Import groups from the IDP provider for OCP 4.10+

Introduction

In OpenShift 4.10, a new capability was added to import groups from an IDP provider. For example, while using LDAP, you can import the groups of which a user is member of. This allows you to create RBAC based on your IDP provider group.

LDAP Configuration

In the Authrealm, you can add a section explaining how to query the groups the user belong too.

Let’s say for example you have this ldap entries.

# testuser, example.com
dn: cn=testuser,dc=example,dc=com
objectClass: person
objectClass: inetOrgPerson
sn: user
cn: test
cn: testuser
mail: testuser@example.com
userPassword:: Zm9vYmFy

# mygroup, example.com
dn: cn=mygroup,dc=example,dc=com
objectClass: groupOfNames
cn: mygroup
member: cn=testuser,dc=example,dc=com

You can add in your Authrealm the LDAPExtraConfigs section to import the groups

  ldapExtraConfigs:
    <your_idp_name>:
      baseDN: dc=example,dc=com
      filter: (objectClass=person)
      groupSearch:
        baseDN: dc=example,dc=com
        filter: (objectClass=groupOfNames)
        nameAttr: cn
        userMatchers:
        - groupAttr: member
          userAttr: DN

Now when the user testuser@example.com will login, the group mygroup will be automatically created on the managed cluster. You can check it after login to the managedcluster with admin role by running this command.

oc get groups

or if you have cm-cli with from the hub.

cm with cc <your_clusterclaim_name> -- oc get groups

result:

NAME      USERS
mygroup   testuser@example.com