seatgeek / backstage-plugins

SeatGeek Backstage Plugins Collection
Apache License 2.0

Okta Backend: enhancement: Associated users to Groups #51

Open billabongrob opened 8 months ago

billabongrob commented 8 months ago

Right now, this plugin has consumed all users and groups for my organization; however, the membership to those groups is not being ingested at this point, based on the default configuration of the README for the plugin. It would be good to be able to associate this so as to leverage the built-in Backstage permissions model and RBAC that some others have made available.

zhammer commented 8 months ago

so we do this in a maybe backwards way. in our okta, users have fields in their profile like department: "platform", team: "developer-experience" which we use to populate UserEntity.spec.memberOf in our userTransformer. in our groupTransformer we just set spec.children: []. backstage stitches together the proper relationships behind the scenes.

i don't know if these fields are the default for an okta organization or if it's something custom to our org.

anyway, curious if you're asking for some new support in the provider to do this or just an example in the readme?

billabongrob commented 8 months ago

@zhammer I think an example in the README would be super helpful. In our org, members are directly added to groups with team or department not coming into the mix.
I'm almost thinking we'd need to use either something like: user.listGroups() to propagate UserEntity.spec.memberOf or... group.listUsers() to propagate spec.children: [] to propagate this correctly, but I don't believe that functionality is implemented now?

zhammer commented 7 months ago

hm i'm still a bit confused here. sorry for the delay on this as well. to clarify, does the user that comes from okta have some field that maps it to its group? then you can do something like

userTransformer = (user: OktaUser): UserEntity => {
  return {
    apiVersion: 'backstage.io/v1alpha1',
    kind: 'User',
    metadata: {
      name: user.profile!.username!,
    },
    spec: {
      profile: {
        displayName: user.profile!.displayName!,
        email: user.profile!.email!,
      },
      // here, user profile has a "group" field that has the name of their group, which matches the name of the group object returned by the okta groups api
      memberOf: [user.profile!.group],
    },
  };
};

billabongrob commented 7 months ago

It's all good. Nature of the OSS community. The user does come from Okta; however, it is not coming with any groups in the profile response.
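The case raised in this thread is an Okta org where membership lives on the group, not in the user profile. Below is an added example (not the plugin's code and not either commenter's) of how a group-to-members listing can be inverted into UserEntity.spec.memberOf while the groupTransformer keeps children: []. The Okta and Backstage types are simplified stand-ins, the groupId-to-user-ids map is assumed to have been fetched separately per group, and the sample data is constructed.

```typescript
// Added example, not the plugin's code: build UserEntity.spec.memberOf from an
// Okta group->members listing. Types are stand-ins for catalog-model / Okta SDK.
type OktaUser = { id: string; profile: { login: string; displayName: string; email: string } };
type OktaGroup = { id: string; profile: { name: string } };
type GroupMembers = Record<string, string[]>; // groupId -> member user ids (assumed fetched per group)
type UserEntity = { apiVersion: string; kind: 'User'; metadata: { name: string };
  spec: { profile: { displayName: string; email: string }; memberOf: string[] } };
type GroupEntity = { apiVersion: string; kind: 'Group'; metadata: { name: string }; spec: { type: string; children: string[] } };
// Backstage entity names allow only [a-zA-Z0-9_.-] (max 63 chars); normalise so the
// value placed in memberOf matches the group entity's metadata.name exactly.
function toEntityName(raw: string): string {
  return raw.trim().toLowerCase().replace(/[^a-z0-9_.-]+/g, '-').replace(/^-+|-+$/g, '').slice(0, 63);
}
// Invert groupId -> [userId] into userId -> sorted, de-duplicated group names.
function membershipByUser(groups: OktaGroup[], members: GroupMembers): Map<string, string[]> {
  const nameById = new Map<string, string>(groups.map((g): [string, string] => [g.id, toEntityName(g.profile.name)]));
  const acc = new Map<string, Set<string>>();
  for (const groupId of Object.keys(members)) {
    const name = nameById.get(groupId);
    if (!name) continue; // membership for a group that was never ingested: drop it, never invent a group
    for (const uid of members[groupId]) {
      if (!acc.has(uid)) acc.set(uid, new Set<string>());
      acc.get(uid)!.add(name);
    }
  }
  return new Map<string, string[]>(Array.from(acc).map(([uid, names]) => [uid, Array.from(names).sort()]));
}
function userTransformer(user: OktaUser, membership: Map<string, string[]>): UserEntity {
  return {
    apiVersion: 'backstage.io/v1alpha1', kind: 'User',
    metadata: { name: toEntityName(user.profile.login) },
    spec: { profile: { displayName: user.profile.displayName, email: user.profile.email },
      memberOf: membership.get(user.id) ?? [] }, // a user in no group gets [] rather than undefined
  };
}
function groupTransformer(group: OktaGroup): GroupEntity {
  return { apiVersion: 'backstage.io/v1alpha1', kind: 'Group',
    metadata: { name: toEntityName(group.profile.name) },
    spec: { type: 'team', children: [] } }; // Backstage derives members from each user's memberOf
}
// Constructed sample data: g9 has members but no group object; u3 is in no group; u2 listed twice in g2.
const SAMPLE_GROUPS: OktaGroup[] = [{ id: 'g1', profile: { name: 'Platform Engineering' } }, { id: 'g2', profile: { name: 'Security' } }];
const SAMPLE_MEMBERS: GroupMembers = { g1: ['u1', 'u2'], g2: ['u2', 'u2'], g9: ['u1'] };
const SAMPLE_USERS: OktaUser[] = ['u1', 'u2', 'u3'].map((id, i) => ({
  id, profile: { login: `user${i}@example.com`, displayName: `User ${i}`, email: `user${i}@example.com` } }));
function ingest(users: OktaUser[], groups: OktaGroup[], members: GroupMembers) {
  const membership = membershipByUser(groups, members);
  return { users: users.map(u => userTransformer(u, membership)), groups: groups.map(groupTransformer) };
}
```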