Describe the solution you'd like
With OAuth, it would be really useful to be able to assign access to Server Groups using OIDC claims. You could use this to give users different levels of permissions based on their assigned roles.
For example:

```python
# config.py
OAUTH2_SERVER_GROUP_CLAIM = 'pgadmin_server_groups'
```

Then with claim mappers you set:

```json
{"pgadmin_server_groups": ["RO Server 1", "RO Server 2", ...]}
```

which should give you access to that list of servers.
Describe alternatives you've considered
Reconfiguring servers on a per-user basis (tedious, copies of database credentials). Using a shared server group (not granular).
Or #9673 - but that seems much more involved than what I was thinking
Basically, I'm thinking something like this:
```python
# Assumed imports (the snippet is a method of pgAdmin's ServerGroupModule;
# the enclosing class is only sketched here):
from flask import session
from flask_security import current_user
from pgadmin.model import ServerGroup
from pgadmin.utils.constants import OAUTH2
from pgadmin.utils.preferences import Preferences


class ServerGroupModule:
    @staticmethod
    def get_all_server_groups():
        """
        Returns the list of server groups to show in server mode and
        if there is any shared server in the group.
        :return: server groups
        """
        pref = Preferences.module('browser')
        hide_shared_server = pref.preference('hide_shared_server').get()

        # lookup claims: only OAuth2 logins carry the server-group claim,
        # which the login handler is expected to have stored in the session
        oauth2_allowed_server_groups = None
        if getattr(current_user, 'auth_source', None) == OAUTH2:
            oauth2_allowed_server_groups = session.get('oauth2_server_group_claims')
        # a missing or non-list claim means no claim-based access at all
        has_claim_based_filter = isinstance(oauth2_allowed_server_groups, list)
        if has_claim_based_filter:
            oauth2_allowed_server_groups = set(oauth2_allowed_server_groups)

        server_groups = ServerGroup.query.all()
        groups = []
        for group in server_groups:
            is_allowed_group = (
                group.user_id == current_user.id or
                (not hide_shared_server and
                 ServerGroupModule.has_shared_server(group.id)) or
                # also check claim
                (has_claim_based_filter and
                 group.name in oauth2_allowed_server_groups)
            )
            if is_allowed_group:
                groups.append(group)
        return groups
```
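The following is an added, self-contained example (not pgAdmin code and not part of the issue above) that models the whole flow the request describes end to end: at OAuth2 login the claim named by `OAUTH2_SERVER_GROUP_CLAIM` is read from the token claims and stored in the session, and the server-group listing then admits a group if the user owns it, if it is shared and sharing is not hidden, or if its name appears in the claim. It also covers the failure modes a reviewer would ask about: a claim that is absent or not a list of strings grants nothing, and claim data in the session is ignored for non-OAuth2 logins. The `ServerGroup`/`User` dataclasses, `build_session`, `filter_server_groups`, `shared_ids` and the sample data are constructed assumptions for illustration; `OAUTH2 = 'oauth2'` is assumed to match pgAdmin's constant.

```python
"""Added example: OIDC-claim based server-group access (not pgAdmin's code)."""
from dataclasses import dataclass
from typing import Any, Dict, Iterable, List, Optional

# Proposed config key from the request; value assumed as in the example.
OAUTH2_SERVER_GROUP_CLAIM = 'pgadmin_server_groups'
OAUTH2 = 'oauth2'  # assumed to match pgAdmin's auth_source constant


@dataclass(frozen=True)
class ServerGroup:  # constructed stand-in for the ORM model
    id: int
    name: str
    user_id: int


@dataclass(frozen=True)
class User:  # constructed stand-in for current_user
    id: int
    auth_source: str


def extract_server_group_claim(claims: Dict[str, Any],
                               claim_name: str = OAUTH2_SERVER_GROUP_CLAIM
                               ) -> Optional[List[str]]:
    """Return the group names carried by the claim, or None when the claim
    is missing or malformed (anything but a list of strings grants nothing)."""
    value = claims.get(claim_name)
    if not isinstance(value, list) or not all(isinstance(v, str) for v in value):
        return None
    return value


def build_session(user: User, claims: Dict[str, Any]) -> Dict[str, Any]:
    """What a login handler would put in the Flask session (plain dict here).
    Only OAuth2 logins get the claim stored; a bad claim stores nothing."""
    session: Dict[str, Any] = {}
    if user.auth_source == OAUTH2:
        allowed = extract_server_group_claim(claims)
        if allowed is not None:
            session['oauth2_server_group_claims'] = allowed
    return session


def filter_server_groups(groups: Iterable[ServerGroup], user: User,
                         session: Dict[str, Any],
                         shared_ids: Iterable[int] = (),
                         hide_shared_server: bool = False) -> List[ServerGroup]:
    """Mirror of the proposed get_all_server_groups() logic over plain data."""
    shared = set(shared_ids)
    allowed_claim: Optional[set] = None
    # The claim only counts for OAuth2 logins, even if session data is present.
    if user.auth_source == OAUTH2:
        raw = session.get('oauth2_server_group_claims')
        if isinstance(raw, list):
            allowed_claim = set(raw)
    result = []
    for group in groups:
        is_allowed = (
            group.user_id == user.id
            or (not hide_shared_server and group.id in shared)
            or (allowed_claim is not None and group.name in allowed_claim)
        )
        if is_allowed:
            result.append(group)
    return result


def names(groups: Iterable[ServerGroup]) -> List[str]:
    return [g.name for g in groups]


# Constructed sample data: user 7 is an admin who owns the shared groups.
GROUPS = [
    ServerGroup(1, 'Servers', 1),
    ServerGroup(2, 'RO Server 1', 7),
    ServerGroup(3, 'RO Server 2', 7),
    ServerGroup(4, 'Admin Servers', 7),
]
ALICE = User(id=1, auth_source=OAUTH2)
BOB = User(id=2, auth_source='internal')
ALICE_CLAIMS = {'sub': 'alice',
                OAUTH2_SERVER_GROUP_CLAIM: ['RO Server 1', 'RO Server 2']}

if __name__ == '__main__':
    sess = build_session(ALICE, ALICE_CLAIMS)
    print(names(filter_server_groups(GROUPS, ALICE, sess)))
```

Running it lists Alice's own group plus the two read-only groups named in her claim; swapping the claim for a bare string, or logging in through the internal auth source, drops the claim-derived groups again.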