HDFGroup / hsds

Cloud-native, service based access to HDF data
https://www.hdfgroup.org/solutions/hdf-kita/
Apache License 2.0

Azure RBAC using AD groups #79

Closed jreadey closed 1 year ago

jreadey commented 3 years ago

Support the use of AD groups for RBAC rather than relying on a group list managed by the server.

jreadey commented 3 years ago

Changes to support this are checked in here: https://github.com/HDFGroup/hsds/commit/729d39d423b4b52ef60985fb32d25468b211c1c2. In summary, the authentication code looks at the "roles" claim in the bearer token and bases the username's group membership on that.

On the client side, the roles are not generated strictly based on the AD group membership, but by using "App Roles". See: https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps. It's easy enough to assign a role based on an AAD group and more flexible than attempting to use the group directly.
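An added example, not hsds's own code and not from the issue author, of the pattern described in the comment above: the server validates the bearer token first, then reads its "roles" claim and makes the RBAC decision from those roles. Everything concrete here is assumed so it runs offline: the HS256 shared secret, the audience and issuer strings, the App Role names (`hsds.reader`, `hsds.admin`) and the ACL. Real AAD tokens are RS256-signed and would be checked against the tenant's published signing keys rather than a shared secret, but the order of operations is the point: the "roles" claim is only meaningful after signature, algorithm, expiry, audience and issuer have all been verified.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Set

# Constructed values for the example only. A real deployment would verify an
# RS256 signature against the tenant's JWKS keys and fill these in from config.
EXAMPLE_SECRET = b"example-shared-secret-not-for-production"
EXPECTED_AUDIENCE = "api://hsds-example"                                   # assumed
EXPECTED_ISSUER = "https://login.microsoftonline.com/example-tenant/v2.0"  # assumed


def _b64url_decode(s: str) -> bytes:
    s += "=" * (-len(s) % 4)            # restore stripped padding
    return base64.urlsafe_b64decode(s.encode("ascii"))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def make_example_token(claims: dict, secret: bytes = EXAMPLE_SECRET) -> str:
    """Build an HS256 JWT from constructed claims (test fixture, stands in for AAD)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def roles_from_token(token: str, secret: bytes = EXAMPLE_SECRET,
                     now: Optional[float] = None) -> Set[str]:
    """Validate the bearer token and return the set of roles it asserts.

    Raises ValueError on any failure. Nothing in the payload is trusted
    until the signature, alg, exp, aud and iss checks have all passed.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")      # reject 'none' and any other alg outright
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected_sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired or missing exp")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("wrong audience")
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    # App Roles arrive as a JSON array of strings; a missing claim means no roles.
    roles = claims.get("roles", [])
    if not isinstance(roles, list) or not all(isinstance(r, str) for r in roles):
        raise ValueError("roles claim malformed")
    return set(roles)


def check_access(token: str, acl: Dict[str, Set[str]], action: str,
                 now: Optional[float] = None) -> bool:
    """RBAC decision: allow if any validated role grants `action` in the ACL.

    Any validation error is a deny; the caller gets a boolean, not a reason,
    so a tampered or expired token looks the same as an unauthorized one.
    """
    try:
        roles = roles_from_token(token, now=now)
    except ValueError:
        return False
    return any(action in acl.get(role, set()) for role in roles)


if __name__ == "__main__":
    # Constructed ACL mapping App Role names to permitted actions.
    acl = {"hsds.reader": {"read"}, "hsds.admin": {"read", "create", "delete"}}
    tok = make_example_token({"aud": EXPECTED_AUDIENCE, "iss": EXPECTED_ISSUER,
                              "exp": time.time() + 600, "roles": ["hsds.reader"]})
    print("read:", check_access(tok, acl, "read"))      # True
    print("delete:", check_access(tok, acl, "delete"))  # False
```

The assumed `check_access` is the shape of the server-side decision: the ACL keys are App Role names rather than user names, so adding a user to the AAD group that is mapped to a role changes what the server will grant without the server maintaining any group list of its own. The expiry check deliberately requires `exp` to be present and numeric; a token that omits it is rejected rather than treated as never expiring.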

jreadey commented 1 year ago

This should be working in master now.