
freezing-hairdresser-79403

04/26/2023, 12:37 PM
I would like to know if Rancher has the ability to retrieve user groups from an external identity provider and import them to the local Rancher cluster.

worried-doctor-71696

04/26/2023, 3:27 PM
it at least works with okta. we use it to pull okta groups into rancher. after adding okta integration, our okta groups were available from the drop-down on the "Cluster Member: Add" page of the rancher ui. we did this a few years ago, and iirc, there was some wonkiness like the user adding the cluster member had to be part of the okta group he/she wanted to add for rancher to be able to query okta for that group. hopefully, the process has been improved since then.

freezing-hairdresser-79403

04/26/2023, 3:41 PM
I find myself in this situation, where the user who is adding a cluster member is also a member of the group that I want to add.
Were you able to display the list of users in the user group of your Okta?
Sorry, my question was not clear enough. Were you able to view the list of users within your Okta group in the user group of your Rancher cluster?

worried-doctor-71696

04/26/2023, 4:04 PM
ah. no, i don't think we have that ability. your use case may be different from ours, but we just add entire okta groups as cluster members, then assign them to namespaces, etc. when a user in one of the allowed groups logs into rancher, they log in as themselves, and rancher and okta figure out what group they belong to and whether that group is a cluster member. if so, they can log into the console.
membership in rancher is handled through okta groups for the most part. that said, we have had to set up individual "local" users, though, because we usually just give the groups "Cluster View" or "Cluster Member" privileges. if an individual really needs admin privs, it's treated as a one-off.

freezing-hairdresser-79403

04/26/2023, 4:19 PM
Based on the information shared so far, it seems that Rancher may only import the groups from the external identity provider that correspond to the user who made the integration. This means that any new groups that are created within the external identity provider and not associated with the user who made the integration may not be visible in Rancher.
Please correct me if I am wrong.

worried-doctor-71696

04/26/2023, 4:30 PM
interesting. that's not the case in our experience. i wasn't the one who initially set up the okta integration, but i'm fairly certain he wasn't a member of all the groups we had added to rancher at the time, or of any of the new groups we've added that didn't exist back then. in the handful of instances where i had to add new groups to rancher myself, i would first have to add myself to the okta group (until i had added the group to rancher). i did have to make sure to log out of rancher and log back in so rancher could re-query okta and see my new group membership.
also, i was incorrect when i mentioned we didn't add individual users. i found a cluster where we have one user in the cluster members list tagged as an "Okta User", though i'm not sure how that was done, unfortunately. 😞