Preflight Checklist
[X] I agree to follow the Code of Conduct that this project adheres to.
[X] I have searched the issue tracker for an issue that matches the one I want to file, without success.
Problem Description
Right now (dex 2.30, GitLab 14.2.3) there is an option to grant GitLab group members access to a cluster (namespaces). It grants access to direct members and inherited members (from higher-level groups) but ignores invited groups.
GitLab allows inviting a group to a project and to a group. This allows having a group (let's say `dev_team`) and then adding `dev_team` to another group (let's say `kubernetes_ro`). With this structure we can add a new user once and get all the permissions automatically. Unfortunately, dex doesn't support groups shared with groups.
Proposed Solution
Since dex moved from the GitLab API to GitLab's OIDC API, there is no clean solution to fix it in dex. The best option would be to ask GitLab to include such groups in `/oauth/userinfo` in the `groups` field. I've created a GitLab issue.
Alternatives Considered
There were times when dex used the GitLab main API. We can still implement an API call to the regular `api/v4/`. The problem is that the current logic is user-based, while the only way to get the list of groups invited to a group is group-based: to be more precise, `api/v4/groups/:id` in the field `shared_with_groups`. The second part of the problem is nesting: we can't be sure how many group-in-group memberships lead to a given user.
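As an added example (not dex's code and not the issue author's), a Go sketch of the group-based lookup described above: it inverts a constructed snapshot of `shared_with_groups` data (hypothetical group names standing in for `api/v4/groups/:id` responses) and then expands a user's direct groups through nested invitations with a cycle guard and a depth bound, which is the nesting problem raised above.

```go
package main

import "fmt"

// Constructed stand-in for GET /api/v4/groups/:id responses (hypothetical names):
// key = a group's full_path, value = group_full_path of each entry in its
// shared_with_groups field. dev_team is invited into kubernetes_ro, which is
// in turn invited into cluster_admins.
var sharedWithGroups = map[string][]string{
	"kubernetes_ro":  {"dev_team"},
	"cluster_admins": {"kubernetes_ro"},
}

// invitedInto inverts shared_with_groups: invited group -> groups it was invited
// into. GitLab keeps the relation on the receiving group, which is why the issue
// calls this a group-based lookup: a per-user answer needs every group's record.
func invitedInto(shared map[string][]string) map[string][]string {
	idx := map[string][]string{}
	for target, invited := range shared {
		for _, g := range invited {
			idx[g] = append(idx[g], target)
		}
	}
	return idx
}

// expandGroups returns the set of the user's groups plus every group reachable
// through group-in-group invitations. reachable stops cycles (A into B, B into A);
// maxDepth bounds the walk because the number of nesting levels is unknown up front.
func expandGroups(userGroups []string, idx map[string][]string, maxDepth int) map[string]bool {
	reachable := map[string]bool{}
	var walk func(g string, depth int)
	walk = func(g string, depth int) {
		if reachable[g] || depth > maxDepth {
			return
		}
		reachable[g] = true
		for _, parent := range idx[g] {
			walk(parent, depth+1)
		}
	}
	for _, g := range userGroups {
		walk(g, 0)
	}
	return reachable
}

func main() {
	fmt.Println(expandGroups([]string{"dev_team"}, invitedInto(sharedWithGroups), 5))
}
```

The depth bound is a policy choice: an OIDC `groups` claim from GitLab would not need it, but a connector walking `api/v4/groups/:id` itself has to pick one.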
Additional Information
We are using Deckhouse, developed by Flant. It uses user-authz from dex and thus has the same issue. My understanding of dex can be far from reality =\