✨ Initial draft of generic authentication and authorization #182
Does this replace or make use of the openshift auth functionality we have in the operator today? It's not well tested, and maybe not even well known it is there, and to fully work I believe there'd probably need to be changes to the hub.
Going to be honest @jmontleon I had no idea that existed, and I am not convinced that this would even work. @aufi @jortel Can someone let me know if this even is a valid option?
I added this. It worked at the time, but I have not tested it in a long time. It uses the OpenShift oauth-proxy. It only provided authentication, no authorization, so once authenticated you could do anything.
Thank you for reminding me about this! I had forgotten this option. I have a feeling it still works and something that I will need to add:
Please replace mentions of MTA with Konveyor
|
||
## Summary | ||
|
||
As we move to more and more integrations with MTA, we need to consider the many different |
"As we move to more and more integrations with Konveyor"
## Motivation | ||
|
||
As we gain both more users, and more integrations, supporting generic authentication that would exist in a company | ||
is going to make the user experience more complete. This will enable easier setup of a secure MTA environment by allowing |
"This will enable easier setup of a secure Konveyor environment..."
|
||
The goal of this enhancement is to make authentication generic, such that any authentication provider that supports OAuth and OIDC is usable as authorization and authentication. The goal is for admin users to have an easy configuration, end users have some default access when logging on and when using OIDC you can map roles to internal roles. Each of these is important to keep the user experience sane and not cumbersome. | ||
|
||
The other goal is to make integration with things like RHDH easier, by allowing users to share authentication between systems. |
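Review bot: In the goals paragraph, "end users have some default access when logging on" leaves the default undefined; name the role a newly authenticated user receives, state that it is the least-privileged one, and say what happens when an OIDC login carries no role that maps to an internal role. The same paragraph says a provider "that supports OAuth and OIDC is usable as authorization and authentication"; OAuth 2.0 by itself is an authorization framework and does not identify the user, so the text should say that authentication relies on OIDC and whether an OAuth-only provider is supported at all.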
"The other goal is to make integration with things like Backstage easier"
|
||
## Alternatives | ||
|
||
We did consider moving to using Kubernetes built-in RBAC. The biggest drawback with this approach is that users of MTA would have to have logins for Kubernetes. |
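Review bot: The Alternatives section lists only Kubernetes built-in RBAC. The existing OpenShift oauth-proxy option in the operator, raised in the conversation on this PR, is described there as authentication-only ("once authenticated you could do anything"), so it should be listed here as well, with a statement of whether this enhancement replaces it or builds on it.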
"The biggest drawback with this approach is that users of Konveyor would have to have logins for Kubernetes"