Custom Script-Sourced User Attributes

Using one or more custom scripts, you can source user attributes from bespoke systems, such as custom REST APIs or data stores. The script is invoked when user attributes are requested for a user (and are not present in the in-memory cache), with the username as an argument. The output from the script must be a JSON document in which the keys are the attribute names and the values are the attribute values.

Example Script

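#!/usr/bin/env python3
import json
import sys

# The username is passed to the script as its first argument.
USER = sys.argv[1]
attributes = {
    "attribute1": "%s-foo" % USER,
    "attribute2": "%s-bar" % USER,
}
# Write the attributes to standard output as a single JSON document.
print(json.dumps(attributes))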

This script returns two attributes for each user, attribute1 and attribute2, with values of <username>-foo and <username>-bar respectively.

Configuration

To configure a custom script, specify the following configuration property:

USER_ATTRIBUTES_SCRIPT: <path to script 1>,<path to script 2>,...

Note: If multiple scripts are specified, all scripts are executed and the results are merged, with the last listed script having the highest priority.
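Because a later script can silently replace an attribute set by an earlier one, it helps to check the listed order before deploying it. The following preflight checker is an added example, not Okera code: it runs each script for a test username, rejects output that is not a JSON object, and reports which script supplies each final value. It assumes the merge is per attribute name; the function names, the timeout and the strict rejection of malformed output are choices of this example, not documented Okera behavior.

```python
#!/usr/bin/env python3
"""Preflight check for USER_ATTRIBUTES_SCRIPT (added example, not Okera code)."""
import json
import subprocess
import sys


def run_script(path, username, timeout=10):
    """Run one attribute script with the username as its only argument.
    An argv list (no shell) keeps odd characters in the username inert."""
    proc = subprocess.run([path, username], capture_output=True, text=True,
                          timeout=timeout, check=True)
    return proc.stdout


def parse_attributes(raw):
    """Accept only a JSON object; anything else violates the documented format."""
    doc = json.loads(raw)
    if not isinstance(doc, dict):
        raise ValueError("script output must be a JSON object, got %s"
                         % type(doc).__name__)
    return doc


def merge_outputs(outputs):
    """Merge (script_path, raw_stdout) pairs in listed order, last script wins.
    Returns (merged, source, overrides): source maps each attribute to the
    script that supplied the final value; overrides lists every replacement."""
    merged, source, overrides = {}, {}, []
    for path, raw in outputs:
        for name, value in parse_attributes(raw).items():
            if name in merged and merged[name] != value:
                overrides.append((name, source[name], path))
            merged[name] = value
            source[name] = path
    return merged, source, overrides


if __name__ == "__main__":
    # Usage (hypothetical file name): preflight.py <username> <script1>,<script2>,...
    user, scripts = sys.argv[1], sys.argv[2].split(",")
    merged, source, overrides = merge_outputs(
        [(p, run_script(p, user)) for p in scripts])
    for name, old, new in overrides:
        print("override: %s from %s replaced by %s" % (name, old, new))
    print(json.dumps(merged, indent=2))
```

An unexpected override line for an attribute that access policies depend on means the script order in USER_ATTRIBUTES_SCRIPT needs review.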

If you use okctl, <path to script> can be a local file, an S3 path or an ADLS path. okctl properly injects the script contents into the pods as part of their configuration.

If you configure Okera manually (that is, you manually configure the odas-config ConfigMap), the paths must be paths inside the pod.

By default, Okera only runs scripts in its allowed script directory (default of /opt/scripts), and automatically makes the scripts specified in USER_ATTRIBUTES_SCRIPT available in this directory with the right permissions. You can change the allowed script directory by specifying a different value for the OKERA_SCRIPTS_DIR configuration setting.