adding support for SSO based on oauth2-proxy by rkachach · Pull Request #58460 · ceph/ceph

rkachach · 2024-07-08T14:45:27Z

This PR builds on top of the two previous ones: #57535 and #58402. It inroduces the new service oauth2-proxy (the open source project) which provides OIDC support out of the box. In combination with the mgmt-gateway this service provides a seamless SSO to access all the Ceph managment backend services (Ceph Dashboard and monitoring stack).

Changes included in this PR:

Introducing oauth2-proxy new service
Add support for Grafana seamless SSO login (based on oauth2)
Change how we get fqdn for hosts (use inventory information)
Refactoring of Grafana daemon configuration code

Following diagram depicts the new architecture:

Following are the steps to setup working environment in this case using dex idp for testing purpose

1) Run keycloak server using the following command

create a new realm and configure a user with 'admin' role following the steps from the docs

podman run --replace -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin -p 8080:8080 --name keycloak -v /opt/keycloak:/opt/keycloak/data/h2 quay.io/keycloak/keycloak:25.0.2 start-dev

Alternatively, users can use dex as idp with the following config file:

issuer: http://<ip-of-dex-node>:5556/dex

storage:
  type: sqlite3
  config:
    file: /var/dex/dex.db

web:
  http: 0.0.0.0:5556

expiry:
  deviceRequests: 5h
  signingKeys: 6h
  idTokens: 24h
  authRequests: 24h

logger:
  level: info
  format: text

oauth2:
  responseTypes: [code]
  skipApprovalScreen: false
  alwaysShowLoginScreen: false

enablePasswordDB: true

staticClients:
  - id: oauth2-proxy
    redirectURIs:
      - 'https://<ip-of-mgmt-gw-node>/oauth2/callback'
    name: 'oauth2-proxy'
    secret: proxy

connectors:
  - type: mockCallback
    id: mock
    name: Example

staticPasswords:
  - email: "admin@example.com"
    hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
    username: "admin"
    userID: "08a8684b-db88-4b73-90a9-3cd1661f5466"

run dex server:

podman run --rm -p 5556:5556 -p 5555:5555 -v /<path-to-your-config.yaml:/etc/dex/config.docker.yaml --name dex-container ghcr.io/dexidp/dex

2) Configure mgmt-gateway service

ceph orch apply mgmt-gateway --enable_auth=true

Wait for all the services to get reconfigured (it takes less than 1min)

3) Configure oauth2-proxy service

service_type: oauth2-proxy
placement:
  hosts:
    - ceph-node-1
spec:
  https_address: "0.0.0.0:4180"
  provider_display_name: "My OIDC Provider"
  client_id: "oauth2-proxy"
  client_secret: "proxy"
  oidc_issuer_url: "http://<your-ip>:5556/dex"

Following is an example of spec file for Keycloak client, in this case keycloak is running on the node with the ip 192.168.100.1:

service_type: oauth2-proxy
placement:
  hosts:
    - ceph-node-2
spec:
  https_address: "0.0.0.0:4180"
  provider_display_name: "My OIDC Provider"
  client_id: "oauth2-proxy"
  client_secret: "vwCLTITb2rtem583523uXcuSNItDsz1I"
  cookie_secret: "kbAEM9opAmuHskQvt0AW8oeJRaOM2BYy5Loba0kZ0SQ="
  oidc_issuer_url: "http://192.168.100.1:8080/realms/ceph"
  whitelist_domains:
    - 192.168.100.1:8080

Deploy the service:

ceph orch apply -i auth2-proxy.yaml

Wait for all the services to get reconfigured (it takes less than 1min)

4) Open a browser and visit https://<mgmt-gw-node-ip>

Contribution Guidelines

To sign and title your commits, please refer to Submitting Patches to Ceph.
If you are submitting a fix for a stable branch (e.g. "quincy"), please refer to Submitting Patches to Ceph - Backports for the proper workflow.
When filling out the below checklist, you may click boxes directly in the GitHub web UI. When entering or editing the entire PR message in the GitHub web UI editor, you may also select a checklist item by adding an x between the brackets: [x]. Spaces and capitalization matter when checking off items this way.

Checklist

Tracker (select at least one)
- References tracker ticket
- Very recent bug; references commit where it was introduced
- New feature (ticket optional)
- Doc update (no ticket needed)
- Code cleanup (no ticket needed)
Component impact
- Affects Dashboard, opened tracker ticket
- Affects Orchestrator, opened tracker ticket
- No impact that needs to be tracked
Documentation (select at least one)
- Updates relevant documentation
- No doc update is appropriate
Tests (select at least one)
- Includes unit test(s)
- Includes integration test(s)
- Includes bug reproducer
- No tests

Show available Jenkins commands

jenkins retest this please
jenkins test classic perf
jenkins test crimson perf
jenkins test signed
jenkins test make check
jenkins test make check arm64
jenkins test submodules
jenkins test dashboard
jenkins test dashboard cephadm
jenkins test api
jenkins test docs
jenkins render docs
jenkins test ceph-volume all
jenkins test ceph-volume tox
jenkins test windows
jenkins test rook e2e

github-actions · 2024-07-12T06:17:41Z

This pull request can no longer be automatically merged: a rebase is needed and changes have to be manually resolved

adk3798

LGTM, not really any complaints about the code, although I'm not really able to verify if the configs being built are correct. Is there some way we could come up with an integration test for this since it's such a large feature?

adk3798 · 2024-08-11T15:16:32Z

doc/cephadm/services/oauth2-proxy.rst

+Deploying oauth2-proxy
+======================
+
+In Ceph releases starting from Squid, the `oauth2-proxy` service introduces an advanced method


we should be a bit careful with this as it's not guaranteed this makes it into the initial squid release

@adk3798 I agree, what alternative do you propose in this case? something like 19.x?

