Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

providers/ldap: Remove search group #10639

Merged
merged 18 commits into from
Aug 14, 2024
Merged

Conversation

BeryJu
Copy link
Member

@BeryJu BeryJu commented Jul 25, 2024

Details

Search group has been a thing on the LDAP provider since about 3 years, back when we didn't expose any of the RBAC things that we do now. Since we expose RBAC now we can use an object-level permission for this.

  • Needs documentation update
  • Test of migration

Checklist

  • Local tests pass (ak test authentik/)
  • The code has been formatted (make lint-fix)

If an API change has been made

  • The API schema has been updated (make gen-build)

If changes to the frontend have been made

  • The code has been formatted (make web)

If applicable

  • The documentation has been updated
  • The documentation has been formatted (make website)

@BeryJu BeryJu requested review from a team as code owners July 25, 2024 19:27
Copy link

netlify bot commented Jul 25, 2024

Deploy Preview for authentik-storybook canceled.

Name Link
🔨 Latest commit 75419d1
🔍 Latest deploy log https://app.netlify.com/sites/authentik-storybook/deploys/66bcb89262cc9b0008af667a

Copy link

netlify bot commented Jul 25, 2024

Deploy Preview for authentik-docs ready!

Name Link
🔨 Latest commit 75419d1
🔍 Latest deploy log https://app.netlify.com/sites/authentik-docs/deploys/66bcb892943003000845fa2e
😎 Deploy Preview https://deploy-preview-10639--authentik-docs.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

Copy link

codecov bot commented Jul 25, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 92.46%. Comparing base (3815803) to head (75419d1).

Additional details and impacted files
@@            Coverage Diff             @@
##             main   #10639      +/-   ##
==========================================
- Coverage   92.66%   92.46%   -0.21%     
==========================================
  Files         736      736              
  Lines       36252    36277      +25     
==========================================
- Hits        33593    33543      -50     
- Misses       2659     2734      +75     
Flag Coverage Δ
e2e 48.62% <100.00%> (-0.65%) ⬇️
integration 25.10% <6.89%> (-0.02%) ⬇️
unit 90.21% <68.96%> (-0.02%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@BeryJu BeryJu force-pushed the providers/ldap/remove-search-group branch from 65d3341 to 602361d Compare July 26, 2024 11:46
Copy link
Contributor

@kensternberg-authentik kensternberg-authentik left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall, looks straightforward. I still think the amount of shotgun surgery needed to make this happen makes our product look fragile.

<ak-form-element-horizontal label=${msg("Search group")} name="searchGroup">
<ak-search-select
.fetchObjects=${async (query?: string): Promise<Group[]> => {
const args: CoreGroupsListRequest = {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fewer things make me happier than one less search-select in the product. :-)

@BeryJu BeryJu force-pushed the providers/ldap/remove-search-group branch from 602361d to 20e416b Compare August 2, 2024 17:10
Copy link
Contributor

github-actions bot commented Aug 2, 2024

authentik PR Installation instructions

Instructions for docker-compose

Add the following block to your .env file:

AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-75419d144309ceb9a72058a6e0c5bd6f77a574b9
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s

For arm64, use these values:

AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-75419d144309ceb9a72058a6e0c5bd6f77a574b9-arm64
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s

Afterwards, run the upgrade commands from the latest release notes.

Instructions for Kubernetes

Add the following block to your values.yml file:

authentik:
    outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
global:
    image:
        repository: ghcr.io/goauthentik/dev-server
        tag: gh-75419d144309ceb9a72058a6e0c5bd6f77a574b9

For arm64, use these values:

authentik:
    outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
global:
    image:
        repository: ghcr.io/goauthentik/dev-server
        tag: gh-75419d144309ceb9a72058a6e0c5bd6f77a574b9-arm64

Afterwards, run the upgrade commands from the latest release notes.

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu BeryJu force-pushed the providers/ldap/remove-search-group branch from 20e416b to 4c32b7e Compare August 14, 2024 12:29
@BeryJu BeryJu requested a review from a team as a code owner August 14, 2024 12:43
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu BeryJu force-pushed the providers/ldap/remove-search-group branch from 2b8a9b2 to c264e9d Compare August 14, 2024 13:06
BeryJu and others added 5 commits August 14, 2024 15:22
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@authentik-automation
Copy link
Contributor

Images automagically compressed by Calibre's image-actions

Compression reduced images by 36.3%, saving 83.15 KB.

Filename Before After Improvement Visual comparison
website/docs/providers/ldap/general_setup14.png 64.67 KB 40.27 KB -37.7% View diff
website/docs/providers/ldap/general_setup15.png 164.52 KB 105.78 KB -35.7% View diff

160 images did not require optimisation.

Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
Signed-off-by: Jens L. <jens@beryju.org>
Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
Signed-off-by: Jens L. <jens@beryju.org>
[Users](../../user-group-role/user/index.mdx) and [Roles](../../user-group-role/roles/index.mdx) can be assigned the permission "Search full LDAP directory" to allow them to search the full LDAP directory and retrieve information about all users in the authentik instance.

:::info
Up to authentik version 2024.8 this was managed using the "Search group" attribute in the LDAP Provider, where users could be added to a group to grant them this permission. With authentik 2024.8 this is automatically migrated to the "Search full LDAP directory" permission, which can be assigned more flexibly.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So there is no action that users who upgrade to 2024.8 and later need to take, right?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Correct

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please note many of us lost a lot of time on this #11548 (comment) since we did not get we had to work on object-level permission

- **RBAC support for Blueprints and Terraform**

RBAC permissions for global/object level permissions for Users/Roles can now be managed via Blueprints and Terraform. This allows for the automatic configuration of permissions.

## Upgrading

This release does not introduce any new requirements.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is a new section in the Rel Notes template, with a link to the Upgrade docs. Let's make sure it gets into these Rel Notes.

Copy link
Contributor

@tanberry tanberry left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A few nits, looks great, let's go!

BeryJu and others added 2 commits August 14, 2024 15:59
Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
Signed-off-by: Jens L. <jens@beryju.org>
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu BeryJu merged commit 8f53d0b into main Aug 14, 2024
68 checks passed
@BeryJu BeryJu deleted the providers/ldap/remove-search-group branch August 14, 2024 14:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants