feat: Add experimental Entra user-info-fetcher backend #712

Merged
merged 35 commits into from
May 5, 2025

Conversation

maltesander
Member

@maltesander maltesander commented Apr 14, 2025

Description

  • adds experimental Entra UIF backend

CRD

pub struct EntraBackend {
    /// Hostname of the token provider, defaults to `login.microsoft.com`.
    #[serde(default = "entra_default_token_hostname")]
    pub token_hostname: HostName,

    /// Hostname of the user info provider, defaults to `graph.microsoft.com`.
    #[serde(default = "entra_default_user_info_hostname")]
    pub user_info_hostname: HostName,

    /// Port of the identity provider. If TLS is used defaults to `443`, otherwise to `80`.
    pub port: Option<u16>,

    /// The Microsoft Entra tenant ID.
    pub tenant_id: String,

    /// Use a TLS connection. Should usually be set to WebPki.
    // We do not use the flattened `TlsClientDetails` here since we cannot
    // default to WebPki using a default and flatten
    // https://github.com/serde-rs/serde/issues/1626
    // This means we have to wrap `Tls` in `TlsClientDetails` to use its
    // method like `uses_tls()`.
    #[serde(default = "default_tls_web_pki")]
    pub tls: Option<Tls>,

    /// Name of a Secret that contains client credentials of an Entra account with
    /// permissions `User.ReadAll` and `GroupMemberShip.ReadAll`.
    ///
    /// Must contain the fields `clientId` and `clientSecret`.
    pub client_credentials_secret: String,
}

And the usage:

---
apiVersion: v1
kind: Secret
metadata:
  name: user-info-fetcher-client-credentials
stringData:
  clientId: foo
  clientSecret: bar
---
apiVersion: opa.stackable.tech/v1alpha1
kind: OpaCluster
metadata:
  name: opa
spec:
  image:
    productVersion: "1.0.1"
  clusterConfig:
    userInfo:
      backend:
        experimentalEntra:
          tenantId: foo-bar
          clientCredentialsSecret: user-info-fetcher-client-credentials
  servers:
    roleGroups:
      default: {}
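The doc comments on the CRD struct describe several defaulting rules (hostnames, TLS defaulting to WebPki, port derived from whether TLS is used) and a requirement on the referenced Secret (it must contain `clientId` and `clientSecret`). The following is an added example, not code from this PR or the operator: it models those rules in plain Rust without serde, builds the resulting endpoint URLs, and validates the Secret's fields while keeping the client secret out of `Debug` output. The `EntraBackend::new` constructor, the `/oauth2/v2.0/token` and `/v1.0/users/{id}/memberOf` paths, and the `load_client_credentials` helper are assumptions for illustration, not the operator's actual API.

```rust
use std::collections::BTreeMap;
use std::fmt;

/// TLS mode. Only the `WebPki` variant from the page is modelled here.
#[derive(Clone, Debug, PartialEq)]
pub enum Tls {
    WebPki,
}

/// Resolved backend settings. Field names follow the `EntraBackend` CRD struct
/// from the PR; `new` applies the defaults its doc comments describe.
#[derive(Clone, Debug)]
pub struct EntraBackend {
    pub token_hostname: String,
    pub user_info_hostname: String,
    pub port: Option<u16>,
    pub tenant_id: String,
    pub tls: Option<Tls>,
    pub client_credentials_secret: String,
}

impl EntraBackend {
    /// Equivalent of `experimentalEntra: {tenantId, clientCredentialsSecret}`
    /// with every other field absent (assumed constructor, not the operator's API).
    pub fn new(tenant_id: &str, client_credentials_secret: &str) -> Self {
        EntraBackend {
            token_hostname: "login.microsoft.com".to_string(),
            user_info_hostname: "graph.microsoft.com".to_string(),
            port: None,
            tenant_id: tenant_id.to_string(),
            tls: Some(Tls::WebPki),
            client_credentials_secret: client_credentials_secret.to_string(),
        }
    }

    pub fn uses_tls(&self) -> bool {
        self.tls.is_some()
    }

    /// "If TLS is used defaults to `443`, otherwise to `80`."
    pub fn effective_port(&self) -> u16 {
        self.port.unwrap_or(if self.uses_tls() { 443 } else { 80 })
    }

    fn base(&self, host: &str) -> String {
        let scheme = if self.uses_tls() { "https" } else { "http" };
        format!("{scheme}://{host}:{}", self.effective_port())
    }

    /// OAuth2 client-credentials token endpoint (path is an assumption).
    pub fn token_url(&self) -> String {
        format!("{}/{}/oauth2/v2.0/token", self.base(&self.token_hostname), self.tenant_id)
    }

    /// Group-membership lookup for one user on the user-info host (path is an assumption).
    pub fn group_membership_url(&self, user_id: &str) -> String {
        format!("{}/v1.0/users/{user_id}/memberOf", self.base(&self.user_info_hostname))
    }
}

/// Credentials read from the Secret named by `client_credentials_secret`.
#[derive(Clone, PartialEq)]
pub struct ClientCredentials {
    pub client_id: String,
    pub client_secret: String,
}

// Redact the secret so an accidental `{:?}` in a log line never leaks it.
impl fmt::Debug for ClientCredentials {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.debug_struct("ClientCredentials")
            .field("client_id", &self.client_id)
            .field("client_secret", &"<redacted>")
            .finish()
    }
}

/// Enforces "Must contain the fields `clientId` and `clientSecret`" on the
/// Secret's data map, rejecting both missing and empty values.
pub fn load_client_credentials(
    secret_name: &str,
    data: &BTreeMap<String, String>,
) -> Result<ClientCredentials, String> {
    let field = |key: &str| -> Result<String, String> {
        match data.get(key) {
            Some(v) if !v.trim().is_empty() => Ok(v.clone()),
            Some(_) => Err(format!("Secret {secret_name}: field {key} is empty")),
            None => Err(format!("Secret {secret_name}: missing field {key}")),
        }
    };
    Ok(ClientCredentials { client_id: field("clientId")?, client_secret: field("clientSecret")? })
}

fn main() {
    let backend = EntraBackend::new("foo-bar", "user-info-fetcher-client-credentials");
    println!("token endpoint: {}", backend.token_url());
    // Constructed stand-in for the Secret shown in the PR description.
    let mut data = BTreeMap::new();
    data.insert("clientId".to_string(), "foo".to_string());
    data.insert("clientSecret".to_string(), "bar".to_string());
    println!("{:?}", load_client_credentials(&backend.client_credentials_secret, &data));
}
```

Setting `tls` to `None` flips the scheme to `http` and the default port to 80, which is the combination a reviewer would want to catch in a cluster manifest, since the client secret is sent to the token endpoint in the request body.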

@maltesander maltesander self-assigned this Apr 14, 2025
Member

@sbernauer sbernauer left a comment

Only minor comments.
Did not test it, you mentioned some Python script for simulating Entra?

Member

@sbernauer sbernauer left a comment

Thanks for addressing the review!

@maltesander maltesander changed the title experimental: Add Entra backend feat: Add experimental Entra user-info-fetcher backend Apr 17, 2025
@maltesander maltesander marked this pull request as ready for review April 17, 2025 15:12
@maltesander maltesander added release-note Denotes a PR that will be considered when it comes time to generate release notes. type/feature-new scheduled-for/25.7.0 labels Apr 17, 2025
Member

@sbernauer sbernauer left a comment

Only one CRD change question left.
As this is a CRD change I think we should put it on the decisions board (even for experimental features)

sbernauer previously approved these changes Apr 22, 2025
Member

@sbernauer sbernauer left a comment

LGTM, but I think this needs to go through the decision board

@maltesander maltesander moved this to Development: In Review in Stackable Engineering Apr 22, 2025
@maltesander maltesander added this pull request to the merge queue May 5, 2025
Merged via the queue into main with commit 4bb9307 May 5, 2025
17 checks passed
@maltesander maltesander deleted the feat/experimental-entra-backend branch May 5, 2025 08:46
@maltesander maltesander moved this from Development: In Review to Development: Done in Stackable Engineering May 5, 2025
@lfrancke
Member

lfrancke commented May 9, 2025

Could you add a link to the docs and release notes please?

@lfrancke lfrancke moved this from Development: Done to Acceptance: In Progress in Stackable Engineering May 9, 2025
@maltesander
Member Author

Docs: https://docs.stackable.tech/home/nightly/opa/usage-guide/user-info-fetcher/#backend-entra
Release Snippet: The user-info-fetcher backend now supports fetching user groups from Microsoft Entra experimentally.

@lfrancke lfrancke moved this from Acceptance: In Progress to Done in Stackable Engineering May 26, 2025
Labels
release-note Denotes a PR that will be considered when it comes time to generate release notes. scheduled-for/25.7.0 type/experimental type/feature-new
Projects
Development

3 participants