HP-2429 | feat: migrate old user from Tunnistamo to Keycloak #102

Merged
merged 2 commits into from
Jun 25, 2024

@charn charn commented Jun 19, 2024

Migration happens one user at a time upon login.

By default, the migration logic is configured to support migrating users from Tunnistamo AD authentication to Keycloak AD authentication.

Feature can be configured using the following settings.

  • HELUSERS_USER_MIGRATE_ENABLED enable the feature. Defaults to False.
  • HELUSERS_USER_MIGRATE_EMAIL_DOMAINS whitelisted email domains for migration. Defaults to ["hel.fi"].
  • HELUSERS_USER_MIGRATE_AMRS which authentication methods are used for migration. Defaults to ["helsinkiad"].

Migration logic is only run on certain conditions:

  • Correct authentication method is used (AMR-claim)
  • Email domain is correct
  • User with the new UUID doesn't exist yet
  • Old user is found by email
  • Old user has username generated by helusers.utils.uuid_to_username

Instead of allowing a new user to be created the migration is done by replacing the old user UUID with the one from the incoming token payload. Logic which is run later should take care of updating other user related fields.

Primary key is separate from the user UUID, so the user UUID can be changed. This migration should therefore retain all the data related to the user.

Migration logic only supports authentication methods from this package and Python Social Auth pipeline helusers.defaults.SOCIAL_AUTH_PIPELINE. This doesn't support migrating users which are using e.g. a different
pipeline for Python Social Auth (e.g. the default pipeline).

Refs: HP-2429
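
The eligibility conditions from the description above, as an added example that is not code from this pull request or from django-helusers. `User`, `SETTINGS`, `generated_username`, `find_migratable_user` and `migrate` are hypothetical names; reading the new UUID from the `sub` claim, accepting `amr` as either a string or a list, and refusing ambiguous e-mail matches are assumptions of the example.

```python
import base64
from dataclasses import dataclass
from uuid import UUID

# Setting names and values as quoted in the PR description.
SETTINGS = {
    "HELUSERS_USER_MIGRATE_ENABLED": True,  # the documented default is False
    "HELUSERS_USER_MIGRATE_EMAIL_DOMAINS": ["hel.fi"],
    "HELUSERS_USER_MIGRATE_AMRS": ["helsinkiad"],
}

@dataclass
class User:  # hypothetical stand-in for the Django user model
    pk: int
    uuid: UUID
    username: str
    email: str

def generated_username(u):
    # Stand-in for helusers.utils.uuid_to_username; the real encoding may differ.
    return "u-" + base64.b32encode(u.bytes).decode("ascii").rstrip("=").lower()

def find_migratable_user(users, payload, settings=SETTINGS):
    """Return the old user to migrate, or None if any condition fails."""
    if not settings["HELUSERS_USER_MIGRATE_ENABLED"]:
        return None
    amr = payload.get("amr") or []
    amrs = {amr} if isinstance(amr, str) else set(amr)  # assumed: str or list
    if not amrs & set(settings["HELUSERS_USER_MIGRATE_AMRS"]):
        return None
    email = (payload.get("email") or "").lower()
    domain = email.rpartition("@")[2]  # exact match; a suffix test would accept "nothel.fi"
    if domain not in settings["HELUSERS_USER_MIGRATE_EMAIL_DOMAINS"]:
        return None
    new_uuid = UUID(payload["sub"])  # assumed claim carrying the new UUID
    if any(u.uuid == new_uuid for u in users):
        return None  # a user with the new UUID already exists
    matches = [u for u in users if u.email.lower() == email]
    old = matches[0] if len(matches) == 1 else None  # refuse ambiguous matches
    if old is None or old.username != generated_username(old.uuid):
        return None  # not found, or username was not generated from the old UUID
    return old

def migrate(users, payload, settings=SETTINGS):
    old = find_migratable_user(users, payload, settings)
    if old is not None:
        old.uuid = UUID(payload["sub"])  # pk and related rows stay untouched
    return old
```
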

@charn charn requested a review from a team June 19, 2024 07:01
@charn charn force-pushed the HP-2429-ad-migrate branch 5 times, most recently from 72d30c1 to 61e9838 Compare June 19, 2024 12:24
@charn charn force-pushed the HP-2429-ad-migrate branch 4 times, most recently from 62abe22 to b59c550 Compare June 20, 2024 20:00
@charn charn changed the title HP-2429 | feat: migrate old AD user from Tunnistamo to Keycloak HP-2429 | feat: migrate old user from Tunnistamo to Keycloak Jun 24, 2024
@charn charn force-pushed the HP-2429-ad-migrate branch 2 times, most recently from 670d70b to 13adbc0 Compare June 24, 2024 19:36
@charn charn force-pushed the HP-2429-ad-migrate branch from 13adbc0 to cbd4771 Compare June 24, 2024 19:47
@charn charn requested review from tuomas777 and nicobav June 24, 2024 19:49

@nicobav nicobav left a comment


LGTM :shipit:

@charn charn merged commit 8823e85 into master Jun 25, 2024
10 checks passed
@charn charn deleted the HP-2429-ad-migrate branch June 25, 2024 07:33