Before You Start
- You must have an active Enterprise key
- You must have an Authentication Provider (IdP) set up that supports groups
- Review the Access Control (RBAC) Roles & Permissions.
- Confirm you have the right role(s) to grant a user access to a given resource (e.g., you have the projectOwner role on a given project you wish to add other users to)
How to Assign Roles to a Group
This guide uses Auth0 and assumes resources (projects, repositories) have already been created in your cluster.
- Enable group management in your IdP of choice.
- Update your connector config to include the appropriate attributes.
Syntax:

  {
    "type": "oidc",
    "id": "auth0",
    "name": "Auth0",
    "version": 1,
    "config": {
      "issuer": "https://dev-k34x5yjn.us.auth0.com/",
      "clientID": "hegmOc5rTotLPu5ByRDXOvBAzgs3wuw5",
      "clientSecret": "7xk8O71Uhp5T-bJp_aP2Squwlh4zZTJs65URPma-2UT7n1iigDaMUD9ArhUR-2aL",
      "redirectURI": "http(s)://<insert-external-ip-or-dns-name>/dex/callback",
      "scopes": ["groups", "email", "profile"],
      "claimMapping": {
        "groups": "http://pachyderm.com/groups"
      },
      "insecureEnableGroups": true
    }
  }

  type: oidc
  id: auth0
  name: Auth0
  version: 1
  config:
    issuer: https://dev-k34x5yjn.us.auth0.com/
    clientID: hegmOc5rTotLPu5ByRDXOvBAzgs3wuw5
    clientSecret: 7xk8O71Uhp5T-bJp_aP2Squwlh4zZTJs65URPma-2UT7n1iigDaMUD9ArhUR-2aL
    redirectURI: http(s)://<insert-external-ip-or-dns-name>/dex/callback
    scopes:
      - groups
      - email
      - profile
    claimMapping:
      groups: http://pachyderm.com/groups
    insecureEnableGroups: true
- Update the config by running the following command:
pachctl idp update-connector <connector-id> --version 2
- Grant the group roles by running the following command:
pachctl auth set <resource-type> <resource-name> <role-name> group:<group-name>
- Confirm the group’s roles were updated for the given resource:
Resource Type:
pachctl auth get project <project-name>
pachctl auth get repo <repo-name>
💡 The command pachctl auth get-groups lists the groups that have been defined on your cluster.
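
As an added example (not Pachyderm's own code), this Python pre-flight check for the steps above lints a connector config for the group settings shown and, from an ID token payload, lists the group:<group-name> subjects that could be passed to pachctl auth set. The function names, sample host, group names and token are constructed for illustration, and it assumes the group name in the claim is used unchanged as <group-name>; the token is decoded without signature verification, so it is for inspection only.

```python
import base64
import json

# Constructed sample mirroring the connector "config" above (issuer and secret omitted).
CONNECTOR = {
    "type": "oidc", "id": "auth0", "version": 1,
    "config": {
        "redirectURI": "https://pach.example.com/dex/callback",  # placeholder host
        "scopes": ["groups", "email", "profile"],
        "claimMapping": {"groups": "http://pachyderm.com/groups"},
        "insecureEnableGroups": True,
    },
}


def lint_connector(connector):
    """Return a list of problems that would keep group claims from arriving."""
    cfg = connector.get("config", {})
    problems = []
    if "groups" not in cfg.get("scopes", []):
        problems.append("scopes is missing 'groups'")
    if not cfg.get("claimMapping", {}).get("groups"):
        problems.append("claimMapping.groups is not set")
    if cfg.get("insecureEnableGroups") is not True:
        problems.append("insecureEnableGroups is not true")
    uri = cfg.get("redirectURI", "")
    if "<" in uri or "(" in uri or not uri.endswith("/dex/callback"):
        problems.append("redirectURI still holds a placeholder or wrong path")
    return problems


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying it; for inspection only."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def group_subjects(connector, claims):
    """Map the claim named by claimMapping.groups to 'group:<name>' subjects."""
    key = connector["config"]["claimMapping"]["groups"]
    value = claims.get(key, [])
    value = [value] if isinstance(value, str) else value  # tolerate one string
    return sorted({f"group:{g}" for g in value if isinstance(g, str) and g})


def make_sample_token(claims):  # unsigned, constructed token so this runs offline
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."
```

An empty result from group_subjects for a user who belongs to groups in the IdP means the token does not carry the claim named in claimMapping.groups, so roles granted to that group would not apply to the user.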