This repository was archived by the owner on May 16, 2024. It is now read-only.

Conversation

@IvanVan
Contributor

@IvanVan IvanVan commented Sep 27, 2023

What changed?

Follow up PR to #625
This PR adds functionality to support a wildcard in the groups field of the IdentityConfiguration config. Thus common-fate fetches all the groups that the Okta API token has access to.

Why?

Current state:

We do ListUsers = ListAllUsersAPICall (code) + numberOfUsers * GetUserGroupsAPICall (code), and we do ListGroups (ListAllGroupsAPICall). Every API call may also include pagination, but we don't take it into account in these calculations. Also, the number of operations to parse/create maps/etc. is O(numberOfGroups * numberOfUsers).

This PR:

We'll call ListGroups first if the groups field is provided, then we will fetch all users for every group, and then group membership will be used to fill the Groups field for every user. In this case we need to fetch users for every group. So in total it will be ListGroups (ListAllGroupsAPICall) + numberOfGroups * GetGroupUsers + ListAllUsersAPICall (this may be omitted, because we already have all the users from the groups that common-fate has access to). The number of operations is the same, O(numberOfGroups * numberOfUsers).

Thus this optimization makes sense if # groups << # users. We'll add this information to docs here - https://github.com/common-fate/docs if the PR is approved.

How did you test it?

We tested it in our env.

Potential risks

N/A

Is patch release candidate?

No

Link to relevant docs PRs

#625

@shwethaumashanker
Contributor

@IvanVan Were you able to run gdeploy identity sync successfully after this update? I'm seeing this error: "listing okta users from okta API: the API returned an error: Not found: Resource not found: 00g* (UserGroup): withStack
null" in the APIIdpSyncHandlerFunction

I tested using this format: groups: 00g*

@keymon
Contributor

keymon commented Sep 27, 2023

@shwethaumashanker actually, the only valid options are static values or just *; 00g* is not valid.

The idea is that by having groups: * we are inverting the logic of the membership API queries: the service will list all the groups accessible by the sync cluster, and check members for each.

This is great for our use case, because then we leverage the concept of a ResourceSet in Okta (https://help.okta.com/en-us/content/topics/security/custom-admin-role/create-resource-set.htm) to restrict which groups common-fate can see, and this way control the API calls a lot.

But yes, groups: * might be a bit confusing/misleading UX:

  • groups refers to "groups to get user membership from". IMO a better name could be user_groups
  • groups: * effectively says "Sync membership from all accessible groups"
  • groups: qwertyuio234,qwertyuio235,qwertyuio236 effectively says "Sync membership from all accessible groups"

We are open to alternatives. Some options:

  • Option 1: groups: * groups: qwertyuio234,qwertyuio235,qwertyuio236
  • Option 2: groups: any groups: qwertyuio234,qwertyuio235,qwertyuio236
  • Option 3: membership_from_groups: true + groups: qwertyuio234,qwertyuio235,qwertyuio236
    • if users_from_groups: true then pull members from groups
    • if groups: qwertyuio234,qwertyuio235,qwertyuio236 set, only sync/query those groups
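The groups: * inversion described above, as an added Go example that is not common-fate's own code: the OktaClient interface, its method names and the call flow are assumptions standing in for the real client. It rejects a partial wildcard such as 00g* before any API call is made, and when the field is * it lists the groups the token can see and then the members of each, so the number of calls scales with the number of groups rather than users.

```go
package main

import (
	"fmt"
	"strings"
)

// OktaClient is the subset of Okta API calls the sync needs (assumed interface, not common-fate's own).
type OktaClient interface {
	ListGroups() ([]string, error)                   // ListAllGroupsAPICall
	ListGroupUsers(groupID string) ([]string, error) // GetGroupUsers
}

// ParseGroups reads the `groups` field: "*" selects every group the API token can see; anything
// else is a comma-separated list of literal group IDs. Partial wildcards such as "00g*" are rejected.
func ParseGroups(field string) (all bool, ids []string, err error) {
	if field = strings.TrimSpace(field); field == "*" {
		return true, nil, nil
	}
	for _, id := range strings.Split(field, ",") {
		if id = strings.TrimSpace(id); id == "" || strings.Contains(id, "*") {
			return false, nil, fmt.Errorf("groups %q: only \"*\" or literal group IDs are supported", id)
		}
		ids = append(ids, id)
	}
	return false, ids, nil
}

// SyncMembership inverts the membership lookup: list the groups, then the members of each group,
// so the cost is 1 + len(groups) API calls rather than 1 + len(users). It returns user -> group IDs.
func SyncMembership(c OktaClient, field string) (map[string][]string, error) {
	all, ids, err := ParseGroups(field)
	if all {
		ids, err = c.ListGroups() // one ListAllGroupsAPICall, scoped by the token's resource set
	}
	if err != nil {
		return nil, err
	}
	members := map[string][]string{}
	for _, g := range ids {
		users, err := c.ListGroupUsers(g) // one GetGroupUsers call per group, however many users exist
		if err != nil {
			return nil, fmt.Errorf("listing members of group %s: %w", g, err)
		}
		for _, u := range users {
			members[u] = append(members[u], g)
		}
	}
	return members, nil
}
```

A fake OktaClient that counts calls is enough to verify the claim: with three groups visible to the token, groups: * costs four calls regardless of how many users the tenant holds.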

@IvanVan
Contributor Author

IvanVan commented Sep 28, 2023

@IvanVan Were you able to run gdeploy identity sync successfully after this update? I'm seeing this error: "listing okta users from okta API: the API returned an error: Not found: Resource not found: 00g* (UserGroup): withStack
null" in the APIIdpSyncHandlerFunction

I tested using this format: groups: 00g*

Thank you @shwethaumashanker for reviewing!
As @keymon said, there are only two available options in the current implementation: "*" (all the groups) and "groupId1,groupId2" (group ids separated by comma). We tested it in our environment with the "*" option.

@shwethaumashanker
Contributor

Hi @IvanVan and @keymon,

Thanks for the clarification – my bad for misunderstanding the options earlier. I tested groups: "*" and it seems to be working well. As long as we keep things well-documented, I think this implementation should do the trick.

I'll release v0.15.9 with the PR, and for future PRs, we're sticking with the release/v0.15 branch for OSS releases.

Appreciate your contributions – thank you both! 🙌

@shwethaumashanker shwethaumashanker merged commit 516e26c into common-fate:main Sep 28, 2023