Configuring Azure AD groups for authorization


Sachidanand Patil

Jan 22, 2021, 10:52:56 AM1/22/21
to Repo and Gerrit Discussion
Hi,

We are struggling to configure Azure AD groups for authorization in Gerrit. Authentication is working fine after installing the plugin, i.e. gerrit-oauth-provider, and we are able to log in with Azure AD users, but we are unable to use groups in Azure AD for authorization.

Thanks & Regards,
Sachi

Luca Milanesio

Jan 22, 2021, 11:17:53 AM1/22/21
to Sachidanand Patil, Luca Milanesio, Repo and Gerrit Discussion


> On 22 Jan 2021, at 15:36, Sachidanand Patil <sachidana...@gmail.com> wrote:
>
> Hi,
>
> We are struggling to configure Azure AD groups for authorization in Gerrit. Authentication is working fine after installing the plugin, i.e. gerrit-oauth-provider, and we are able to log in with Azure AD users, but we are unable to use groups in Azure AD for authorization.

Any reason why you are using OAuth and not LDAP to connect with Active Directory?

Gerrit supports Active Directory as LDAP out of the box, including group resolution.
If you want to use OAuth for any reason, the groups won't be resolved. You would still need to rely on LDAP group lookup, using the HTTP_LDAP authentication scheme.

HTH

Luca.

Sachidanand Patil

Jan 22, 2021, 11:49:56 AM1/22/21
to Repo and Gerrit Discussion
Thanks, Luca, for the prompt response.

Currently we are using LDAP for authentication as well as authorization, but now we are planning to use MS Azure Active Directory (OAuth/SAML) instead of LDAP for authentication and authorization of all our DevOps tools, including Gerrit.

Why are we planning to do so: it is a cloud solution and is recommended for identity and access management in our organization. Of course it has its own benefits like MFA, self service, and all the other benefits that every SaaS solution provides, e.g. stability, performance, reliability, etc.

We have configured OAuth with MS Azure AD for Gerrit and authentication is working fine, but we are struggling to use Azure AD groups for authorization.
Can you help if it can be achieved using this or any other way?

Also, it would be nice if you could help me more on this. Are you suggesting LDAP for authorization and federating authentication to MS Azure AD in this case?
"If you want to use OAuth for any reason, the groups won't be resolved. You would still need to rely on LDAP group lookup, using the HTTP_LDAP authentication scheme."

Thanks & regards,
Sachi

Luca Milanesio

Jan 22, 2021, 11:58:33 AM1/22/21
to Sachidanand Patil, Luca Milanesio, Repo and Gerrit Discussion

Gerrit doesn't support OAuth *natively* but instead has an OAuth plugin for that, which uses a servlet redirection system. Basically, a servlet manages the OAuth handshake and propagates the identity to Gerrit in an HTTP header.
The issue is, as you've noticed, that the groups aren't propagated.

One solution is to use Gerrit's HTTP_LDAP authentication config (see [1]) and therefore still rely on LDAP group resolution, on top of your current OAuth authentication handshake.
You would need to resolve the OAuth handshake at the reverse proxy level, e.g. Apache HTTPD with an OAuth authentication module (see [2]).

HTH

Luca.
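As an added example (not from this thread or from the Gerrit project), this is what the Gerrit side of that setup looks like in etc/gerrit.config: the reverse proxy completes the OAuth/OIDC handshake with Azure AD and forwards the authenticated username in an HTTP header, and Gerrit trusts that header while resolving group membership from Active Directory over LDAP. The header names, hostnames, DNs and logout path are placeholders, and the proxy is assumed to be Apache httpd with an OIDC module since reference [2] is not in the thread.

```ini
# etc/gerrit.config (added example; hostnames, DNs and header names are placeholders)
[auth]
    # Trust the identity established by the reverse proxy; resolve groups via LDAP
    type = HTTP_LDAP
    # Header the proxy sets after the OAuth/OIDC handshake (assumed name)
    httpHeader = X-Forwarded-User
    # Optional: the proxy can also pass display name and e-mail claims
    httpDisplaynameHeader = X-Forwarded-DisplayName
    httpEmailHeader = X-Forwarded-Email
    # Logging out of Gerrit must also end the proxy's session (placeholder path)
    logoutUrl = https://gerrit.example.com/oauth2/logout

[ldap]
    # Active Directory reached over LDAPS; the bind password belongs in
    # etc/secure.config as ldap.password, never here
    server = ldaps://ad.example.com
    username = CN=gerrit-bind,OU=ServiceAccounts,DC=example,DC=com
    accountBase = DC=example,DC=com
    # Map the header value to an AD user by sAMAccountName
    accountPattern = (&(objectClass=person)(sAMAccountName=${username}))
    accountFullName = ${givenName} ${sn}
    accountEmailAddress = mail
    # AD stores group DNs on the user object, so read memberOf instead of
    # searching every group for the member
    accountMemberField = memberOf
    groupBase = DC=example,DC=com
    groupName = cn
    groupPattern = (&(objectClass=group)(cn=${groupname}))
```

With HTTP_LDAP Gerrit accepts whatever value arrives in that header, so Gerrit's HTTP listener must be reachable only from the proxy and the proxy must drop any client-supplied X-Forwarded-User before setting its own; otherwise anyone who can reach Gerrit directly could claim any AD account.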


Sachidanand Patil

Jan 26, 2021, 7:09:34 AM1/26/21
to Repo and Gerrit Discussion
Hi,

Thanks for the prompt response.
I guess I got the point. Currently the plugin does not support Azure AD groups and we need to rely on LDAP groups for authorization.
However, we have many DevOps tools for which we are moving away from LDAP to Azure AD for both authentication and authorization.
We would highly appreciate it if Azure AD group support could be added to the plugin, if possible, as it is going to be very useful to us and, I am sure, to many big organizations like us.


Thanks & Regards,
Sachi

Luca Milanesio

Jan 26, 2021, 8:59:37 AM1/26/21
to Sachidanand Patil, Luca Milanesio, Repo and Gerrit Discussion
Sure, have you thought about contributing back and writing the support for Azure groups?

Gerrit Code Review is a truly open-source project and relies on contributions by its users.
Many of the features of Gerrit have been written by big organisations like yours.

It would also be useful if you could propose the feature on:

Thanks for your feedback and hopefully contributions :-)

Luca.
