Skip to content

Allow pushing user-allocation membership to Keycloak #249

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

Allow pushing user-allocation membership to Keycloak #249

wants to merge 1 commit into from
+158 −18

Conversation

QuanMPhm
Copy link
Contributor

@QuanMPhm QuanMPhm commented Oct 3, 2025

Closes nerc-project/operations#948. More details in the commit message
There are still some questions I have below, so this is still a draft for now.

QuanMPhm
QuanMPhm commented Oct 3, 2025
View reviewed changes
src/coldfront_plugin_cloud/kc_client.py

def get_user_id(self, cf_username) -> str | None:
"""Return None if user not found"""
# TODO (Quan): Confirm that Coldfront usernames map to Keycloak emails, not email, or something else?
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@knikolla @naved001

QuanMPhm
QuanMPhm commented Oct 3, 2025
View reviewed changes
src/coldfront_plugin_cloud/tests/functional/openshift/test_allocation.py
user_id = self.kc_admin_client.get_user_id(user.username)
assert project_id in self.kc_admin_client.get_user_groups(user_id)

# TODO (Quan): Confirm that user should also be removed from group on role removal
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@knikolla @larsks @naved001

@QuanMPhm
Allow pushing user-allocation membership to Keycloak
d7da5c4 
A Keycloak admin client has been added
When `activate_allocation` is called, the user is added
to a Keycloak group named after the project ID on the remote cluster.
If the user does not already exist in Keycloak, the case is ignored for now
@QuanMPhm
Copy link
Contributor Author

QuanMPhm commented Oct 6, 2025

@knikolla Two more questions:

  1. Do we also want validate_allocations to add PIs to pre-existing allocations?
  2. When a PI adds a user to an Coldfront project or allocation, do those users also get added to a the project's Keycloak group?

@QuanMPhm QuanMPhm marked this pull request as draft October 6, 2025 17:42
@knikolla knikolla mentioned this pull request Oct 6, 2025
Open
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@larsks larsks Awaiting requested review from larsks

@knikolla knikolla Awaiting requested review from knikolla

@naved001 naved001 Awaiting requested review from naved001

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Investigate centralizing authorization for NERC users in Keycloak
1 participant
@QuanMPhm