Make service account creds required for google oauth

In the absence of service account creds, non-admin users from google's hosted domain cannot lookup groups, even their own groups (Restriction from google api). So even during login we can't find out what groups the user belongs to. Admins of hosted google domain do not have the same restriction. So they can still search for and add groups that non-admin google users belong to. This will cause lot of inconsistencies, since admins can add a user's groups, but user still won't have access to rancher. So making service account credentials a required field will avoid all this, and searching users/groups will work equally for all google users. Hostname should not be updatable once auth is setup, since the principalIds assigned to users after they log into rancher contain their google addresses which have the hostname.
2025-06-30 23:41:47 +00:00 · 2019-06-21 10:16:10 -07:00 · 2019-06-21 10:16:10 -07:00 · dc55e60da1
commit dc55e60da1
parent a10815ebfe
1 changed files with 2 additions and 2 deletions
--- a/apis/management.cattle.io/v3/authn_types.go
+++ b/apis/management.cattle.io/v3/authn_types.go
@ -168,9 +168,9 @@ type GoogleOauthConfig struct {
 	AuthConfig        `json:",inline" mapstructure:",squash"`

 	OauthCredential          string `json:"oauthCredential,omitempty" norman:"required,type=password"`
-	ServiceAccountCredential string `json:"serviceAccountCredential,omitempty" norman:"type=password"`
+	ServiceAccountCredential string `json:"serviceAccountCredential,omitempty" norman:"required,type=password"`
 	AdminEmail               string `json:"adminEmail,omitempty"`
-	Hostname                 string `json:"hostname,omitempty" norman:"required"`
+	Hostname                 string `json:"hostname,omitempty" norman:"required,noupdate"`
 	UserInfoEndpoint         string `json:"userInfoEndpoint" norman:"default=https://openidconnect.googleapis.com/v1/userinfo,required,notnullable"`
 }