
Only a user logged in via external auth provider can access Rancher user and group attributes from auth provider

Article Number: 000021679

Environment

SUSE Rancher configured with an external authentication provider

Situation

When SUSE Rancher is configured to use an external authentication provider, such as Active Directory, Keycloak, or OpenLDAP, you may want to search the provider's users or groups in order to configure their permissions or add them to the corresponding clusters. However, if this search is performed while logged in as any local user, including the Rancher local admin, the operation does not retrieve any information.

Cause

This behaviour is expected and by design. A user logged in with a local account does not have the necessary permissions in the external authentication provider to search for users or groups, so Rancher is unable to search for them.

Because the information being requested does not belong to the logged-in user in the external authentication provider, Rancher cannot fetch it either. This holds even if the local user is an administrator in Rancher: if the user does not have permission to access this information in the external authentication provider, Rancher will not be able to retrieve it.

Resolution

To retrieve this information, log in with a user that has the proper permissions in the external authentication provider. That is, the user must be a properly configured user with access to the external authentication provider.