9ff35da to 33a4dda

astropanic approved these changes Oct 11, 2023

be1f1b0 to 113be40
* A new Google connector option has been introduced, i.e., `serviceAccountToImpersonate`. If this field is non-empty, it is assumed that Workload Identity Federation shall be used, and the linked service account needs to be configured for domain-wide delegation. Moreover, the service account used for Workload Identity Federation must include `Service Account Token Creator` for this service account.
* Print some warnings if the configuration is not consistent or erroneous.
* Fix fetching groups to rely on `groups` as scope. In the case `groups` is specified as a scope, the OAuth authentication call will fail as Google doesn't support it. Moreover, as fetching groups requires the group directory service, it is enough to assume the existence of this service as a prerequisite for the fetch. If `groups` is specified as a scope, a warning is printed, instead of erroring out, for backwards compatibility reasons.
* When specifying `groups` in the configuration, but no group directory service will be created, a warning is printed that the groups configuration will be ignored.

Signed-off-by: Michael Dudzinski <michael.dudzinski@web.de>
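An added sketch in Go (not code from this pull request) of the warn-instead-of-fail checks the commit message describes, run over two constructed configurations. Every name except `serviceAccountToImpersonate` is hypothetical, and dropping the `groups` scope and tying the directory service to an admin email are assumptions.

```go
package main

import "fmt"

// Config is a hypothetical stand-in for the connector options. Only
// ServiceAccountToImpersonate is named on the page; the rest are assumed.
type Config struct {
	Scopes, Groups              []string
	AdminEmail                  string // assumed: user acted as via domain-wide delegation
	ServiceAccountToImpersonate string // non-empty selects Workload Identity Federation
}

// Plan is what the connector would act on after checking the configuration.
type Plan struct {
	Scopes      []string // scopes safe to send to Google
	UseWIF      bool
	FetchGroups bool
	Warnings    []string
}

// Check applies the rules from the commit message and warns instead of failing.
func Check(c Config) Plan {
	p := Plan{UseWIF: c.ServiceAccountToImpersonate != ""}
	for _, s := range c.Scopes {
		if s == "groups" {
			// Google rejects this scope. Assumption: drop it so the OAuth call succeeds.
			p.Warnings = append(p.Warnings, `scope "groups" is not supported by Google; ignoring it`)
			continue
		}
		p.Scopes = append(p.Scopes, s)
	}
	// Assumption: the directory service is created only when an admin email is set.
	// Group fetching depends on that service existing, not on any requested scope.
	p.FetchGroups = c.AdminEmail != ""
	if len(c.Groups) > 0 && !p.FetchGroups {
		p.Warnings = append(p.Warnings, "no group directory service; groups configuration is ignored")
	}
	return p
}

func main() {
	// Constructed sample configurations.
	legacy := Config{Scopes: []string{"profile", "email", "groups"}, Groups: []string{"sec-admins@example.com"}}
	wif := Config{Scopes: []string{"profile", "email"}, Groups: []string{"sec-admins@example.com"},
		AdminEmail: "admin@example.com", ServiceAccountToImpersonate: "dex-groups@example-project.iam.gserviceaccount.com"}
	for _, c := range []Config{legacy, wif} {
		fmt.Printf("%+v\n", Check(c))
	}
}
```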