Comments (9)
It worked, thank you so much.
from openunison-k8s-login-activedirectory.
In either the org or the portalUrl you can specify a constraint by group in the same way you would specify it in the RBAC rule. So, similar to the example in the README, to limit access to the CN=k8s_login_ckuster_admins,CN=Users,DC=ent2k12,DC=domain,DC=com group, specify:

- constraint: CN=k8s_login_ckuster_admins,CN=Users,DC=ent2k12,DC=domain,DC=com
  scope: group

Make sure you don't keep the original constraint in place, otherwise everyone will see it.
from openunison-k8s-login-activedirectory.
Thanks, how do I add multiple groups to that constraint? Is it comma separated or a separate entry?
from openunison-k8s-login-activedirectory.
You can list multiple azRules:

apiVersion: openunison.tremolo.io/v1
kind: Org
metadata:
  name: cluster2
  namespace: openunison
spec:
  description: "My second cluster"
  uuid: 04901973-5f4c-46d9-9e22-55e88e168776
  parent: B158BD40-0C1B-11E3-8FFD-0800200C9A66
  showInPortal: true
  showInRequestAccess: false
  showInReports: false
  azRules:
  - scope: group
    constraint: CN=k8s_login_ckuster_admins,CN=Users,DC=ent2k12,DC=domain,DC=com
  - scope: group
    constraint: CN=k8s_login_cluster2_admins,CN=Users,DC=ent2k12,DC=domain,DC=com

When listing multiple groups, OpenUnison will allow access if any of the azRule definitions are satisfied.
from openunison-k8s-login-activedirectory.
I tried that, the org is not displayed even though the azRule is satisfied. Below is my org:

apiVersion: openunison.tremolo.io/v1
kind: Org
metadata:
  name: test-cluster
  namespace: openunison
spec:
  description: "TEST K8S CLUSTER"
  uuid: *************************************
  parent: ******************************
  showInPortal: true
  showInRequestAccess: false
  showInReports: false
  azRules:
  - scope: group
    constraint: CN=k8s-test-devs,OU=Groups,DC=example,DC=com
  - scope: group
    constraint: CN=k8s-test-admins,OU=Groups,DC=example,DC=com
from openunison-k8s-login-activedirectory.
Try:

apiVersion: openunison.tremolo.io/v1
kind: Org
metadata:
  name: test-cluster
  namespace: openunison
spec:
  description: "TEST K8S CLUSTER"
  uuid: *************************************
  parent: ******************************
  showInPortal: true
  showInRequestAccess: false
  showInReports: false
  azRules:
  - scope: filter
    constraint: (memberOf=CN=k8s-test-devs,OU=Groups,DC=example,DC=com)
  - scope: filter
    constraint: (memberOf=CN=k8s-test-admins,OU=Groups,DC=example,DC=com)
from openunison-k8s-login-activedirectory.
Hi Marc,
I just tried it, did not work. The user is a member of both the groups.
from openunison-k8s-login-activedirectory.
Sorry, hopefully third time's a charm:

apiVersion: openunison.tremolo.io/v1
kind: Org
metadata:
  name: test-cluster
  namespace: openunison
spec:
  description: "TEST K8S CLUSTER"
  uuid: *************************************
  parent: ******************************
  showInPortal: true
  showInRequestAccess: false
  showInReports: false
  azRules:
  - scope: filter
    constraint: (groups=CN=k8s-test-devs,OU=Groups,DC=example,DC=com)
  - scope: filter
    constraint: (groups=CN=k8s-test-admins,OU=Groups,DC=example,DC=com)
from openunison-k8s-login-activedirectory.
I will try it out, thank you.
from openunison-k8s-login-activedirectory.
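
The thread says access is granted if any azRule is satisfied, and warns that leaving the original constraint in place exposes the org to everyone. The following is an added example, not part of the thread and not OpenUnison code: a simplified model of that OR evaluation. It assumes the user carries a `groups` attribute, supports only `group` rules and single `(attr=value)` filters, and uses a hypothetical catch-all group `all-staff` with constructed sample users.

```python
import re

# Constructed sample data; the group DNs reuse the thread's example.com names.
DEVS = "CN=k8s-test-devs,OU=Groups,DC=example,DC=com"
ADMINS = "CN=k8s-test-admins,OU=Groups,DC=example,DC=com"
ALL_STAFF = "CN=all-staff,OU=Groups,DC=example,DC=com"  # hypothetical catch-all group

FILTER_RE = re.compile(r"^\(([^=()]+)=([^()]*)\)$")  # simple (attr=value) filters only

def rule_matches(rule, user):
    """True if one azRule is satisfied; user is a dict of attribute -> list of values."""
    scope, constraint = rule["scope"], rule["constraint"]
    if scope == "group":
        # Assumption of this model: case-insensitive DN match against user["groups"].
        return constraint.lower() in (g.lower() for g in user.get("groups", []))
    if scope == "filter":
        m = FILTER_RE.match(constraint)
        if not m:
            raise ValueError(f"unsupported filter in this model: {constraint}")
        attr, value = m.group(1), m.group(2)
        # A filter on an attribute the user object does not carry never matches.
        return value.lower() in (v.lower() for v in user.get(attr, []))
    raise ValueError(f"unsupported scope in this model: {scope}")

def is_authorized(az_rules, user):
    """Access is allowed if ANY rule matches (logical OR), as the thread states."""
    return any(rule_matches(r, user) for r in az_rules)

def widening_rules(az_rules, users):
    """Rules every sample user satisfies; left in place they expose the org to all."""
    return [r for r in az_rules if all(rule_matches(r, u) for u in users)]

RESTRICTED = [{"scope": "group", "constraint": DEVS},
              {"scope": "group", "constraint": ADMINS}]
LEFTOVER = RESTRICTED + [{"scope": "group", "constraint": ALL_STAFF}]
DEV = {"groups": [DEVS, ALL_STAFF]}
OUTSIDER = {"groups": [ALL_STAFF]}

if __name__ == "__main__":
    for name, rules in (("restricted", RESTRICTED), ("leftover", LEFTOVER)):
        print(name, "dev:", is_authorized(rules, DEV),
              "outsider:", is_authorized(rules, OUTSIDER))
    print("matches every sample user:", widening_rules(LEFTOVER, [DEV, OUTSIDER]))
```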