Custom Script-Sourced User Attributes

Using one or more custom scripts, you can source user attributes from bespoke systems, such as custom REST APIs or data stores. The script is invoked when user attributes are requested for a user (and are not present in the in-memory cache), with the username as an argument. The output from the script must be a JSON document in which the keys are the attribute names and the values are the attribute values.

Note: As a preview feature, Okera supports the use of SailPoint to obtain user attributes. See Obtaining SailPoint User Attributes in Okera.

Example Script

#!/usr/bin/env python3
import json
import sys

# Okera passes the username as the first (and only) argument.
USER = sys.argv[1]
attributes = {
    "attribute1": "%s-foo" % USER,
    "attribute2": "%s-bar" % USER,
}
# The output must be a single JSON object: attribute name -> attribute value.
print(json.dumps(attributes))

This script returns two attributes for each user, attribute1 and attribute2, with values of <username>-foo and <username>-bar respectively.

Configuration Using Helm Charts

To configure a custom script, specify the following configuration property:

USER_ATTRIBUTES_SCRIPT: <path to script 1>,<path to script 2>,...

Note: If multiple scripts are specified, all scripts are executed and the results are merged, with the last listed script having the highest priority.
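The following is an added example, not code from Okera or from this page, that covers both the script contract described above and the merge rule in the note. It treats the username argument as untrusted input (a narrow allow-list pattern and a parameterized query, so the value can never change the lookup), always emits a JSON object (an empty one for unknown users, so Okera never sees malformed output), and includes a small helper that reproduces the documented last-listed-script-wins merge so you can predict what a multi-script USER_ATTRIBUTES_SCRIPT setting yields. The in-memory sqlite table, its column names and the sample rows are constructed for the example and stand in for whatever bespoke data store you actually query.

```python
#!/usr/bin/env python3
"""Added example (not Okera's own code): a user-attribute script backed by a
local data store, plus a helper emulating the documented merge order.

Assumptions: an in-memory sqlite database stands in for the bespoke store;
the table, column names and sample rows are constructed for this example."""
import json
import re
import sqlite3
import sys

# The username Okera passes as argv[1] is input to this script; keep the
# accepted form narrow so it cannot carry anything unexpected downstream.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._@-]{1,128}$")

SAMPLE_ROWS = [  # constructed sample data
    ("alice", "department", "finance"),
    ("alice", "region", "emea"),
    ("bob", "department", "engineering"),
]


def open_store():
    """Build the stand-in data store (an in-memory sqlite database)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_attrs (username TEXT, name TEXT, value TEXT)")
    conn.executemany("INSERT INTO user_attrs VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_attributes(conn, username):
    """Return {attribute name: value} for one user.

    Unknown or malformed usernames yield {} (still valid JSON). The query is
    parameterized; the username is never concatenated into SQL."""
    if not USERNAME_RE.match(username):
        return {}
    rows = conn.execute(
        "SELECT name, value FROM user_attrs WHERE username = ?", (username,)
    ).fetchall()
    return {name: value for name, value in rows}


def parse_script_output(text):
    """Validate one script's stdout: it must be a JSON object."""
    doc = json.loads(text)
    if not isinstance(doc, dict):
        raise ValueError("attribute script must emit a JSON object")
    return doc


def merge_attribute_documents(outputs):
    """Emulate the documented merge for several scripts, given their stdout
    in USER_ATTRIBUTES_SCRIPT order: all outputs are combined and, for a
    key present in more than one, the last listed script wins."""
    merged = {}
    for text in outputs:
        merged.update(parse_script_output(text))
    return merged


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: user_attrs.py <username>")
    print(json.dumps(lookup_attributes(open_store(), sys.argv[1])))
```

Run as `./user_attrs.py alice` to see the JSON document Okera would receive. Returning `{}` rather than exiting non-zero for an unknown user is a deliberate choice: the script's output is always parseable, and a user with no attributes simply contributes nothing to the merged result.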

If you use the Okera Helm chart to configure the script, <path to script> must be a local file in the files directory of the Helm chart.

Add the USER_ATTRIBUTES_SCRIPT configuration parameter to the common.configs section of the Okera configuration file. For example:

common:
  ...
  configs:
    ...
    USER_ATTRIBUTES_SCRIPT: /etc/secrets/USER_ATTRIBUTE_SCRIPT_1,/etc/secrets/USER_ATTRIBUTE_SCRIPT_2

Then, in the common.secret_files section of the configuration file, specify the path to the user attribute scripts.

common:
  ...
  secret_files:
    USER_ATTRIBUTE_SCRIPT_1: files/user_attr_script_1.sh
    USER_ATTRIBUTE_SCRIPT_2: files/user_attr_script_2.sh

The Okera Helm chart properly injects the script contents into the pods as part of their configuration.

If you configure Okera manually (that is, you edit the odas-config ConfigMap yourself), the paths must be paths inside the pod.

By default, Okera only runs scripts in its allowed script directory (/opt/scripts by default), and automatically makes the scripts specified in USER_ATTRIBUTES_SCRIPT available in this directory with the correct permissions. You can change the allowed script directory by specifying a different value for the OKERA_SCRIPTS_DIR configuration setting.