-
Notifications
You must be signed in to change notification settings - Fork 100
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Adding external authentication httpd configuration files #210
Conversation
abellotti
commented
Sep 1, 2017
- Introduced HTTPD_AUTH_CONFIGURATION to select which authentication configuration files to include
- authentication.conf includes the configuration-* file based on HTTPD_AUTH_CONFIGURATION
- common configurations sections are shared by different types minimizing duplication.
- Introduced HTTPD_AUTH_KERBEROS_REALMS needed for kerberos authentication
Need to test:
Also need to:
|
This pull request is not mergeable. Please rebase and repush. |
Kerberos SSO support will require ManageIQ/container-httpd#24 |
0cec376
to
bce85c6
Compare
README.md
Outdated
@@ -638,6 +653,8 @@ Excluding the content of the files, a SAML auth-config map data section may look | |||
apiVersion: v1 | |||
data: | |||
auth-type: saml | |||
auth-configuration: saml |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What is the distinction between auth-type
and auth-configuration
? In what situations will they not be the same value?
Maybe it would be worth making the example one of those cases to avoid confusion?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍 I've added an auth-type / auth-configuration specification matrix table.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, the table is really helpful. It allows me to ask better questions 😉 haha
templates/miq-template-ext-db.yaml
Outdated
ProxyPreserveHost on | ||
ProxyPass /ws/ ws://${NAME}/ws/ | ||
ProxyPassReverse /ws/ ws://${NAME}/ws/ | ||
ProxyPass / http://${NAME}/ | ||
|
||
# For httpd, some ErrorDocuments must by served by the front-end httpd |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think front-end is overloaded here. I think "httpd pod" would be better to distinguish it from the miq-frontend pod
templates/miq-template-ext-db.yaml
Outdated
# For httpd, some ErrorDocuments must by served by the front-end httpd | ||
RewriteCond %{REQUEST_URI} !^/proxy_pages | ||
|
||
# For SAML /saml2 is only served by front-end httpd by mod_auth_mellon |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same as above, we should avoid using "front-end" to reference the auth httpd pod
- Introduced HTTPD_AUTH_CONFIGURATION to select which authentication configuration files to include - authentication.conf includes the configuration-* file based on HTTPD_AUTH_CONFIGURATION - common configurations sections are shared by different types minimizing duplication. - Introduced HTTPD_AUTH_KERBEROS_REALMS needed for kerberos authentication
- With :80 virtualhost, need to tell mod_auth_mellon that IdP access us via https - /saml2 is only server by front-end httpd, do not redirect to back-end httpd.
- Added an auth-type/auth-configuration specification matrix.
ba1503c
to
b8aa658
Compare
README.md
Outdated
@@ -573,6 +573,22 @@ The config map includes the following: | |||
|
|||
`internal` is the default type, anything else is considered external. `auth-type` could include strings like: ipa, ldap, active_directory, saml or simply custom. | |||
|
|||
* The httpd configuration type `auth-configuration`, default is `internal` | |||
|
|||
This parameter drive which configuration files httpd will load upon start-up. Supported values are: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Typo
"This parameter drive" -> "This parameter drives"
README.md
Outdated
| active-directory | Active Directory domain realm join | ||
| saml | SAML based authentication (Keycloak, etc.) | ||
|
||
* The kerberos realms joined `auth-kerberos-realms`, default is `undefined` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"The kerberos realms joined" seems strangely worded to me. Maybe "The kerberos realm to join"?
Also if this is indeed plural, how do you specify multiple? Comma separated?
README.md
Outdated
@@ -607,7 +623,19 @@ _Examples_: | |||
|
|||
Binary files can be specified in the configuration map in their base64 encoded format with a basename having a `.base64` extension. Such files are then converted back to binary as they are copied to their target path. | |||
|
|||
When an /etc/sssd/sssd.conf file is included in the configuration map, the httpd pod automatically enables the sssd service upon startup. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this no longer true? Why remove this line? I feel like the table doesn't make this point clear.
README.md
Outdated
| auth-type | auth-configuration | Note | | ||
|-----------|--------------------|------| | ||
| internal | internal | Database / ManageIQ Ldap(s) / Amazon | | ||
| ldap | external | | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What happens if someone configures a nonsense combination of these parameters (e.g. ldap + active-directory or saml + external)? It seems like the only one with multiple combinations is active-directory
so can we assume the auth-configuration
value for the others?
Or even better, can we make auth-configuration
specific to active-directory
? Maybe something like active-directory-config-set
or do we intend to add more auth-configuration
options for other auth-type
s in the future?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The auth-configuration is directly drives what Apache configurations we support. they cannot specify anything else. As we add support for others in the future, i.e. openid, we'd be adding Apache config/include files to reflect the new auth-configuration. So the auth-configuration set is strict/concrete. The auth-type identifies the identify provider we're targeting, note how multiple types share the same auth-configuration apache include files. As far as the values there, if we want/need to to differentiate via the auth-config CLI a generated config map for Keycloak vs. let's say Active Directory Federated Services, we can have auth-type (saml | adfs | okta | etc.), but the auth-configuration must be saml.
Hopefully this helps a bit.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Okay, that's fine. So we can't make auth-configuration more specific to AD (even though right now that is the only auth-type that could possibly have more than one valid auth-configuration). But my first question still stands. Are we doing anything to validate against nonsense combinations of auth-type + auth-configuration?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
After discussion, it seems like the values in the left column do not have any effect on the runtime of the application.
The values in the right column can be used for the same purpose as the auth-type is currently being used for (deciding whether to copy config files listed in auth-configuration.conf
) as well as which specific httpd auth configuration files we should include in the authentication.conf
file, so we can remove the values on the left side (but can keep using the existing auth-type name for the field).
README.md
Outdated
@@ -638,6 +653,8 @@ Excluding the content of the files, a SAML auth-config map data section may look | |||
apiVersion: v1 | |||
data: | |||
auth-type: saml | |||
auth-configuration: saml |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, the table is really helpful. It allows me to ask better questions 😉 haha
- Brought back text about effect of including sssd.conf
the definition of the auth-config maps where we removed the need for (and confusion) of the auth-configuration parameter. Now simply driven by auth-type (internal, external, active-direectory, saml) and auth-kerberos-realms.
@carbonin simplified and updated. also updated the auth-config CLI and tested end-to-end for IPA. still good. Thanks!! |
Checked commits abellotti/manageiq-pods@bb939d9~...26258c9 with ruby 2.3.3, rubocop 0.47.1, and haml-lint 0.20.0 |
|
||
When configuring external authentication against IPA, Active Directory or Ldap, this parameter defines the kerberos realm httpd is configured against, i.e. `example.com` | ||
|
||
When specifying multiple Kerberos realms, they need to be space separated. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