Authentication Groups

When configured for platform-wide LDAP/AD user authentication (see The User Management Screen and Configuring User Authentication Settings) the addition of LDAP/AD groups (called authentication groups) to a tenant or project as Tenant/Project Members, Tenant/Project Administrators, or Platform Administrators via the External Authentication tab is supported, as described in Configuring User Authentication Settings.

This feature lets you avoid having to manually add individual users. Each authentication group may be associated with up to one role per tenant or project. A pop-up error dialog appears if you try to assign multiple roles to the same authentication group within a single tenant.

An LDAP/AD user who belongs to one of a tenant's or project's authentication groups, as declared by the memberOf or isMemberOf attribute in that user object, can log in and act within that tenant/project.

NOTE The isMemberOf variant attribute is currently only supported for the purposes of UI/API login and tenant/project role assignment. The default authentication package used in the container login feature still requires memberOf as the group pointer. If isMemberOf needs to be recognized for container login purposes, then the authentication package will need to be modified..

Such a user is treated as follows:

  • A user who is a member of at least one tenant authentication group can log into a tenant/project using their LDAP/AD credentials.
  • A user who is authenticated because of group membership will have their role in a tenant (i.e. member or admin) determined by the role associated with that group.
  • A user who is a member of multiple authentication groups for a tenant or project will have the Tenant Administrator role in that tenant if any of those groups are associated with the Tenant Administrator role.
  • User privileges persist for the duration of a session. A session lasts until the user logs out, 24 hours pass, or until a Platform Administrator terminates the session as described in Managing User Sessions, whichever comes first.
  • Changes to tenant authentication groups and role associations, or changes to group memberships on the LDAP/AD server, will apply to affected users the next time they log in and establish a new session.
NOTE Nested group membership is not supported. For example, if Group_A is the only authentication group specified for a tenant/project and Group_B is a member of Group_A, then only users who are members of Group_A will be authenticated. Users who are members of Group_B but who are not direct members of Group_A will not be authenticated.
NOTE When using an Active Directory server for authentication, an authentication group will not be able to grant access for AD users that have it as their Primary Group. Only the non-primary groups assigned to AD users can be employed as authentication groups. This issue is not a concern if you are using an LDAP server.

The user account for a group-authenticated user is created whenever that user logs in. This behavior has the following implications:

  • Login-time account creation for a user will not occur if the Platform Administrator has manually added that user as an externally-authenticated LDAP/AD user. In that case, the user's manually assigned tenant/project roles will take precedence over the effects of any authentication group memberships.
  • The Platform Administrator cannot modify the roles assigned to users who belong to an authentication group but who have not been manually added. These changes must happen at the LDAP/AD server level.
  • Users who belong to an authentication group will not appear in the User Management screen until they log into HPE Ezmeral Runtime Enterprise or a specific tenant/project for the first time.
  • Removing an authentication group user from the User Management screen does not override their group-based access permissions, because the affected user will simply be able to log back in and re-create their user account.

    Changing such a user's access privileges requires either removing them from the authentication group at the LDAP/AD server or changing the role associated with the entire authentication group (see Editing an Existing Kubernetes Tenant or Project).