Add Roles to Group via PachCTL

Before You Start

How to Assign Roles to a Group

This guide uses Auth0 and assumes resources (projects, repositories) have already been created in your cluster.

  1. Enable group management in your IdP of choice.

  2. Update your connector config to include the appropriate attributes.

    JSON:

    {
        "type": "oidc",
        "id": "auth0",
        "name": "Auth0",
        "version": 1,
        "config": {
            "issuer": "https://dev-k34x5yjn.us.auth0.com/",
            "clientID": "hegmOc5rTotLPu5ByRDXOvBAzgs3wuw5",
            "clientSecret": "7xk8O71Uhp5T-bJp_aP2Squwlh4zZTJs65URPma-2UT7n1iigDaMUD9ArhUR-2aL",
            "redirectURI": "http(s)://<insert-external-ip-or-dns-name>/dex/callback",
            "scopes": ["groups", "email", "profile"],
            "claimMapping": {
                "groups": "http://pachyderm.com/groups"
            },
            "insecureEnableGroups": true
        }
    }

    YAML:

    type: oidc
    id: auth0
    name: Auth0
    version: 1
    config:
        issuer: https://dev-k34x5yjn.us.auth0.com/
        clientID: hegmOc5rTotLPu5ByRDXOvBAzgs3wuw5
        clientSecret: 7xk8O71Uhp5T-bJp_aP2Squwlh4zZTJs65URPma-2UT7n1iigDaMUD9ArhUR-2aL
        redirectURI: http(s)://<insert-external-ip-or-dns-name>/dex/callback
        scopes:
        - groups
        - email
        - profile
        claimMapping:
            groups: http://pachyderm.com/groups
        insecureEnableGroups: true

  3. Update the config by running the following command:

    pachctl idp update-connector <connector-id> --version 2

  4. Grant the group roles by running the following command:

    pachctl auth set <resource-type> <resource-name> <role-name> group:<group-name>

  5. Confirm the group’s roles were updated for the given resource:

    pachctl auth get project <project-name>
    pachctl auth get repo <repo-name>

Tip
The command pachctl auth get-groups lists the groups that have been defined on your cluster.
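
An added example (not from the Pachyderm documentation): a Python pre-flight check that a connector config carries the group settings from step 2, plus a simplified model of how the mapped claim yields the group:<group-name> subjects used in step 4. The function names, the sample config values and the token payload are constructed, and the claim-to-subject mapping is an assumption based on the subject format shown above.

```python
import json

# Constructed connector config with this guide's fields; every value is a placeholder.
CONNECTOR = json.loads("""
{"type": "oidc", "id": "auth0", "name": "Auth0", "version": 1,
 "config": {
   "issuer": "https://idp.example.com/",
   "clientID": "<client-id>",
   "clientSecret": "<client-secret>",
   "redirectURI": "https://pach.example.com/dex/callback",
   "scopes": ["groups", "email", "profile"],
   "claimMapping": {"groups": "http://pachyderm.com/groups"},
   "insecureEnableGroups": true}}
""")

# Constructed ID-token payload, assumed already signature-verified and decoded.
CLAIMS = {"email": "dev@example.com",
          "http://pachyderm.com/groups": ["data-eng", "ml-team"]}

def lint_connector(connector):
    """List deviations from the group settings this guide configures."""
    cfg = connector.get("config", {})
    problems = []
    if connector.get("type") != "oidc":
        problems.append("type is not oidc")
    if "groups" not in cfg.get("scopes", []):
        problems.append("scopes lacks 'groups'")
    if not cfg.get("claimMapping", {}).get("groups"):
        problems.append("claimMapping.groups is not set")
    if cfg.get("insecureEnableGroups") is not True:
        problems.append("insecureEnableGroups is not true")
    if "<" in cfg.get("redirectURI", ""):
        problems.append("redirectURI still contains a placeholder")
    return problems

def group_subjects(connector, claims):
    """Assumed model: each entry of the mapped claim becomes a group:<group-name> subject."""
    if lint_connector(connector):
        return []  # fail closed: a misconfigured connector yields no group subjects
    key = connector["config"]["claimMapping"]["groups"]
    groups = claims.get(key, [])
    if not isinstance(groups, list):
        return []  # a non-list claim value is treated as "no groups"
    return ["group:" + g for g in groups if isinstance(g, str) and g]

if __name__ == "__main__":
    print(lint_connector(CONNECTOR) or "connector OK")
    for subject in group_subjects(CONNECTOR, CLAIMS):
        print("pachctl auth set <resource-type> <resource-name> <role-name>", subject)
```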