djpbessems/ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Update dynamic clients proposal with a link to the LDAP/AD UI release

Browse Source 
Also fix a typos.
This commit is contained in:
Ryan Richard 2022-07-21 11:37:58 -07:00
parent 1eefba537d
commit b507604b90
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
proposals/1125_dynamic-supervisor-oidc-clients/README.md
View File

@ -57,11 +57,12 @@ Goals for this proposal:
Not all webapps should have permission to act on behalf of the user with the Kubernetes API of the clusters,
so an admin must be able to configure which clients have this permission.
- Provide a mechanism for requesting access to different aspects of a user identity, especially getting group
memberships or not, to allow the admin to exclude this potentially information for clients which do not need it.
memberships or not, to allow the admin to exclude this potentially sensitive information for clients which do not need it.
- Support a web UI based LDAP/ActiveDirectory login screen. This is needed to avoid having webapps handle the user's
password, which must only be seen by the Supervisor and the LDAP server. However, the details of this item have been
split out to a
[separate proposal document](https://github.com/vmware-tanzu/pinniped/tree/main/proposals/1113_ldap-ad-web-ui).
The feature was released in [v0.18.0](https://github.com/vmware-tanzu/pinniped/releases/tag/v0.18.0).
- Client secrets must be stored encrypted or hashed, not in plain text.
- Creation of client credentials on the operator's behalf - the server must generate any secrets.
- The operator must be able to initiate manual rotation of client credentials.