Hello, If someone could guide me on this issues on Datahub. I don’t see the options to add/edit users/groups nor even policies. I have the OIDC enable authentications and also when logged in with root users I just see the following in the Settings. No options or cant add/update users and groups.

Login as datahub/datahub and grant the other users "platform privileges"

I have the default datahub/datahub username password changed for security reason and I am successfully logged in as well but I don’t see or find an options to change the privileges as shown in the image

So you're logged in as 'datahub' but do not see the privileges tab? Probably something went wrong and the default policies didn't get ingested into the system.

yes.

Cos the default policies only target 'datahub' user.

It might be possible to recover the system by injecting some temporary credentials into the frontend, adding your new admin user to the admin group (so that it has admin access) and then removing the file. The smoke tests do this by creating a file that gets mounted into the frontend by docker compose. This means that you might be able to set the contents of

/etc/datahub/plugins/frontend/auth/user.props

with

datahub:somepass

temporarily to gain access. If the change isn’t picked-up might have to adjust the k8 manifest to create that file before the frontend is started. I am not sure if the oidc configuration would prevent this from working at all though. Certainly during the tests there is no oidc configuration present.

I have one users mounted to frontend as well as

admin:somepass

• logged in successfully as well, as shown in image Problem: is I can’t do anything on the group section, it is non-clickable.

I know there are a couple different ways to configure oidc and one of them includes adding a group claim. The groups would be created as oidc users login (JIT). There is some advanced configuration which I am wondering how it is setup in your instance. Specifically, the docs here, I would expect something like this however the claim might be different depending on your oidc provider.

# User and groups provisioning
AUTH_OIDC_JIT_PROVISIONING_ENABLED=true
AUTH_OIDC_PRE_PROVISIONING_REQUIRED=false
AUTH_OIDC_EXTRACT_GROUPS_ENABLED=true
AUTH_OIDC_GROUPS_CLAIM=groups

Thanks for the reply, In our case our OIDC provider is Google. and we have the following settings

AUTH_OIDC_DISCOVERY_URI=
AUTH_OIDC_CLIENT_ID=
AUTH_OIDC_CLIENT_SECRET=
AUTH_OIDC_ENABLED=true
AUTH_OIDC_USER_NAME_CLAIM=email
AUTH_OIDC_SCOPE=openid profile email
AUTH_OIDC_USER_NAME_CLAIM_REGEX=([^@]+)
AUTH_OIDC_BASE_URL=

What I am wondering is why even the default users , don’t have any permissions. And can I add the JIT configuration as well along with the settings we have.

Let me see if I can find info on Google, I have only used Okta myself. In the Okta case it was configured to populate the groups claim. Assuming you do have that populated it should work to add the additional configuration above.

I’m not sure I would also recommend visiting the well known configuration URL and you should see if it’s there

I removed the custom

username:pass

and let it to have the default

datahub:datahub

admin users and then it worked.

@strong-belgium-32572 I would strongly recommend you add users using an invite link rather than via `user.props`https://datahubproject.io/docs/authentication/guides/add-users/#send-prospective-users-an-invite-link

We generally invite users to add users. but even if we don’t invite any users the main admin account will still be there. We were just trying to update the default users as it comes as

datahub:datahub

which is not good for security.

Got it! We’re actively looking into changing how the default users are ingested so that their passwords are not set via

user.props