Custom Script-Sourced User Attributes
Using one or more custom scripts, you can source user attributes from bespoke systems, such as custom REST APIs or data stores. The script is invoked when user attributes are requested for a user (and are not present in the in-memory cache), with the username as an argument. The output from the script must be a JSON document in which the keys are the attribute names and the values are the attribute values.
Note: As a preview feature, Okera supports the use of Sailpoint to obtain user attributes. See Obtaining SailPoint User Attributes in Okera.
Example Script
#!/usr/bin/env python3
import json
import sys
USER=sys.argv[1]
attributes = {
"attribute1": "%s-foo" % USER,
"attribute2": "%s-bar" % USER,
}
print(json.dumps(attributes))
This script returns two attributes for each user, attribute1 and attribute2, with values of <username>-foo and <username>-bar respectively.
Configuration Using Helm Charts
To configure a custom script, specify the following configuration property:
USER_ATTRIBUTES_SCRIPT: <path to script 1>,<path to script 2>,...
Note: If multiple scripts are specified, all scripts are executed and the results are merged, with the last listed script having the highest priority.
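The following is an added example, not a script from the Okera documentation, showing the contract described above (username as the single argument, one JSON document on stdout) and the documented merge rule for multiple scripts. The data store is a constructed in-memory directory standing in for a bespoke REST API or database; the choice to emit an empty document for an unknown user and the username character set are assumptions.

```python
#!/usr/bin/env python3
"""User attribute script: invoked as `<script> <username>`; prints one JSON
document whose keys are attribute names and values are attribute values."""
import json
import re
import sys

# Constructed stand-in for a bespoke data store (e.g. a REST API or database).
# A real script would query that system here, with a timeout.
DIRECTORY = {
    "alice": {"department": "finance", "region": "eu", "clearance": "high"},
    "bob": {"department": "engineering", "region": "us"},
}

# The username arrives as an untrusted command-line argument; restrict it to a
# conservative character set (assumed here) before using it in any query or URL.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._@-]{1,128}$")

def lookup_attributes(username):
    """Return the attribute dict for a user, or {} when the user is unknown
    (emitting an empty document instead of failing is an assumption)."""
    if not USERNAME_RE.match(username):
        raise ValueError("invalid username: %r" % username)
    # Values are stringified so the emitted JSON is flat and predictable.
    return {k: str(v) for k, v in DIRECTORY.get(username, {}).items()}

def merge_script_results(results):
    """Merge the outputs of several scripts as documented: all results are
    combined and, on a key conflict, the last listed script wins."""
    merged = {}
    for doc in results:
        merged.update(doc)
    return merged

def main(argv):
    if len(argv) != 2:
        sys.stderr.write("usage: %s <username>\n" % argv[0])
        return 2
    try:
        print(json.dumps(lookup_attributes(argv[1])))
    except ValueError as exc:
        sys.stderr.write(str(exc) + "\n")
        return 1
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```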
If you use the Okera Helm chart to configure the script, <path to script> must be a local file in the files directory of the Helm chart.
Add the USER_ATTRIBUTES_SCRIPT configuration parameter to the common.configs section of the Okera configuration file. For example:
common:
  ...
  configs:
    ...
    USER_ATTRIBUTES_SCRIPT: /etc/secrets/USER_ATTRIBUTE_SCRIPT_1,/etc/secrets/USER_ATTRIBUTE_SCRIPT_2
Then, in the common.secret_files section of the configuration file, specify the path to the user attribute scripts:
  secret_files:
    USER_ATTRIBUTE_SCRIPT_1: files/user_attr_script_1.sh
    USER_ATTRIBUTE_SCRIPT_2: files/user_attr_script_2.sh
The Okera Helm chart properly injects the script contents into the pods as part of their configuration.
If you configure Okera manually (that is, you manually configure the odas-config ConfigMap), then the paths must be paths inside the pod.
By default, Okera only runs scripts in its allowed script directory (default of /opt/scripts), and automatically makes the scripts specified in USER_ATTRIBUTES_SCRIPT available in this directory with the correct permissions.
You can change the default allowed script directory by specifying a different value for the OKERA_SCRIPTS_DIR configuration setting.