
Multi-Organization Group Sync compatibility upgrade #14202

Closed
@Emyrk

Description


Migrate feature away from using the default organization.

At present oidcGroups returns a flat []string of groups to assign to the user. This flat list is applied to the default organization.

Organization Membership

Group sync could, and might, be extended to membership sync. Meaning we might want to use the "everyone" group to assign users into an org.

So the default config would look like (json structure subject to change):

# assign the oidc group to the 'everyone' group in the default org. So
# these users are placed into the "default" org as a member.
CODER_OIDC_GROUP_MAPPING='{"myOIDCGroupID": {"default":"everyone"}}'

This means if the user has no myOIDCGroupID group, they would be removed from the default org. Using groups to assign org membership would be great if we can handle all the edge cases and defaults.

  • Should there be something like CODER_OIDC_GROUP_ALWAYS='{"default":"everyone"}' to make sure everyone is in the default org?
  • Easy to make orgless users.

Some design principles to consider. Organizations are intended to be "self serve" from the perspective of an organization admin. It follows, then, that a site-wide admin might control which users are placed into an org, but further group membership could be decided by the admins of said org.

This could potentially split the configuration into 2 places.

Deployment configuration to upgrade

Auto-create

The CODER_OIDC_GROUP_AUTO_CREATE poses a challenge in multi-org, as it is no longer obvious which organization the new group should be created in.

Static group mapping

The static mapping CODER_OIDC_GROUP_MAPPING needs to accommodate an organization context. This map's JSON is currently map[<OIDC_group_name>]<coder_group_name>, so an example of the current configuration is:

# Flat assignment assuming default org. We need to inject an `<org_id>` into this
CODER_OIDC_GROUP_MAPPING='{"myOIDCGroupID": "myCoderGroupName"}'

We need a json structure that includes organization context for the group. For single org deployments, maybe the old config should still work?
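The two configuration shapes discussed above (the current flat map and the proposed org-keyed map), as an added Go example that is not part of this issue or of Coder's code base. It assumes a nested JSON shape of {"oidcGroup": {"orgID": "coderGroup"}} for the org-aware mapping, that a bare string value keeps its current meaning of "apply to the default org", an org literally named "default", and a hypothetical CODER_OIDC_GROUP_ALWAYS-style map passed in as the `always` argument. The function and type names (ParseGroupMapping, ResolveGroups, MemberOrgs, GroupMapping) are invented for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// DefaultOrg is the organization a legacy flat mapping applies to.
// Assumption for this example: the single-org config always targeted an org named "default".
const DefaultOrg = "default"

// EveryoneGroup is the group whose presence in an org is treated as org membership.
const EveryoneGroup = "everyone"

// GroupMapping is oidcGroup -> (orgID -> coderGroup).
type GroupMapping map[string]map[string]string

// ParseGroupMapping accepts both shapes in one object:
//
//	legacy: {"myOIDCGroupID": "myCoderGroupName"}          (implies DefaultOrg)
//	nested: {"myOIDCGroupID": {"default": "everyone"}}
//
// so an existing single-org config keeps working unchanged. A legacy string value is
// rewritten as {DefaultOrg: name}; anything else is rejected rather than silently dropped.
func ParseGroupMapping(raw string) (GroupMapping, error) {
	var top map[string]json.RawMessage
	if err := json.Unmarshal([]byte(raw), &top); err != nil {
		return nil, fmt.Errorf("group mapping is not a JSON object: %w", err)
	}
	out := make(GroupMapping, len(top))
	for oidcGroup, v := range top {
		var flat string
		if err := json.Unmarshal(v, &flat); err == nil && flat != "" {
			out[oidcGroup] = map[string]string{DefaultOrg: flat}
			continue
		}
		var perOrg map[string]string
		if err := json.Unmarshal(v, &perOrg); err != nil {
			return nil, fmt.Errorf("mapping for %q must be a string or an {orgID: group} object", oidcGroup)
		}
		if len(perOrg) == 0 {
			return nil, fmt.Errorf("mapping for %q names no organization", oidcGroup)
		}
		out[oidcGroup] = perOrg
	}
	return out, nil
}

// ResolveGroups turns the user's OIDC group claims into orgID -> sorted Coder groups.
// always is the hypothetical CODER_OIDC_GROUP_ALWAYS map ({"default":"everyone"}) from the
// issue, applied regardless of claims; nil disables it. Orgs the claims never touch are
// absent from the result, which is what would drop the user from them.
func ResolveGroups(m GroupMapping, always map[string]string, oidcGroups []string) map[string][]string {
	sets := map[string]map[string]struct{}{}
	add := func(org, group string) {
		if sets[org] == nil {
			sets[org] = map[string]struct{}{}
		}
		sets[org][group] = struct{}{}
	}
	for org, g := range always {
		add(org, g)
	}
	for _, claim := range oidcGroups {
		for org, g := range m[claim] { // ranging over a missing claim's nil map is a no-op
			add(org, g)
		}
	}
	out := make(map[string][]string, len(sets))
	for org, set := range sets {
		groups := make([]string, 0, len(set))
		for g := range set {
			groups = append(groups, g)
		}
		sort.Strings(groups)
		out[org] = groups
	}
	return out
}

// MemberOrgs lists, sorted, the orgs whose resolved groups include EveryoneGroup.
// With no "always" entry, a user whose claims match nothing gets an empty list:
// the "easy to make orgless users" edge case raised in the issue.
func MemberOrgs(resolved map[string][]string) []string {
	var orgs []string
	for org, groups := range resolved {
		for _, g := range groups {
			if g == EveryoneGroup {
				orgs = append(orgs, org)
				break
			}
		}
	}
	sort.Strings(orgs)
	return orgs
}

func main() {
	// Constructed sample config mixing the legacy and org-aware shapes.
	m, err := ParseGroupMapping(`{"legacyGroup": "myCoderGroupName", "contractors": {"default": "everyone", "acme": "readers"}}`)
	if err != nil {
		panic(err)
	}
	r := ResolveGroups(m, nil, []string{"contractors"})
	fmt.Println(r, MemberOrgs(r)) // map[acme:[readers] default:[everyone]] [default]
	r = ResolveGroups(m, map[string]string{"default": "everyone"}, []string{"legacyGroup"})
	fmt.Println(r, MemberOrgs(r)) // map[default:[everyone myCoderGroupName]] [default]
	fmt.Println(MemberOrgs(ResolveGroups(m, nil, []string{"unknown"}))) // [] (orgless user)
}
```

The design choice worth noting is that the parser refuses an empty or non-object, non-string value instead of ignoring it: a mapping that silently maps to nothing would strip users from orgs on their next login, which is exactly the failure mode the "always" map exists to guard against.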

Labels: enterprise (Enterprise-license / premium functionality), multi-org (temporary label for multiple organizations related work)