Is it possible to leverage both OIDC (via GenericOAuthenticator) and RBAC at the same time?
And, specifically, is it possible to use RBAC to map groups to roles, and then OIDC (GenericOAuthenticator) to map users to groups?
Here’s what I would expect to accomplish the job:
```python
# Define roles and assign them to groups.
c.JupyterHub.load_roles.append(...)

# Allow OIDC to define user groups.
def compute_groups(claims):
    pass

c.GenericOAuthenticator.claim_groups_key = compute_groups
c.GenericOAuthenticator.manage_groups = True
```
However, as far as I can tell, `claim_groups_key` is only ever read by `get_user_groups`, which is only ever read in two scenarios:

- `allowed_groups` is set to a static list of groups that are allowed in, and
- `update_auth_model`, if a specific set of

and both of those scenarios seem to violate the basic principles of RBAC. I’d want my group’s role to be consulted for permissions, not the simple fact of role membership.
And, since I’m not setting `admin_groups`, I’m not ever seeing my `compute_groups` function getting called.
What’s the magic incantation to allow OIDC to define user groups, map groups to roles, and use roles to define permissions?
I’ve also tried specifying `load_groups` and disabling `manage_groups`. That definitely loads a static group membership map into the database, but then the OIDC GenericOAuthenticator still doesn’t seem to pick up user groups or even invoke
```python
# Define roles and assign them to groups.
c.JupyterHub.load_roles.append(...)

# Define static group mapping.
c.JupyterHub.load_groups.append(...)

# Allow OIDC to define user groups.
def compute_groups(claims):
    pass

c.GenericOAuthenticator.claim_groups_key = compute_groups
```
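For reference, here is a worked version of the wiring the question is after: OIDC claims define Hub groups through a `claim_groups_key` callable, and `load_roles` binds those groups to RBAC roles. This is an added example, not code from the post above and not JupyterHub's or oauthenticator's own code. It assumes the IdP puts group paths in a `groups` claim, that Hub-relevant groups live under a constructed `/hub/` prefix, the constructed role and group names, and that the `claim_groups_key` callable receives the OIDC userinfo claims as a dict. The `resolve_scopes` function is an offline model of the group -> role -> scope step only; it does not reproduce JupyterHub's default `user` role or its scope expansion, so use it to sanity-check a role layout, not as a substitute for the Hub's own authorization.

```python
"""Added example, not code from the original post or from JupyterHub/oauthenticator:
a jupyterhub_config.py fragment that lets OIDC claims define JupyterHub groups,
binds those groups to RBAC roles, and models which scopes a set of claims yields.

Assumptions (constructed for this example): the IdP sends group paths in a
"groups" claim, Hub groups live under the "/hub/" prefix, the role and group
names below, and the claim_groups_key callable receives the userinfo claims dict.
"""
from __future__ import annotations

import re
from typing import Any

GROUP_PREFIX = "/hub/"  # constructed: only IdP groups under this path become Hub groups
_SAFE_GROUP = re.compile(r"^[a-z0-9][a-z0-9-]{0,62}$")

# RBAC roles bound to groups (this list is what goes into c.JupyterHub.load_roles).
# Scope names are real JupyterHub scopes; role and group names are constructed.
LOAD_ROLES: list[dict[str, Any]] = [
    {
        "name": "researcher",
        "description": "Run own server and see who else is on the Hub",
        "scopes": ["self", "list:users", "read:users:name"],
        "groups": ["data-science"],
    },
    {
        "name": "server-operator",
        "description": "Start and stop other users' servers without full admin rights",
        "scopes": ["admin:servers", "list:users"],
        "groups": ["hub-operators"],
    },
]


def compute_groups(claims: dict[str, Any]) -> list[str]:
    """Map OIDC claims to JupyterHub group names.

    Intended as the callable for c.GenericOAuthenticator.claim_groups_key.
    Only groups under GROUP_PREFIX are accepted and the prefix is stripped, so an
    unrelated IdP group cannot collide with a name that a Hub role is bound to.
    """
    raw = claims.get("groups") or []
    if isinstance(raw, str):  # some IdPs send a single group as a bare string
        raw = [raw]
    groups: set[str] = set()
    for path in raw:
        if not isinstance(path, str) or not path.startswith(GROUP_PREFIX):
            continue
        name = path[len(GROUP_PREFIX):]
        if _SAFE_GROUP.match(name):  # rejects nested paths and odd characters
            groups.add(name)
    return sorted(groups)


def resolve_scopes(
    claims: dict[str, Any], roles: list[dict[str, Any]] = LOAD_ROLES
) -> set[str]:
    """Offline model of group -> role -> scope: the union of the scopes of every
    role bound to at least one of the user's groups (no default-role expansion)."""
    groups = set(compute_groups(claims))
    scopes: set[str] = set()
    for role in roles:
        if groups & set(role.get("groups", [])):
            scopes.update(role["scopes"])
    return scopes


def configure(c) -> None:
    """Wire it up; call as configure(get_config()) from jupyterhub_config.py."""
    c.JupyterHub.load_roles = LOAD_ROLES
    c.GenericOAuthenticator.claim_groups_key = compute_groups
    # Let the authenticator write group membership at login instead of load_groups.
    c.GenericOAuthenticator.manage_groups = True
```

Because `compute_groups` only admits names under the agreed prefix and in a strict character set, a group created in the IdP for some other purpose cannot silently acquire Hub permissions by matching a role binding; `resolve_scopes` lets you check what each group combination grants before deploying the roles.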