Configure Operatr with Github SSO (OAuth2) to authenticate and authorize users.
Note: Github Enterprise SSO integrations limit user sign-in to your organization. When integrating with standard Github SSO you must configure RBAC with the Github org set to ensure the same organization-level restriction is met.
User Authentication
Create a Github OAuth2 Application
- Log in to GitHub and navigate to the organisation you wish to integrate with Operatr.
- Navigate to Settings > Developer Settings > OAuth Apps > New OAuth Application
- Fill out the Register a new OAuth application form:
  - Application Name: The name of your Operatr instance, e.g. 'Operatr Staging'.
  - Homepage URL: The absolute URL to your Operatr instance, e.g. https://operatr.stage.mycorp.com
  - Authorization callback URL: The absolute URL for authorization callback, e.g. https://operatr.stage.mycorp.com/oauth2/github/callback
- Open your freshly created OAuth App and make note of the Client ID and Client Secret.
Integrate Operatr with Github OAuth2
Set the following environment variables and start Operatr:
- AUTH_PROVIDER_TYPE=github
- OPENID_AUTH_URI= The URI to authorize Github users, e.g. https://github.com/login/oauth/authorize, or [Github Enterprise Host]/login/oauth/authorize
- OPENID_TOKEN_URI= The URI to retrieve an OAuth token, e.g. https://github.com/login/oauth/access_token, or [Github Enterprise Host]/login/oauth/access_token
- OPENID_API_URI= The URI to perform user actions, e.g. https://api.github.com/user, or [Github Enterprise Host]/api/v3/user
- OPENID_CLIENT_ID= the Client ID found in the OAuth Apps page (required)
- OPENID_CLIENT_SECRET= the Client Secret found in the OAuth Apps page (required)
- OPENID_LANDING_URI= The absolute Operatr URI, e.g. https://operatr.stage.mycorp.org
Operatr will now authenticate users with Github via OAuth2.
User Authorization
See the guide to Role Based Access Control for full configuration details.
Integrate Okta SSO (OpenID) and RBAC
When RBAC is enabled Operatr will request orgs:read scope to view the roles associated with an authenticated user.
Github Organisation roles are restricted to admin or member so they are the two roles you can configure with Operatr RBAC when using Github SSO.
When authenticating a user Operatr makes a request to the GitHub API for user membership state and role information by querying GET /orgs/:org/memberships/:username.
Specify the github key inside your rbac-config.yaml to define the Github Organisation to query for role information.
Configuration
In this example we grant admin users of the operatr-io Github Organisation actions TOPIC_INSPECT and TOPIC_PRODUCE for cluster N9xnGujkR32eYxHICeaHuQ.
policies:
  - resource: ["cluster", "N9xnGujkR32eYxHICeaHuQ"]
    effect: "Allow"
    actions: ["TOPIC_INSPECT", "TOPIC_PRODUCE"]
    role: "admin"

# Specifically restrict Auth to a single Github Organization
github:
  org: operatr-io
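As an added illustration (not Operatr's code and not part of the original article), the sketch below shows how the membership response described above and the example policy combine into an allow/deny decision, including the pending-invitation and non-member cases. The function names, the exact-match policy evaluation and the sample responses are assumptions constructed for the example.

```python
# Added illustration; not Operatr source code.
# Constructed sample bodies shaped like GitHub's
# GET /orgs/:org/memberships/:username response.
ACTIVE_ADMIN = {"state": "active", "role": "admin",
                "organization": {"login": "operatr-io"}}
PENDING_ADMIN = {"state": "pending", "role": "admin",
                 "organization": {"login": "operatr-io"}}
ACTIVE_MEMBER = {"state": "active", "role": "member",
                 "organization": {"login": "operatr-io"}}

# The policy and org restriction from the rbac-config.yaml on this page.
RBAC = {
    "policies": [{
        "resource": ["cluster", "N9xnGujkR32eYxHICeaHuQ"],
        "effect": "Allow",
        "actions": ["TOPIC_INSPECT", "TOPIC_PRODUCE"],
        "role": "admin",
    }],
    "github": {"org": "operatr-io"},
}


def effective_role(status, membership, rbac=RBAC):
    """Return 'admin' or 'member', or None when the user gets no role."""
    if status != 200 or not isinstance(membership, dict):
        return None  # e.g. 404: not a member, or membership not visible
    org = membership.get("organization", {}).get("login", "")
    if org.lower() != rbac["github"]["org"].lower():
        return None  # response is for a different organisation
    if membership.get("state") != "active":
        return None  # invited but not yet accepted ("pending")
    role = membership.get("role")
    return role if role in ("admin", "member") else None


def is_allowed(role, resource, action, rbac=RBAC):
    """Default deny: allow only when an Allow policy matches exactly."""
    if role is None:
        return False
    return any(p["effect"] == "Allow" and p["role"] == role
               and p["resource"] == resource and action in p["actions"]
               for p in rbac["policies"])
```

With the page's policy, an active admin of operatr-io may inspect and produce to topics on the cluster, while an active member, a pending invitee and a non-member are all denied.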
Need Help?
- Raise a ticket using the help widget or email support@operatr.io
- Raise an issue in our community Github repository
- Book a video support call or training session at a time that suits your team