separate user for each team member

[tapuhi]

Hi, The security department asked me to have a separate user for each team member or each employee accessing orchestrator even for read only (we all like security right ? :-) ) , is that possible ? Is there a way to use "Google Sign in" to manage access to orchestrator or any other external authenticator like AD ? if not please add it :-) . Br

[shlomi-noach]

Hi,

I'd suggest using LDAP. orchestrator itself has no built-in support for ldap/google-sign-in/oautch/etc.

Instead, what I've done in different places:

• bind orchestrator to 127.0.0.1:3000 (pick your port) ; this will ensure it cannot serve external requests
• run nginx or other reverse proxy on same server
• have nginx authenticate users via ldap
• have nginx send HTTP header to orchestrator with authenticated username.
• pizza

see https://github.com/github/orchestrator/blob/master/docs/security.md, "Headers authentication".