
Adding external authentication httpd configuration files #210

Merged
merged 8 commits into from
Oct 10, 2017

Conversation

abellotti
Member

  • Introduced HTTPD_AUTH_CONFIGURATION to select which authentication configuration files to include
  • authentication.conf includes the configuration-* file based on HTTPD_AUTH_CONFIGURATION
  • Common configuration sections are shared by different types, minimizing duplication.
  • Introduced HTTPD_AUTH_KERBEROS_REALMS, needed for Kerberos authentication

@miq-bot miq-bot added the wip label Sep 1, 2017
@abellotti
Member Author

abellotti commented Sep 1, 2017

Need to test:

  • Form based login
  • Kerberos SSO
  • Ldap
  • Active Directory
  • API Authentication
  • SAML / Keycloak

Also need to:

  • Update README.md to talk about the auth-config entries, auth-configuration and auth-kerberos-realms
  • Duplicate to the ext-db yaml.

@miq-bot
Member

miq-bot commented Sep 25, 2017

This pull request is not mergeable. Please rebase and repush.

@abellotti
Member Author

Kerberos SSO support will require ManageIQ/container-httpd#24

@abellotti abellotti force-pushed the ext-auth-apache-config branch from 0cec376 to bce85c6 Compare September 25, 2017 20:11
@abellotti abellotti changed the title [WIP] Adding external authentication httpd configuration files Adding external authentication httpd configuration files Sep 25, 2017
@miq-bot miq-bot removed the wip label Sep 25, 2017
@abellotti
Member Author

No changes needed here for a while, I'm good with this.

ping @carbonin @bdunne can I borrow your 👀 for review/merge ? Thanks.

README.md Outdated
@@ -638,6 +653,8 @@ Excluding the content of the files, a SAML auth-config map data section may look
apiVersion: v1
data:
auth-type: saml
auth-configuration: saml
carbonin (Member) commented Oct 6, 2017

What is the distinction between auth-type and auth-configuration? In what situations will they not be the same value?

Maybe it would be worth making the example one of those cases to avoid confusion?

Member Author

👍 I've added an auth-type / auth-configuration specification matrix table.

Member

Thanks, the table is really helpful. It allows me to ask better questions 😉 haha

ProxyPreserveHost on
ProxyPass /ws/ ws://${NAME}/ws/
ProxyPassReverse /ws/ ws://${NAME}/ws/
ProxyPass / http://${NAME}/

# For httpd, some ErrorDocuments must by served by the front-end httpd
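Review bot: the hunk sets `ProxyPass / http://${NAME}/` but no matching `ProxyPassReverse /` is visible, only the `/ws/` pair has one; without it, Location and Set-Cookie headers returned by the backend httpd keep the internal `${NAME}` host, so redirects after login would point at the wrong host. Confirm the reverse directive follows, or add `ProxyPassReverse / http://${NAME}/` under `ProxyPass / http://${NAME}/`. Also, the `ws://` targets need mod_proxy_wstunnel loaded in this pod, which is worth stating in the file, and the comment has a typo: "must by served" should read "must be served".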
Member

I think front-end is overloaded here. I think "httpd pod" would be better to distinguish it from the miq-frontend pod

# For httpd, some ErrorDocuments must by served by the front-end httpd
RewriteCond %{REQUEST_URI} !^/proxy_pages

# For SAML /saml2 is only served by front-end httpd by mod_auth_mellon
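Review bot: the comment says `/saml2` is served only by this httpd and must not be proxied, but the only exclusion visible in the hunk is `RewriteCond %{REQUEST_URI} !^/proxy_pages`; no `RewriteCond %{REQUEST_URI} !^/saml2` appears before the RewriteRule. Confirm that condition is present in the following lines, otherwise the SAML endpoints mod_auth_mellon expects to handle locally (metadata, ACS, logout) would be forwarded to the backend httpd, which has no mellon configuration, and the assertion consumer step fails. Same typo as the previous hunk: "must by served".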
Member

Same as above, we should avoid using "front-end" to reference the auth httpd pod

- Introduced HTTPD_AUTH_CONFIGURATION to select which authentication configuration files to include
- authentication.conf includes the configuration-* file based on HTTPD_AUTH_CONFIGURATION
- Common configuration sections are shared by different types, minimizing duplication.
- Introduced HTTPD_AUTH_KERBEROS_REALMS, needed for Kerberos authentication
- With the :80 virtualhost, need to tell mod_auth_mellon that the IdP accesses us via https
- /saml2 is only served by the front-end httpd; do not redirect it to the back-end httpd.
- Added an auth-type/auth-configuration specification matrix.
@abellotti abellotti force-pushed the ext-auth-apache-config branch from ba1503c to b8aa658 Compare October 7, 2017 02:53
README.md Outdated
@@ -573,6 +573,22 @@ The config map includes the following:

`internal` is the default type, anything else is considered external. `auth-type` could include strings like: ipa, ldap, active_directory, saml or simply custom.

* The httpd configuration type `auth-configuration`, default is `internal`

This parameter drive which configuration files httpd will load upon start-up. Supported values are:
Member

Typo

"This parameter drive" -> "This parameter drives"

README.md Outdated
| active-directory | Active Directory domain realm join
| saml | SAML based authentication (Keycloak, etc.)

* The kerberos realms joined `auth-kerberos-realms`, default is `undefined`
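Review bot: the table key is spelled `active-directory` (hyphen) while the `auth-type` paragraph in the earlier hunk (`@@ -573,6 +573,22 @@`) lists `active_directory` (underscore). Since this value selects which httpd include files are loaded, a user copying the underscore form from one paragraph into the other would silently get the wrong (or no) configuration; pick one spelling and use it in both places. The table rows are also missing their closing `|`, which some Markdown renderers require.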
Member

"The kerberos realms joined" seems strangely worded to me. Maybe "The kerberos realm to join"?

Also if this is indeed plural, how do you specify multiple? Comma separated?

README.md Outdated
@@ -607,7 +623,19 @@ _Examples_:

Binary files can be specified in the configuration map in their base64 encoded format with a basename having a `.base64` extension. Such files are then converted back to binary as they are copied to their target path.

When an /etc/sssd/sssd.conf file is included in the configuration map, the httpd pod automatically enables the sssd service upon startup.
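Review bot: the text says `.base64` entries "are converted back to binary as they are copied", but nothing here states what happens when the payload is not valid base64 (a truncated keytab or IdP signing key written to the target path would leave the pod in a half-configured state). Document whether the copy fails the startup or skips the file, and, since these entries are typically keytabs and private keys, note the file mode they are written with; the sentence about sssd being enabled when `/etc/sssd/sssd.conf` is present should stay, as it is the only place that behaviour is documented.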
Member

Is this no longer true? Why remove this line? I feel like the table doesn't make this point clear.

README.md Outdated
| auth-type | auth-configuration | Note |
|-----------|--------------------|------|
| internal | internal | Database / ManageIQ Ldap(s) / Amazon |
| ldap | external | |
Member

What happens if someone configures a nonsense combination of these parameters (e.g. ldap + active-directory or saml + external)? It seems like the only one with multiple combinations is active-directory so can we assume the auth-configuration value for the others?

Or even better, can we make auth-configuration specific to active-directory? Maybe something like active-directory-config-set or do we intend to add more auth-configuration options for other auth-types in the future?

abellotti (Member Author) commented Oct 10, 2017

The auth-configuration directly drives what Apache configurations we support. They cannot specify anything else. As we add support for others in the future, i.e. openid, we'd be adding Apache config/include files to reflect the new auth-configuration. So the auth-configuration set is strict/concrete. The auth-type identifies the identity provider we're targeting; note how multiple types share the same auth-configuration Apache include files. As far as the values there, if we want/need to differentiate via the auth-config CLI a generated config map for Keycloak vs. let's say Active Directory Federated Services, we can have auth-type (saml | adfs | okta | etc.), but the auth-configuration must be saml.

Hopefully this helps a bit.

Member

Okay, that's fine. So we can't make auth-configuration more specific to AD (even though right now that is the only auth-type that could possibly have more than one valid auth-configuration). But my first question still stands. Are we doing anything to validate against nonsense combinations of auth-type + auth-configuration?

Member

After discussion, it seems like the values in the left column do not have any effect on the runtime of the application.

The values in the right column can be used for the same purpose as the auth-type is currently being used for (deciding whether to copy config files listed in auth-configuration.conf) as well as which specific httpd auth configuration files we should include in the authentication.conf file, so we can remove the values on the left side (but can keep using the existing auth-type name for the field).

- Brought back text about effect of including sssd.conf
the definition of the auth-config maps where we removed the need
for (and confusion) of the auth-configuration parameter.
Now simply driven by auth-type (internal, external, active-directory, saml)
and auth-kerberos-realms.
@abellotti
Member Author

@carbonin simplified and updated. Also updated the auth-config CLI and tested end-to-end for IPA. Still good. Thanks!!

@miq-bot
Member

miq-bot commented Oct 10, 2017

Checked commits abellotti/manageiq-pods@bb939d9~...26258c9 with ruby 2.3.3, rubocop 0.47.1, and haml-lint 0.20.0
0 files checked, 0 offenses detected
Everything looks fine. 🏆


When configuring external authentication against IPA, Active Directory or Ldap, this parameter defines the kerberos realm httpd is configured against, i.e. `example.com`

When specifying multiple Kerberos realms, they need to be space separated.
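Review bot: the example realm `example.com` is introduced with "i.e.", which reads as if that were the only value; "e.g." is meant. Kerberos realm names are also case-sensitive and by convention uppercase (`EXAMPLE.COM`), so unless the target realm really is lowercase the example should use the uppercase form to avoid GSSAPI failures that are hard to diagnose from the httpd side. Worth adding one concrete multi-realm example as well, since the text now says space separated: `EXAMPLE.COM CORP.EXAMPLE.COM`.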
Member

👍
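The README text reviewed above describes three pieces of httpd-pod startup behaviour: `.base64` map entries are decoded to binary on the way to their target path, the presence of `/etc/sssd/sssd.conf` turns on sssd, and `auth-kerberos-realms` is a space-separated list. The following POSIX shell script is an added example written for this page, not code from manageiq-pods or container-httpd. It assumes (these are assumptions, not documented on the page) that the auth-config map is available as a directory with one file per key, and that a manifest lists `<key> <absolute target path>` pairs, one per line. It also rejects any `auth-type` outside the four values the final commit message lists, which is the validation the reviewer asked about.

```shell
#!/bin/sh
# Added example, not manageiq-pods or container-httpd code.
# Assumed layout (not from the page): $map_dir holds the auth-config map as one
# file per key; $manifest lists "<key> <absolute target path>" per line.

# Reject any auth-type outside the set the final README lists
# (internal, external, active-directory, saml). Returns 1 on anything else.
valid_auth_type() {
  case "$1" in
    internal|external|active-directory|saml) return 0 ;;
    *) echo "unsupported auth-type: $1" >&2; return 1 ;;
  esac
}

# Copy each key named in the manifest to its target under root $3.
# A key whose name ends in ".base64" is decoded to binary on the way; the
# manifest gives the binary target path (e.g. http.keytab.base64 /etc/http.keytab).
install_auth_files() {
  map_dir="$1"; manifest="$2"; root="$3"
  while read -r key target; do
    [ -n "$key" ] && [ -n "$target" ] || continue
    [ -f "$map_dir/$key" ] || { echo "missing key: $key" >&2; return 1; }
    mkdir -p "$root$(dirname "$target")"
    case "$key" in
      *.base64)
        # Fail closed: a malformed payload must not leave a truncated keytab
        # or IdP key behind, so decode to a temp file and rename on success.
        if ! base64 -d "$map_dir/$key" > "$root$target.tmp" 2>/dev/null; then
          rm -f "$root$target.tmp"
          echo "invalid base64 in key: $key" >&2
          return 1
        fi
        mv "$root$target.tmp" "$root$target" ;;
      *) cp "$map_dir/$key" "$root$target" ;;
    esac
    chmod 0600 "$root$target"   # keytabs and signing keys are secrets
  done < "$manifest"
}

# Print "yes" when the installed tree carries /etc/sssd/sssd.conf, i.e. when
# the pod should start sssd, and "no" otherwise.
sssd_needed() {
  if [ -f "$1/etc/sssd/sssd.conf" ]; then echo yes; else echo no; fi
}

# Number of realms in a space separated auth-kerberos-realms value.
kerberos_realm_count() {
  set -- $1
  echo $#
}
```

Called as `install_auth_files /mnt/auth-config /mnt/auth-config/manifest /` it installs the listed files, and `sssd_needed /` afterwards tells the entrypoint whether to start sssd; the decode-to-temp-then-rename step is what keeps a bad `.base64` value from leaving a partial secret in place.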

@carbonin carbonin self-assigned this Oct 10, 2017
@carbonin carbonin merged commit f74c933 into ManageIQ:master Oct 10, 2017
@carbonin carbonin added this to the Sprint 71 Ending Oct 16, 2017 milestone Oct 10, 2017
@abellotti abellotti deleted the ext-auth-apache-config branch October 10, 2017 20:09
3 participants