
Only a user logged in via external auth provider can access Rancher user and group attributes from auth provider

This document (000021679) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Rancher configured with an external authentication provider

Situation

When SUSE Rancher is configured to use an external authentication provider such as Active Directory, Keycloak, or OpenLDAP, you may want to search the provider's users or groups in order to configure their permissions or add them to the corresponding clusters. However, if the search is made while logged in as a local user, including the Rancher local admin, it won't retrieve any information.

Resolution

To retrieve this information, log in as a user that has the proper permissions in the external authentication provider. That is, the user must be properly configured and have access to the external authentication provider.

Cause

This behaviour is expected and by design. When you are logged in with a local account, that user does not have the permissions in the external authentication provider that are needed to search for users/groups. As a result, Rancher is unable to search for users/groups, as intended.

Because the information you are trying to access does not belong to that user in the external authentication provider, it cannot be fetched through Rancher either. Even if the local user is an administrator in Rancher, Rancher cannot retrieve the information unless that user has permission to access it in the external authentication provider.

Additional Information

https://github.com/rancher/rancher/issues/45496#issuecomment-2228581165

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.