User filtering is an important aspect of integrating Custos with external systems. Consumers might have various user filtering scenarios based on the business logic of their application. In this section, we discuss such use cases and provide the mechanisms to enforce them using the user authorization schemes of Custos.

  1. Manual User Whitelisting

Consumers might need to have users logging into their systems through Custos but restrict these users' access to critical services or resources until those users are manually approved. There might be different permission scopes that are distinct or hierarchical. We can easily implement this using the group-based authorization mechanism in Custos. First, the consumer/tenant admin needs to create a group or set of groups in Custos that maps to the permission scopes they want. These groups can be created either as distinct entities or as hierarchical entities that derive permissions from the parent groups. When it comes to enforcing this, once the user is authenticated, the application can talk to Custos to verify


Custos provides different layers of user filtering for authentication and authorization.

User filtering in authentication

  • Institutional filtering

    Custos provides the flexibility of configuring OIDC-based identity federation services. By default, CILogon is integrated with Custos and supports all institutions provided by the InCommon federation. Any users from those institutions should be able to authenticate. In addition, Custos provides an institutional whitelisting API where clients can store a selected set of institutions, with relevant metadata such as entityId, so that only those selected institutions are loaded.


User filtering in authorization

  • Custos supports the following authorization schemes.

    • Role-based authorization

      Users can be assigned different roles, and the roles need to be pre-configured in the Custos tenant (e.g. gateway-admin, gateway-user).

    • Attribute-based authorization

      Users can be assigned different attributes (e.g. email, phone).

    • Group-based authorization

      Custos supports

        a. Flat group creation, assigning members to groups, assigning group admins

        b. Hierarchical group creation, assigning child groups, assigning members to groups, assigning group admins

      In addition, attributes and roles can be assigned to groups, and they will be automatically inherited by member groups and users.


All of the aforementioned authorization schemes can be used to filter out users. Group-based authorization is the most popular and fine-grained authorization. The configuration shows how group-based authorization is configured to allow JupyterHub users to access notebook servers.
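The manual whitelisting use case and the group inheritance rule described above can be modeled locally as follows. This is an added example, not Custos SDK code or the configuration referred to on this page; the `Group` class, the helper functions and the group names are hypothetical, and only the role names come from the page.

```python
# Added example: a local model of the rules above, NOT the Custos SDK or API.
# Group names and the helpers (Group, effective_roles, authorize) are hypothetical.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Group:
    name: str
    parent: Optional["Group"] = None          # child groups derive roles from parents
    roles: set = field(default_factory=set)
    members: set = field(default_factory=set)


def effective_roles(user: str, groups: list) -> set:
    """Roles of every group the user belongs to, plus those of all ancestor groups."""
    roles = set()
    for group in groups:
        if user not in group.members:
            continue
        node, seen = group, set()
        while node is not None and node.name not in seen:   # stop on a cyclic hierarchy
            seen.add(node.name)
            roles |= node.roles
            node = node.parent
    return roles


def authorize(user: str, authenticated: bool, required_role: str, groups: list) -> bool:
    """Default deny: a successful login grants nothing until a group grants the role."""
    return authenticated and required_role in effective_roles(user, groups)


def build_tenant() -> list:
    """Constructed sample tenant using the role names given as examples on this page."""
    users = Group("approved-users", roles={"gateway-user"})
    admins = Group("approved-admins", parent=users, roles={"gateway-admin"})
    admins.members.add("bob")
    return [users, admins]


if __name__ == "__main__":
    tenant = build_tenant()
    print(authorize("alice", True, "gateway-user", tenant))    # logged in, not yet approved
    tenant[0].members.add("alice")                              # tenant admin approves alice
    print(authorize("alice", True, "gateway-user", tenant))
    print(authorize("alice", True, "gateway-admin", tenant))
    print(authorize("bob", True, "gateway-user", tenant))      # inherited from parent group
```

The check is made after authentication and denies by default, so a user who can log in through the identity federation still has no access until a tenant admin adds them to a group.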





