Bug description
LDAP imported users (from Active Directory) cannot see Stacks, Services, Containers, Volumes or Networks. The only section that works is Images. The users are given access to the endpoint directly using the manage access option. Neither giving access to the user directly nor via an imported LDAP group works.
Expected behavior
Imported LDAP users should be able to access all the resources that are part of the endpoint the administrator gave them access to.
Steps to reproduce the issue:
Technical details:
docker run -p 9000:9000 portainer/portainer
docker stack deploy --compose-file=portainer-agent-stack.yml portainer (default compose file from the deployment instructions)
Hi there,
If you log in as an admin and look at each of the pages (stacks, services, containers, volumes, networks, configs, secrets), take a look at the column “ownership”. If that says “administrators” then standard users will NOT be able to see the resource.
You can elevate your LDAP user to an admin (click on their user account in Portainer and mark them as an admin), or change the access control to “public” so all users can see the resources.
This is not a bug and it is actually the normal behavior of the Portainer application.
All of the resources created outside of Portainer will be restricted to administrator users only, this is also the default policy when creating a resource inside Portainer.
When using LDAP/OAuth authentication, newly created users will be assigned the regular user role on creation and thus will not be able to access any existing resources that are restricted to administrators.
As Neil stated, you'll need to assign the administrator role to each of these users.
We have an evolution request to allow a user to change the default ownership available in the app:
https://github.com/portainer/portainer/issues/685
And you can also expect a more robust approach from our next extension that is going to introduce advanced role based access control management.
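As an added example (not Portainer's own code, and not part of this thread), the following Python model encodes the ownership rule the two replies above describe: an administrator sees everything, a regular user (which is what LDAP/OAuth users get on creation) sees a resource only if it is public or explicitly granted to them or one of their teams, and the default ownership for anything created outside Portainer is "administrators". The `ResourceControl` and `User` classes, the sample resources and the helper names are all assumptions chosen for the illustration; they are not Portainer API objects.

```python
from dataclasses import dataclass, replace

# Constructed model of Portainer's access-control rule as described in the thread.
# Not Portainer's code: the class names, fields and sample data are assumptions.


@dataclass(frozen=True)
class User:
    name: str
    is_admin: bool = False            # LDAP/OAuth users start as regular users
    teams: frozenset = frozenset()    # team names the user belongs to


@dataclass(frozen=True)
class ResourceControl:
    """Ownership record for one stack, service, container, volume or network."""
    resource_id: str
    kind: str
    administrators_only: bool = True  # default for resources created outside Portainer
    public: bool = False
    users: frozenset = frozenset()    # users explicitly granted access
    teams: frozenset = frozenset()    # teams explicitly granted access


def can_access(user: User, rc: ResourceControl) -> bool:
    """Decide whether `user` can see the resource governed by `rc`."""
    if user.is_admin:
        return True                   # admins see every resource
    if rc.public:
        return True                   # "public" ownership is visible to all users
    if rc.administrators_only:
        return False                  # "administrators" ownership hides it from regular users
    # Otherwise the resource is restricted to listed users/teams.
    return user.name in rc.users or bool(user.teams & rc.teams)


def hidden_for(user: User, controls) -> dict:
    """Map each resource the user cannot see to the reason, for troubleshooting."""
    hidden = {}
    for rc in controls:
        if can_access(user, rc):
            continue
        if rc.administrators_only:
            hidden[rc.resource_id] = "ownership is 'administrators'"
        else:
            hidden[rc.resource_id] = "restricted to other users/teams"
    return hidden


# The two remedies Neil lists, plus a narrower one (grant a single user).
def promote_to_admin(user: User) -> User:
    return replace(user, is_admin=True)


def make_public(rc: ResourceControl) -> ResourceControl:
    return replace(rc, administrators_only=False, public=True)


def grant_user(rc: ResourceControl, name: str) -> ResourceControl:
    """Least-privilege alternative: share one resource with one user."""
    return replace(rc, administrators_only=False, public=False,
                   users=rc.users | {name})


# Constructed sample: one admin-owned stack, one public network, one team-restricted volume.
SAMPLE_CONTROLS = (
    ResourceControl("web", "stack"),                           # created with docker stack deploy
    ResourceControl("frontend-net", "network", administrators_only=False, public=True),
    ResourceControl("data-vol", "volume", administrators_only=False,
                    teams=frozenset({"ops"})),
)

if __name__ == "__main__":
    alice = User("alice")             # freshly imported LDAP user
    print(hidden_for(alice, SAMPLE_CONTROLS))
    print(hidden_for(promote_to_admin(alice), SAMPLE_CONTROLS))
```

Running `hidden_for` against the real ownership records is the check an administrator wants here: it shows that the user is not failing endpoint access but is hidden from each resource by its ownership setting, and `grant_user` shows how to fix that without handing the whole endpoint's administrator role to every LDAP user.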
Thanks guys! It was a little confusing to me at first, but this explains everything.