Allow st2web proxy auth mode to work in HA environments #6041
Merged
arm4b merged 3 commits into StackStorm:master from Oct 23, 2023
arm4b
reviewed
Oct 22, 2023
Member
arm4b
left a comment
Great stuff, thanks a lot @floatingstatic for the contribution!
Are there any Unit Tests that you could add to support this PR?
Contributor
Author
@armab good call. Added a unit test to cover this. Looks like there is already a test case that would cover lack of header and no remote user env var. Let me know if you think we need any other cases.
Contributor
Author
There's one test that failed unrelated to my change: https://github.com/StackStorm/st2/actions/runs/6604759729/job/17939241233?pr=6041 Perhaps something flaky with that particular test? It seems it passed everywhere else.
cognifloyd
approved these changes
Oct 23, 2023
If it's part of the 3.9.0 milestone, why do I see these changes in the 3.8 HA release?
Contributor
Thanks for pointing that out.
It appears that proxy auth mode only works with REMOTE_USER set as a CGI environment variable. This does not appear to work for those of us using the HA helm chart. I saw #5766 but it does not appear this has been fixed or addressed yet.

I had previously worked around this by modifying st2auth with a custom standalone auth module that always returns true without inspecting the username, but it seems it would be beneficial to the wider community to get this working with the built-in proxy mode in st2auth. My use case is to continue to use Google IAP (identity aware proxy) in GKE, which can forward remote user info to st2web (nginx) without having to roll a patched version of st2auth and st2web to support this.
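
The trade-off behind this change, as an added example that is not code from this PR or from StackStorm: REMOTE_USER is set by the local web server, while a header-based fallback (the "header" case mentioned in the review thread) is safe only when the request arrives from the fronting proxy. The header name, the trusted subnet and both function names are assumptions made for illustration.

```python
import ipaddress

# Assumptions for illustration only (none of these come from the PR):
# the header name and the proxy subnet are constructed placeholders.
USER_HEADER = "HTTP_X_FORWARDED_USER"  # WSGI key for an X-Forwarded-User header
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def peer_is_trusted(environ, trusted=TRUSTED_PROXIES):
    """True when the direct TCP peer is one of the fronting proxies."""
    try:
        peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return False
    return any(peer in net for net in trusted)


def resolve_remote_user(environ, trusted=TRUSTED_PROXIES):
    """Return the proxy-authenticated username, or None to reject."""
    # Same-host case: the web server sets REMOTE_USER in the CGI/WSGI
    # environment, which a client cannot influence.
    user = environ.get("REMOTE_USER")
    if user:
        return user
    # Split case (proxy and auth service in separate pods): identity can
    # only arrive as a request header, which any client can also send.
    # Accept it only from a trusted peer, and only if it is a single
    # printable value (no CR/LF, no comma-joined duplicates).
    header_user = environ.get(USER_HEADER, "").strip()
    if not header_user or not peer_is_trusted(environ, trusted):
        return None
    if not header_user.isprintable() or "," in header_user:
        return None
    return header_user


if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        {"REMOTE_USER": "alice"},
        {"REMOTE_ADDR": "10.0.0.7", USER_HEADER: "bob"},
        {"REMOTE_ADDR": "203.0.113.9", USER_HEADER: "bob"},
    ]
    for env in samples:
        print(env, "->", resolve_remote_user(env))
```

The peer check only helps if the proxy itself overwrites or strips any client-supplied copy of the header before forwarding the request.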