Implement shadow user creation by org manager #4113

Merged: 15 commits from implement-shadow-user-creation-by-org-manager into main, Jan 9, 2025

Conversation

@svkrieger (Contributor) commented Nov 28, 2024

A short explanation of the proposed change:

Implementation of the shadow user creation by org managers according to the RFC https://github.com/cloudfoundry/community/blob/main/toc/rfc/rfc-0033-user-creation-by-org-managers.md

Links to any other associated PRs

Add configuration to CAPI release: cloudfoundry/capi-release#491

  • I have reviewed the contributing guide

  • I have viewed, signed, and submitted the Contributor License Agreement

  • I have made this pull request to the main branch

  • I have run all the unit tests using bundle exec rake

  • I have run CF Acceptance Tests

@svkrieger svkrieger force-pushed the implement-shadow-user-creation-by-org-manager branch from 2c99e5d to 39a4b2a Compare December 3, 2024 09:57
Review comment on lib/tasks/spec.rake (outdated, resolved)
jochenehret
jochenehret previously approved these changes Dec 3, 2024
@svkrieger svkrieger force-pushed the implement-shadow-user-creation-by-org-manager branch 2 times, most recently from 6a27ed1 to 626f8e6 Compare December 18, 2024 08:35
@svkrieger svkrieger force-pushed the implement-shadow-user-creation-by-org-manager branch from 626f8e6 to 2968960 Compare January 7, 2025 12:41
@svkrieger (Contributor, Author) commented Jan 7, 2025

To make sure that we don't break the behaviour before introducing this new feature, the following tables show the relevant scenarios before the change and the same scenarios after the change when the feature is disabled and no client is configured.

Test catalog before change

/v3/users endpoint

| Privileges | User exists in UAA? | Origin | Method | Path | Request data | Response code | Response body |
|---|---|---|---|---|---|---|---|
| admin | NO | != uaa | POST | /v3/users | `{"username":"[email protected]","origin":"keycloak.local"}` | 422 Unprocessable Entity | "Unknown field(s): 'username', 'origin', Guid must be a string, Guid must be between 1 and 200 characters" |
| others | NO | != uaa | POST | /v3/users | same | 403 Forbidden | "You are not authorized to perform the requested action" |
| admin | NO | uaa | POST | /v3/users | `{"username":"[email protected]","origin":"uaa"}` | 422 Unprocessable Entity | "Unknown field(s): 'username', 'origin', Guid must be a string, Guid must be between 1 and 200 characters" |
| others | NO | uaa | POST | /v3/users | same | 403 Forbidden | "You are not authorized to perform the requested action" |
| admin | NO | - | POST | /v3/users | `{"guid":"some-guid"}` | 201 Created | user object (origin null, username null); this only creates a DB entry in CCDB |
| others | NO | - | POST | /v3/users | same | 403 Forbidden | "You are not authorized to perform the requested action" |
| admin | YES | - | POST | /v3/users | `{"guid":"some-guid"}` | 201 Created | user object (origin and username are set and come from UAA) |
| others | YES | - | POST | /v3/users | same | 403 Forbidden | "You are not authorized to perform the requested action" |

/v3/roles endpoint

| Privileges | User exists in UAA? | Origin | Method | Path | Request data | Response code | Response body |
|---|---|---|---|---|---|---|---|
| admin | NO | uaa | POST | /v3/roles | org guid + username + origin + org auditor | 422 Unprocessable Entity | "No user exists with the username '[email protected]' and origin 'uaa'." |
| org manager | NO | uaa | POST | /v3/roles | org guid + username + origin + org auditor | 422 Unprocessable Entity | "No user exists with the username '[email protected]' and origin 'uaa'." |
| admin | NO | != uaa | POST | /v3/roles | org guid + username + origin + org auditor | 422 Unprocessable Entity | "No user exists with the username '[email protected]' and origin 'keycloak.local'." |
| org manager | NO | != uaa | POST | /v3/roles | org guid + username + origin + org auditor | 422 Unprocessable Entity | "No user exists with the username '[email protected]' and origin 'keycloak.local'." |
| others | NO | uaa | POST | /v3/roles | org guid + username + origin + org auditor | 403 Forbidden | "You are not authorized to perform the requested action" |
| admin | YES | uaa | POST | /v3/roles | org guid + username + origin + org auditor | 201 Created | role object |
| org manager | YES | uaa | POST | /v3/roles | org guid + username + origin + org auditor | 201 Created | role object |
| admin | YES | != uaa | POST | /v3/roles | org guid + username + origin + org auditor | 201 Created | role object |
| org manager | YES | != uaa | POST | /v3/roles | org guid + username + origin + org auditor | 201 Created | role object |

Test catalog after change when feature is disabled and no client config present

/v3/users endpoint

| Privileges | User exists in UAA? | Origin | Method | Path | Request data | Response code | Response body |
|---|---|---|---|---|---|---|---|
| admin | NO | != uaa | POST | /v3/users | `{"username":"[email protected]","origin":"keycloak.local"}` | 500 Internal Server Error | "An unknown error occurred." |
| others | NO | != uaa | POST | /v3/users | same | 403 Forbidden | "You are not authorized to perform the requested action" |
| admin | NO | uaa | POST | /v3/users | `{"username":"[email protected]","origin":"uaa"}` | 422 Unprocessable Entity | "Origin cannot be 'uaa' when creating a user by username" |
| others | NO | uaa | POST | /v3/users | same | 403 Forbidden | "You are not authorized to perform the requested action" |
| admin | NO | - | POST | /v3/users | `{"guid":"some-guid"}` | 201 Created | user object (origin null, username null); this only creates a DB entry in CCDB |
| others | NO | - | POST | /v3/users | same | 403 Forbidden | "You are not authorized to perform the requested action" |
| admin | YES | - | POST | /v3/users | `{"guid":"some-guid"}` | 201 Created | user object (origin and username are set and come from UAA) |
| others | YES | - | POST | /v3/users | same | 403 Forbidden | "You are not authorized to perform the requested action" |

/v3/roles endpoint

| Privileges | User exists in UAA? | Origin | Method | Path | Request data | Response code | Response body |
|---|---|---|---|---|---|---|---|
| admin | NO | uaa | POST | /v3/roles | org guid + username + origin + org auditor | 422 Unprocessable Entity | "No user exists with the username '[email protected]' and origin 'uaa'." |
| org manager | NO | uaa | POST | /v3/roles | org guid + username + origin + org auditor | 422 Unprocessable Entity | "No user exists with the username '[email protected]' and origin 'uaa'." |
| admin | NO | != uaa | POST | /v3/roles | org guid + username + origin + org auditor | 422 Unprocessable Entity | "No user exists with the username '[email protected]' and origin 'keycloak.local'." |
| org manager | NO | != uaa | POST | /v3/roles | org guid + username + origin + org auditor | 422 Unprocessable Entity | "No user exists with the username '[email protected]' and origin 'keycloak.local'." |
| others | NO | uaa | POST | /v3/roles | org guid + username + origin + org auditor | 403 Forbidden | "You are not authorized to perform the requested action" |
| admin | YES | uaa | POST | /v3/roles | org guid + username + origin + org auditor | 201 Created | role object |
| org manager | YES | uaa | POST | /v3/roles | org guid + username + origin + org auditor | 201 Created | role object |
| admin | YES | != uaa | POST | /v3/roles | org guid + username + origin + org auditor | 201 Created | role object |
| org manager | YES | != uaa | POST | /v3/roles | org guid + username + origin + org auditor | 201 Created | role object |

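The scenario catalog above is a manual checklist; the script below, an added example that is not code from this PR or from cloud_controller_ng, turns the rows for a user that does not exist in UAA into a regression runner. It posts each row as the given privilege and lists the rows whose HTTP status differs from the table, so the pre-change deployment and the "feature disabled, no client configured" deployment can be checked with the same command. Everything about the environment is an assumption: CF_API, CF_ORG_GUID and the three bearer tokens (CF_TOKEN_ADMIN, CF_TOKEN_ORG_MANAGER, CF_TOKEN_OTHER, as printed by `cf oauth-token`) are hypothetical variable names, the username is a constructed value that must not exist in UAA, and the request shape for /v3/roles is the standard v3 role-by-username body rather than anything quoted in the tables.

```python
"""Regression runner for the /v3/users and /v3/roles scenario catalog.

Added example; not code from the PR or from cloud_controller_ng. Assumed
environment (hypothetical names): CF_API (e.g. https://api.example.com),
CF_ORG_GUID, and bearer tokens CF_TOKEN_ADMIN, CF_TOKEN_ORG_MANAGER and
CF_TOKEN_OTHER for an admin, an org manager of that org and a user with no
role in it. USERNAME is constructed and must not exist in UAA.
"""
import json
import os
import sys
import urllib.error
import urllib.request

USERNAME = "shadow-user-not-in-uaa"      # constructed; not the table's username
EXTERNAL_ORIGIN = "keycloak.local"      # the non-uaa origin used in the tables


def user_body(origin):
    return {"username": USERNAME, "origin": origin}


def role_body(org_guid, origin, role="organization_auditor"):
    # Standard v3 role-by-username body: user by username+origin, org by guid (assumption).
    return {"type": role, "relationships": {
        "user": {"data": {"username": USERNAME, "origin": origin}},
        "organization": {"data": {"guid": org_guid}}}}


def catalog(org_guid):
    """(privilege, path, body, expected status per mode), copied from the tables.
    Rows for a user that already exists in UAA, and the {"guid": ...} rows that
    leave a CCDB user behind, are left out so the runner stays repeatable."""
    return [
        ("admin", "/v3/users", user_body(EXTERNAL_ORIGIN), {"before": 422, "after_disabled": 500}),
        ("other", "/v3/users", user_body(EXTERNAL_ORIGIN), {"before": 403, "after_disabled": 403}),
        ("admin", "/v3/users", user_body("uaa"), {"before": 422, "after_disabled": 422}),
        ("other", "/v3/users", user_body("uaa"), {"before": 403, "after_disabled": 403}),
        ("admin", "/v3/roles", role_body(org_guid, "uaa"), {"before": 422, "after_disabled": 422}),
        ("org_manager", "/v3/roles", role_body(org_guid, "uaa"), {"before": 422, "after_disabled": 422}),
        ("admin", "/v3/roles", role_body(org_guid, EXTERNAL_ORIGIN), {"before": 422, "after_disabled": 422}),
        ("org_manager", "/v3/roles", role_body(org_guid, EXTERNAL_ORIGIN), {"before": 422, "after_disabled": 422}),
        ("other", "/v3/roles", role_body(org_guid, "uaa"), {"before": 403, "after_disabled": 403}),
    ]


def origin_of(body):
    # Works for both body shapes: the origin sits at top level for /v3/users
    # and under relationships.user.data for /v3/roles.
    user = body.get("relationships", {}).get("user", {}).get("data", body)
    return user.get("origin")


def http_sender(api):
    """Returns send(token, path, body) -> (status, response text) over real HTTP."""
    def send(token, path, body):
        req = urllib.request.Request(
            api + path, data=json.dumps(body).encode(), method="POST",
            headers={"Authorization": token, "Content-Type": "application/json"})
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                return resp.status, resp.read().decode()
        except urllib.error.HTTPError as err:        # 4xx/5xx responses still carry a body
            return err.code, err.read().decode()
    return send


def run_catalog(rows, tokens, send, mode):
    """Posts every row as its privilege and returns the rows whose status does not
    match the table's expectation for `mode` ('before' or 'after_disabled')."""
    mismatches = []
    for privilege, path, body, expected in rows:
        status, text = send(tokens[privilege], path, body)
        if status != expected[mode]:
            mismatches.append({"privilege": privilege, "path": path,
                               "origin": origin_of(body), "expected": expected[mode],
                               "got": status, "body": text[:200]})
    return mismatches


if __name__ == "__main__":
    mode = sys.argv[1] if len(sys.argv) > 1 else "before"
    tokens = {"admin": os.environ["CF_TOKEN_ADMIN"],
              "org_manager": os.environ["CF_TOKEN_ORG_MANAGER"],
              "other": os.environ["CF_TOKEN_OTHER"]}
    bad = run_catalog(catalog(os.environ["CF_ORG_GUID"]), tokens,
                      http_sender(os.environ["CF_API"]), mode)
    for row in bad:
        print(json.dumps(row))
    sys.exit(1 if bad else 0)
```

Run it with `before` against the old deployment and with `after_disabled` after the upgrade; a non-zero exit lists the rows that drifted. The only row whose expected status differs between the two tables is admin POST /v3/users with a non-uaa origin (422 before, 500 after with the feature disabled), so running the `before` mode against the upgraded deployment is expected to report exactly that row.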
@svkrieger svkrieger mentioned this pull request Jan 7, 2025
@svkrieger svkrieger requested a review from jochenehret January 8, 2025 09:12
@svkrieger svkrieger merged commit 4e53164 into main Jan 9, 2025
8 checks passed
@svkrieger svkrieger deleted the implement-shadow-user-creation-by-org-manager branch January 9, 2025 10:06
ari-wg-gitbot added a commit to cloudfoundry/capi-release that referenced this pull request Jan 9, 2025
Changes in cloud_controller_ng:

- Implement shadow user creation by org manager
    PR: cloudfoundry/cloud_controller_ng#4113
    Author: Sven Krieger <[email protected]>