Possible for Nexus to map its roles to a SLAM group?

Feature Request

Nexus roles are set within a yaml file here https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/nexus/-/blob/main/chart/values.yaml#L38. A user can be added to a SLAM group in GCDS, which is put into a string in their "IV_Groups" from GCDS. We would like to be able to parse which SLAM group they are in (via the IV_Groups), and then assign them a role based on which SLAM group they are in.

For example, a new Nexus role of "nexus-readonly" could be created, and if a user has the "nexus-readonly" SLAM group, then they get assigned to this role.

Why

We have users that want to use the Nexus within BigBang (one that we stood up ourselves), and they want to be able to have various tiers of roles, and manage each other. We find it would be best if we used SLAM groups for this, in order for the groups to map to roles. We don't want to give them overly broad permissions within Nexus, where they can manage everyone, and using SLAM groups should help to minimize the amount of accesses they have.

Proposed Solution

To support the "slam_groups" as seen below. If the user is in the overall "CVAH" SLAM group, and then more specifically in the child group of "nexus-admin", then they will be automatically mapped to this nexus-admin role.

  role:
    id: "nexus"
    name: "nexus"
    description: "nexus group"
    privileges:
      - "nx-all"
    roles:
      - "nx-admin"
    slam_groups:
      - "CVAH.nexus-admin"

Alternatively, instead of the "slam_groups" being in there, is there some way to have some external process that maps a slam/iv to the "id" of a role?

edit: SLAM and SLAM groups can be read about here:

• https://confluence.di2e.net/display/AFCCE2/SLAM
• https://confluence.di2e.net/display/AFCCE2/SLAM+GROUPS

added teamXForce label

changed the description

FYI @BrandenCobb - we are going to start work on this feature ourselves, starting off with the below of making it so a role isn't hardcoded within Nexus by default.

After that, we are going to standup Keycloak within BigBang, and try to implement a Nexus / Keycloak connection where it will have the Nexus roles & Keycloak realm/groups linked (we hope this will get us most of the way there, while we wait for our GCDS connection to be complete - once that is complete we will be able to use SLAM groups).

After the above is done, we will need to modify the code to accept multiple roles - we have this as a ticket here (https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/nexus/-/issues/16) and if @grant.duncklee needs us to take over that work late next week or the week after, we can do that. We're very new to BigBang and Nexus, so don't mind us if we ask questions in the chat room next week :)

added BB Customer Issues label

added priority8 label

set weight to 1

Should be able to be closed once this MR is merged:

https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/1034

Will need to follow up with Michael Knoth.

mentioned in merge request !1034 (merged)

@michael.knoth the above linked MR included changes to be able to template in full YAML for roles in Nexus, can you test and let us know if you need additional templating to support this function?

@michael.knoth @ryan.j.garcia I have recently added changes to Nexus using multiple repositories using your additions. I was able to add multiple roles at the same time while adding repositories. No need for additional templating to support this function.

added stale label

Closing MR since templating support within the package is available.

closed

removed stale label