Setup
- Rancher version: 2.9.x, 2.10-head
- Rancher UI Extensions: NA
- Browser type & version: NA
Describe the bug
When enabling an auth provider, the warning/notification text near the top of the page reads as follows.
The <auth provider> account that is used to enable the external provider will be granted admin permissions. If you use a test account or non-admin account, that account will still be granted admin-level permissions. See [External Authentication Configuration and Principal Users](https://ranchermanager.docs.rancher.com/v2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config#external-authentication-configuration-and-principal-users) to understand why.
That statement isn't quite right. More accurately, "The account that is ued to enable the external provider will be granted permissions equal to the currently logged in Rancher user." (feel free to word it as you see fit)
The current text is only correct if you are enabling the auth provider while logged-in as the default admin user. While that is possible, and in that case the auth provider user would be granted admin access, it is also possible to assign a standard user an extra global role of "configure authentication". If you are logged in as a standard + configure authentication user, then the auth provider user that is used to login will be bound to the standard + configure authentication Rancher user and will NOT have full admin right. It will only have standard + configure authentication.
To Reproduce
Attempt to set up an auth provider via the UI
Result
Incorrect text
Expected Result
Clear and correct text
Screenshots
Additional context
I plan to submit a doc change to provide more clarity there.
Setup
Describe the bug
When enabling an auth provider, the warning/notification text near the top of the page reads as follows.
The <auth provider> account that is used to enable the external provider will be granted admin permissions. If you use a test account or non-admin account, that account will still be granted admin-level permissions. See [External Authentication Configuration and Principal Users](https://ranchermanager.docs.rancher.com/v2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config#external-authentication-configuration-and-principal-users) to understand why.That statement isn't quite right. More accurately, "The account that is ued to enable the external provider will be granted permissions equal to the currently logged in Rancher user." (feel free to word it as you see fit)
The current text is only correct if you are enabling the auth provider while logged-in as the default admin user. While that is possible, and in that case the auth provider user would be granted admin access, it is also possible to assign a standard user an extra global role of "configure authentication". If you are logged in as a standard + configure authentication user, then the auth provider user that is used to login will be bound to the standard + configure authentication Rancher user and will NOT have full admin right. It will only have standard + configure authentication.
To Reproduce
Attempt to set up an auth provider via the UI
Result
Incorrect text
Expected Result
Clear and correct text
Screenshots
Additional context
I plan to submit a doc change to provide more clarity there.