Merge pull request #201 from abellotti/ext-auth-configmap
Enhancement to support the httpd authentication configuration map.
carbonin authored Aug 29, 2017
2 parents 5e8ca5a + 6465faa commit a781640
Showing 4 changed files with 158 additions and 0 deletions.
97 changes: 97 additions & 0 deletions README.md
Expand Up @@ -526,3 +526,100 @@ $ oc new-app --template=manageiq \
-p APPLICATION_IMG_TAG=latest \
...
```

## Configuring External Authentication
Configuring the httpd pod for external authentication is done by updating the `httpd-auth-configs` configuration map to include all necessary config files and certificates. Upon startup, the httpd pod overlays its files with the ones specified in the `auth-configuration.conf` file in the configuration map. This is done by the `initialize-httpd-auth` service that runs before httpd.

The config map includes the following:

* The authentication type `auth-type`, default is `internal`

`internal` is the default type, anything else is considered external. `auth-type` could include strings like: ipa, ldap, active_directory, saml or simply custom.

* The external authentication configuration file `auth-configuration.conf` which declares the list of files to overlay upon startup if `auth-type` is other than `internal`.

Syntax for the file is as follows:

```
# for comments
file = basename1 target_path1 permission1
file = basename2 target_path2 permission2
```



For the files to overlay on the httpd pod, one `file` directive is needed per file.

* the `basename` is the name of the source file in the configuration map.
* `target_path` is the path of the file on the pod to overwrite, i.e. `/etc/sssd/sssd.conf`
* `permission` is optional, by default files are copied using the pod's default umask, owner and group, so files are created as mode 644 owner root, group root.

optional `permission` can be specified as follows:

* mode
* mode:owner
* mode:owner:group

Reflecting the mode and ownership to set the copied files to.

_Examples_:

* 755
* 640:root
* 644:root:apache

Binary files can be specified in the configuration map in their base64 encoded format with a basename having a `.base64` extension. Such files are then converted back to binary as they are copied to their target path.

When an /etc/sssd/sssd.conf file is included in the configuration map, the httpd pod automatically enables the sssd service upon startup.

### Sample external authentication configuration:

Excluding the content of the files, a SAML auth-config map data section may look like:

```bash
apiVersion: v1
data:
auth-type: saml
auth-configuration.conf: |
#
# Configuration for SAML authentication
#
file = manageiq-remote-user.conf /etc/httpd/conf.d/manageiq-remote-user.conf 644
file = manageiq-external-auth-saml.conf /etc/httpd/conf.d/manageiq-external-auth-saml.conf 644
file = idp-metadata.xml /etc/httpd/saml2/idp-metadata.xml 644
file = miqsp-key.key /etc/httpd/saml2/miqsp-key.key 600:root:root
file = miqsp-cert.cert /etc/httpd/saml2/miqsp-cert.cert 644
file = miqsp-metadata.xml /etc/httpd/saml2/miqsp-metadata.xml 644
manageiq-remote-user.conf: |
RequestHeader unset X_REMOTE_USER
...
manageiq-external-auth-saml.conf: |
LoadModule auth_mellon_module modules/mod_auth_mellon.so
...
idp-metadata.xml: |
<EntitiesDescriptor ...
...
</EntitiesDescriptor>
miqsp-key.key: |
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
miqsp-cert.cert: |
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
miqsp-metadata.xml: |
<EntityDescriptor ...
...
</EntityDescriptor>
```

The authentication configuration map can be defined and customized in the httpd pod as follows:

```bash
$ oc edit configmaps httpd-auth-configs
```

Then redeploy the httpd pod for the new authentication configuration to take effect.


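Review bot: the sample config map carries the SAML service-provider private key (`miqsp-key.key`) as ConfigMap data, and ConfigMap contents are not treated as secret by the platform (anyone who can `oc get cm` or `oc edit` the map reads the key in clear), so this section should state that key material belongs in a Secret, or at minimum that access to `httpd-auth-configs` must be restricted and that such entries need an explicit permission like the sample's `600:root:root`, since the documented default is mode 644. Two smaller points in the same hunk: the sample data section is fenced as ```bash but is YAML, and `oc edit configmaps httpd-auth-configs` only matches the template when `HTTPD_SERVICE_NAME` is `httpd` (the templates name the map `${HTTPD_SERVICE_NAME}-auth-configs`).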
1 change: 1 addition & 0 deletions teardown
Expand Up @@ -15,3 +15,4 @@ oc delete serviceaccount miq-sysadmin

oc delete cm postgresql-configs
oc delete cm httpd-configs
oc delete cm httpd-auth-configs
30 changes: 30 additions & 0 deletions templates/miq-template-ext-db.yaml
Expand Up @@ -449,6 +449,16 @@ objects:
ProxyPass / http://${NAME}/
ProxyPassReverse / http://${NAME}/
</VirtualHost>
- apiVersion: v1
kind: ConfigMap
metadata:
name: "${HTTPD_SERVICE_NAME}-auth-configs"
data:
auth-type: internal
auth-configuration.conf: |
# External Authentication Configuration File
#
# For details on usage please see https://github.com/ManageIQ/manageiq-pods/blob/master/README.md#configuring-external-authentication
- apiVersion: v1
kind: Service
metadata:
Expand Down Expand Up @@ -489,6 +499,9 @@ objects:
- name: httpd-config
configMap:
name: "${HTTPD_SERVICE_NAME}-configs"
- name: httpd-auth-config
configMap:
name: "${HTTPD_SERVICE_NAME}-auth-configs"
containers:
- name: httpd
image: "${HTTPD_IMG_NAME}:${HTTPD_IMG_TAG}"
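Review bot: the `httpd-auth-config` volume mounts the entire config map with the default file mode (0644), so a private key added per the README sample is world-readable under `${HTTPD_AUTH_CONFIG_DIR}` inside the container no matter what permission the overlay step applies to the copied target; consider adding `defaultMode: 0440` under the `configMap:` volume source (owner/group of mounted ConfigMap files is root unless an fsGroup is set, which matches a root-run init step; adjust if the pod runs unprivileged).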
Expand All @@ -509,12 +522,25 @@ objects:
volumeMounts:
- name: httpd-config
mountPath: "${HTTPD_CONFIG_DIR}"
- name: httpd-auth-config
mountPath: "${HTTPD_AUTH_CONFIG_DIR}"
resources:
requests:
memory: "${HTTPD_MEM_REQ}"
cpu: "${HTTPD_CPU_REQ}"
limits:
memory: "${HTTPD_MEM_LIMIT}"
env:
- name: HTTPD_AUTH_TYPE
valueFrom:
configMapKeyRef:
name: "${HTTPD_SERVICE_NAME}-auth-configs"
key: auth-type
lifecycle:
postStart:
exec:
command:
- "/usr/bin/save-container-environment"
serviceAccount: miq-sysadmin
serviceAccountName: miq-sysadmin
parameters:
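Review bot: `HTTPD_AUTH_TYPE` is taken from `configMapKeyRef` without `optional: true`, so a config map that lacks the `auth-type` key (for example one created by hand before this change) blocks container creation; either mark it optional and have `initialize-httpd-auth` fall back to `internal`, or document the hard requirement. Two related points worth a comment in the template: env values are resolved when the container is created, which is why the README's "redeploy the httpd pod" step is mandatory after `oc edit`; and the `postStart` exec of `/usr/bin/save-container-environment` runs concurrently with the container entrypoint with no ordering guarantee, so if `initialize-httpd-auth` consumes that saved environment please confirm it does not race against the hook.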
Expand Down Expand Up @@ -722,6 +748,10 @@ parameters:
displayName: Apache httpd Configuration Directory
description: Directory used to store the Apache configuration files.
value: "/etc/httpd/conf.d"
- name: HTTPD_AUTH_CONFIG_DIR
displayName: External Authentication Configuration Directory
description: Directory used to store the external authentication configuration files.
value: "/etc/httpd/auth-conf.d"
- name: HTTPD_CPU_REQ
displayName: Apache httpd Min CPU Requested
required: true
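Review bot: the `HTTPD_AUTH_CONFIG_DIR` description should say the directory must stay outside `${HTTPD_CONFIG_DIR}` (default `/etc/httpd/conf.d`): the overlay sources in the map are `.conf` files, and httpd's stock `IncludeOptional conf.d/*.conf` would load them directly, bypassing the `auth-type` check, if an operator pointed this parameter at the Apache config directory. The default `/etc/httpd/auth-conf.d` is fine; the constraint is just undocumented.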
30 changes: 30 additions & 0 deletions templates/miq-template.yaml
Expand Up @@ -132,6 +132,16 @@ objects:
ProxyPass / http://${NAME}/
ProxyPassReverse / http://${NAME}/
</VirtualHost>
- apiVersion: v1
kind: ConfigMap
metadata:
name: "${HTTPD_SERVICE_NAME}-auth-configs"
data:
auth-type: internal
auth-configuration.conf: |
# External Authentication Configuration File
#
# For details on usage please see https://github.com/ManageIQ/manageiq-pods/blob/master/README.md#configuring-external-authentication
- apiVersion: v1
kind: Service
metadata:
Expand Down Expand Up @@ -636,6 +646,9 @@ objects:
- name: httpd-config
configMap:
name: "${HTTPD_SERVICE_NAME}-configs"
- name: httpd-auth-config
configMap:
name: "${HTTPD_SERVICE_NAME}-auth-configs"
containers:
- name: httpd
image: "${HTTPD_IMG_NAME}:${HTTPD_IMG_TAG}"
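Review bot: same concern as the identical volume definition in templates/miq-template-ext-db.yaml: the `httpd-auth-config` configMap volume uses the default 0644 file mode, so any key material placed in the map is world-readable at the mount path regardless of the permission applied to the copied target; set `defaultMode: 0440` (or similar) under `configMap:`.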
Expand All @@ -656,12 +669,25 @@ objects:
volumeMounts:
- name: httpd-config
mountPath: "${HTTPD_CONFIG_DIR}"
- name: httpd-auth-config
mountPath: "${HTTPD_AUTH_CONFIG_DIR}"
resources:
requests:
memory: "${HTTPD_MEM_REQ}"
cpu: "${HTTPD_CPU_REQ}"
limits:
memory: "${HTTPD_MEM_LIMIT}"
env:
- name: HTTPD_AUTH_TYPE
valueFrom:
configMapKeyRef:
name: "${HTTPD_SERVICE_NAME}-auth-configs"
key: auth-type
lifecycle:
postStart:
exec:
command:
- "/usr/bin/save-container-environment"
serviceAccount: miq-sysadmin
serviceAccountName: miq-sysadmin
parameters:
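Review bot: as in templates/miq-template-ext-db.yaml, `HTTPD_AUTH_TYPE` via `configMapKeyRef` without `optional: true` makes container creation fail when the `auth-type` key is absent, the env value is fixed at container creation (hence the mandatory redeploy), and the `postStart` `save-container-environment` hook has no ordering guarantee relative to the entrypoint; please mark the key optional or document the requirement, and confirm `initialize-httpd-auth` does not depend on the hook having run.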
Expand Down Expand Up @@ -899,6 +925,10 @@ parameters:
displayName: Apache Configuration Directory
description: Directory used to store the Apache configuration files.
value: "/etc/httpd/conf.d"
- name: HTTPD_AUTH_CONFIG_DIR
displayName: External Authentication Configuration Directory
description: Directory used to store the external authentication configuration files.
value: "/etc/httpd/auth-conf.d"
- name: HTTPD_CPU_REQ
displayName: Apache httpd Min CPU Requested
required: true
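Review bot: the `HTTPD_AUTH_CONFIG_DIR` description should note that the directory must not be placed under `${HTTPD_CONFIG_DIR}` (`/etc/httpd/conf.d`), since httpd would then include the overlay `.conf` sources directly regardless of `auth-type`; the default `/etc/httpd/auth-conf.d` already satisfies this.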