[pve-devel] [PATCH SERIES openid/access-control/docs/manager] fix #4411: add support for openid groups
Thomas Skinner
thomas at atskinner.net
Thu Dec 12 06:50:48 CET 2024
> It seemed to work reliably once Keycloak was configured correctly. One
> thing that was confusing, even with `Overwrite Groups` no groups are set
> if they aren't already configured on the PVE cluster.

This is by design (and mentioned in the docs patch) to prevent an
arbitrary number of groups being created in the event there are other
groups in the claim that do not exist in PVE (e.g. imagine every group
for a large directory service is included in the claim but not all of
them apply to PVE). There could be an option added to auto-create
groups (maybe default disabled) to allow users to have this
capability, too.