Before You Start
- Your IdP must support groups to use these instructions.
- Review the permissions assigned to each role.
- This guide assumes resources (projects, repositories) have already been created in your cluster.
- This guide uses Auth0 as an example IdP.
How to Assign Roles to a Group
- Enable group management in your IdP of choice.
- Update your connector config to include the appropriate attributes.
  Syntax:

    {
      "type": "oidc",
      "id": "auth0",
      "name": "Auth0",
      "version": 1,
      "config": {
        "issuer": "https://dev-k34x5yjn.us.auth0.com/",
        "clientID": "hegmOc5rTotLPu5ByRDXOvBAzgs3wuw5",
        "clientSecret": "7xk8O71Uhp5T-bJp_aP2Squwlh4zZTJs65URPma-2UT7n1iigDaMUD9ArhUR-2aL",
        "redirectURI": "http(s)://<insert-external-ip-or-dns-name>/dex/callback",
        "scopes": ["groups", "email", "profile"],
        "claimMapping": {
          "groups": "http://pachyderm.com/groups"
        },
        "insecureEnableGroups": true
      }
    }

    type: oidc
    id: auth0
    name: Auth0
    version: 1
    config:
      issuer: https://dev-k34x5yjn.us.auth0.com/
      clientID: hegmOc5rTotLPu5ByRDXOvBAzgs3wuw5
      clientSecret: 7xk8O71Uhp5T-bJp_aP2Squwlh4zZTJs65URPma-2UT7n1iigDaMUD9ArhUR-2aL
      redirectURI: http(s)://<insert-external-ip-or-dns-name>/dex/callback
      scopes:
        - groups
        - email
        - profile
      claimMapping:
        groups: http://pachyderm.com/groups
      insecureEnableGroups: true
- Update the config by running the following command:

    pachctl idp update-connector <connector-id> --version 2

- Grant the group roles by running the following command:

    pachctl auth set <resource-type> <resource-name> <role-name> group:<group-name>

- Confirm the group’s roles were updated for the given resource:

    pachctl auth get project <project-name>
    pachctl auth get repo <repo-name>
💡 The command pachctl auth get-groups lists the groups that have been defined on your cluster.
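
When a role granted to group:<group-name> does not take effect, it helps to check that the connector carries the three group-related settings from the syntax above and that the ID token actually contains the mapped claim. The following is an added troubleshooting example, not code from the Pachyderm project; the function names, the sample connector and the unsigned sample token are constructed for illustration, and the token is decoded for inspection only, without signature verification.

```python
import base64
import json

def check_connector(connector: dict) -> list:
    """Return the group-related settings from this guide that are missing."""
    cfg = connector.get("config", {})
    problems = []
    if "groups" not in cfg.get("scopes", []):
        problems.append("scopes does not request 'groups'")
    if not cfg.get("claimMapping", {}).get("groups"):
        problems.append("claimMapping.groups is not set")
    if cfg.get("insecureEnableGroups") is not True:
        problems.append("insecureEnableGroups is not true")
    return problems

def group_subjects(id_token: str, connector: dict) -> list:
    """Decode the ID token payload WITHOUT verifying it (inspection only) and
    return the group:<name> subjects found under the mapped groups claim."""
    claim = connector["config"].get("claimMapping", {}).get("groups", "groups")
    payload_b64 = id_token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore stripped padding
    claims = json.loads(base64.urlsafe_b64decode(payload_b64))
    groups = claims.get(claim, [])
    if isinstance(groups, str):  # tolerate a single string value
        groups = [groups]
    return ["group:" + g for g in groups]

def _b64(obj) -> str:
    """base64url-encode a JSON object the way JWT segments are encoded."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed connector holding only the group-related fields from the guide.
CONNECTOR = {"type": "oidc", "id": "auth0", "config": {
    "scopes": ["groups", "email", "profile"],
    "claimMapping": {"groups": "http://pachyderm.com/groups"},
    "insecureEnableGroups": True}}

# Constructed, unsigned sample token carrying the namespaced groups claim.
SAMPLE_TOKEN = ".".join([
    _b64({"alg": "none"}),
    _b64({"email": "user@example.com",
          "http://pachyderm.com/groups": ["data-scientists", "admins"]}),
    "",
])

if __name__ == "__main__":
    print(check_connector(CONNECTOR) or "connector passes the groups checks")
    print(group_subjects(SAMPLE_TOKEN, CONNECTOR))
```

An empty list from group_subjects means the IdP is not emitting the claim named in claimMapping.groups, so no group:<group-name> role binding can match for that user.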