Allow ACL Token to be provided by a Reverse Proxy #10561

Closed
legege opened this issue May 10, 2021 · 8 comments
Labels: stage/accepted (Confirmed, and intend to work on. No timeline commitment though.), theme/auth, theme/ui, type/enhancement

Comments

legege (Contributor) commented May 10, 2021

Proposal

It would be useful to allow a Reverse Proxy to set the Nomad ACL Token via the header X-Nomad-Token.

Use-cases

Allowing a Reverse Proxy to inject this ACL Token can help to implement some login flow with 3rd party SSO. Consul does support that today.

The idea is also mentioned in this comment (issue #6054).

Attempted Solutions

  • With the current version (1.0 or 1.1 beta), when you configure the Reverse Proxy to inject this header, most of the UI features work: jobs listing, servers/clients listing, etc. But some features are not working properly (e.g. the "Run job" button is greyed out).
  • With the new One-Time Token feature introduced in 1.1, it would probably be easy to implement such a feature, as there is already a UI flow to get a token and start using it in the UI. We simply need the UI to be aware that a token is provided.

References

tgross (Member) commented May 17, 2021

Thanks for opening this issue @legege! I've assigned this to @backspace so that once we review that PR we can determine whether that really closes out the issue described here.

legege (Contributor, Author) commented Jun 4, 2021

@tgross Anything I can do to help the discussion here for PR #10563?

tgross (Member) commented Jun 4, 2021

Sorry @legege, we're in the middle of onboarding some folks onto the UI side of the team and that's creating a bit of delay there. I've changed the reviewer and pulled in one of our product security folks for review as well.

tfeyereisen-exactsciences commented

We use enterprise versions of Nomad, Vault, Consul and Terraform. Currently Nomad is the only product that doesn't support SSO. Our current Nomad authentication method is based on AWS credentials and reading from the Nomad secrets engine in Vault to obtain a short-lived token. We have 100s of developers that we'd like to onboard to Nomad across some 15+ Nomad namespaces. In the end, we gain very little adoption from engineering teams because it's simply too inconvenient to navigate the authentication workflow. We want our developers in Nomad, but we have to make it easy. This also goes for our operations teams. They should be comfortable getting into Nomad to potentially do first-pass troubleshooting, restarting failed jobs, etc. It's hard to fathom integrating a product into an enterprise these days without SSO. We view Nomad as an enterprise product and need SSO to successfully integrate.

lgfa29 added a commit that referenced this issue Jul 13, 2021
* Proposed fix for #10561

Signed-off-by: Georges-Etienne Legendre <[email protected]>

* Add acceptance tests for reverse proxy use-case

Signed-off-by: Georges-Etienne Legendre <[email protected]>

* Use reads instead of computed/get

Signed-off-by: Georges-Etienne Legendre <[email protected]>

* Move back the line closer to the task

Signed-off-by: Georges-Etienne Legendre <[email protected]>

* skip a11y-audit-called lint rule on reverse proxy tests

Co-authored-by: Luiz Aoqui <[email protected]>
josegonzalez (Contributor) commented

Looks like #10563 potentially fixes this issue (though native integration with Okta would be great).

lgfa29 (Contributor) commented Aug 3, 2021

You are right @josegonzalez, this particular issue was fixed in #10563, so I am going to close this as fixed 🙂

@tfeyereisen-exactsciences SSO support is part of a larger discussion, so I created #10999 for us to track it. Feel free to 👍 and add any additional comments you may have.

@lgfa29 lgfa29 closed this as completed Aug 3, 2021
@lgfa29 lgfa29 added stage/accepted (Confirmed, and intend to work on. No timeline commitment though.) and removed stage/needs-discussion labels Aug 3, 2021
josegonzalez (Contributor) commented

@legege do you happen to have an nginx conf or some similar thing that implements the auth reverse proxy flow for reference?
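An added example of the reverse-proxy flow this thread describes, written for this page rather than taken from the issue, PR #10563 or Nomad itself: a small Go reverse proxy (net/http/httputil) that injects X-Nomad-Token from its own session lookup and discards any copy of the header the browser sent, so the token a request carries upstream can only come from the proxy. The session map, the cookie name proxy_session and the token value are constructed placeholders.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
)

// Constructed sample: SSO session cookie value -> placeholder Nomad ACL token.
var sessionTokens = map[string]string{
	"sess-alice-0001": "00000000-0000-0000-0000-000000000001",
}

// setNomadToken rewrites X-Nomad-Token on the outbound request. The client's
// own copy of the header is always dropped, so only the proxy's session lookup
// can supply a token; requests without a valid session go upstream anonymously
// and Nomad's ACL system decides what they may see.
func setNomadToken(r *http.Request) {
	r.Header.Del("X-Nomad-Token")
	c, err := r.Cookie("proxy_session") // hypothetical session cookie name
	if err != nil {
		return
	}
	if tok, ok := sessionTokens[c.Value]; ok {
		r.Header.Set("X-Nomad-Token", tok)
	}
}

// newNomadProxy fronts the Nomad API, applying setNomadToken after the default URL rewrite.
func newNomadProxy(nomadAddr string) (*httputil.ReverseProxy, error) {
	target, err := url.Parse(nomadAddr)
	if err != nil {
		return nil, err
	}
	p := httputil.NewSingleHostReverseProxy(target)
	base := p.Director
	p.Director = func(r *http.Request) {
		base(r)
		setNomadToken(r)
	}
	return p, nil
}

func main() {
	p, err := newNomadProxy("http://127.0.0.1:4646") // Nomad's default API port
	if err != nil {
		log.Fatal(err)
	}
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", p))
}
```

The proxy is a trust boundary only if clients cannot reach the Nomad API except through it; the session map stands in for whatever store the SSO login flow writes.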

github-actions bot commented

I'm going to lock this issue because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 16, 2022