I'd just leave it out and include an additional docs commit in the squid backport that says this and then in main we can say it's in 19.2.z once we actually know which z release it will be.

doc/cephadm/services/oauth2-proxy.rst

src/cephadm/cephadmlib/daemons/oauth2_proxy.py

src/python-common/ceph/deployment/service_spec.py

rkachach · 2024-08-12T09:54:53Z

jenkins test rook e2e

adk3798 · 2024-08-12T12:11:02Z

https://pulpito.ceph.com/adking-2024-08-10_01:02:35-orch:cephadm-wip-adk-testing-2024-08-09-1319-distro-default-smithi/

reruns: https://pulpito.ceph.com/adking-2024-08-11_18:59:43-orch:cephadm-wip-adk-testing-2024-08-09-1319-distro-default-smithi/

Failures:

tasks/nfs failure was actually caused by a PR in the run
4x mds_upgrade_sequence failure, known issue
staggered upgrade ceph versions vs. ceph orch ps mismatch, known issue
test_monitoring_stack test, broke when updating monitoring stack container images recently, known issue

Run seemed all good other than for the one PR causing the nfs failures

rkachach · 2024-08-12T23:16:07Z

jenkins retest this please

rkachach · 2024-08-14T08:02:23Z

jenkins retest this please

adding new oauth2-proxy service. The enable_auth flag enables SSO authentication via the oauth2-proxy service. The user must ensure the oauth2-proxy service is deployed before enabling this flag in the mgmt-gateway service. FQDN related changes: previously, we were obtaining the FQDN using a call to the Python socket library run inside the container. While this generally works, the FQDN returned inside a container can sometimes differ from the one obtained outside the container. This discrepancy could cause some issues. To ensure consistency, we now use the FQDN from the inventory, which provides the correct value as recognized on the host. Signed-off-by: Redouane Kachach <rkachach@ibm.com>

rkachach · 2024-08-14T14:00:05Z

jenkins test rook e2e

rkachach · 2024-08-14T14:37:36Z

jenkins test make check

rkachach · 2024-08-14T14:37:59Z

jenkins test dashboard

rkachach · 2024-08-14T17:14:21Z

jenkins test dashboard

rkachach · 2024-08-14T17:14:29Z

jenkins test rook e2e

rkachach · 2024-08-14T17:14:57Z

jenkins test dashboard cephadm

rkachach · 2024-08-14T19:31:28Z

jenkins test rook e2e

rkachach · 2024-08-14T19:31:34Z

jenkins test dashboard cephadm

rkachach · 2024-08-14T19:31:44Z

jenkins test dashboard

rkachach · 2024-08-15T06:08:22Z

jenkins test dashboard

rkachach · 2024-08-15T06:08:33Z

jenkins test rook e2e

afreen23 · 2024-08-20T06:32:20Z

Hello,

I tested this using keycloak as IdP, I tried adding "redirect_url" in config itself and it came up as expected.

Thanks

rkachach · 2024-08-20T08:22:05Z

Hello,

I tested this using keycloak as IdP, I tried adding "redirect_url" in config itself and it came up as expected.

Thanks

Thanks Afreen, latest code should add that field automatically 👍

rkachach · 2024-08-20T08:22:23Z

jenkins test rook e2e

rkachach · 2024-08-20T08:22:38Z

jenkins test dashboard

rkachach · 2024-08-20T08:22:46Z

jenkins test dashboard cephadm

rkachach · 2024-08-20T10:03:38Z

jenkins test dashboard

github-actions bot added cephadm dashboard documentation monitoring orchestrator pybind labels Jul 8, 2024

rkachach force-pushed the fix_issue_oauth2_support branch 8 times, most recently from 9bd4c7d to f496379 Compare July 10, 2024 15:04

github-actions bot added the needs-rebase label Jul 12, 2024

Pegonzal mentioned this pull request Jul 30, 2024

mgr/dashboard: add service management for mgmt-gateway #58618

Merged

14 tasks

rkachach force-pushed the fix_issue_oauth2_support branch from f496379 to 533daa9 Compare July 31, 2024 12:14

github-actions bot removed the needs-rebase label Jul 31, 2024

rkachach force-pushed the fix_issue_oauth2_support branch 11 times, most recently from 6787032 to 7c91ac6 Compare August 1, 2024 14:13

rkachach force-pushed the fix_issue_oauth2_support branch from 9b7970c to c324d6e Compare August 9, 2024 09:27

adk3798 added the wip-adk-testing label Aug 9, 2024

adk3798 approved these changes Aug 11, 2024

View reviewed changes

rkachach force-pushed the fix_issue_oauth2_support branch 2 times, most recently from d28cde3 to c237467 Compare August 12, 2024 15:54

rkachach force-pushed the fix_issue_oauth2_support branch 2 times, most recently from 0a607f1 to 5fcefa9 Compare August 13, 2024 11:18

rkachach mentioned this pull request Oct 9, 2024

Adding HA support for mgmt-gateway and oauth2-proxy services #59982

Merged

14 tasks

Conversation

rkachach commented Jul 8, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Contribution Guidelines

Checklist

Uh oh!

github-actions bot commented Jul 12, 2024

Uh oh!

adk3798 left a comment

Choose a reason for hiding this comment

Uh oh!

adk3798 Aug 11, 2024

Choose a reason for hiding this comment

Uh oh!

rkachach Aug 13, 2024

Choose a reason for hiding this comment

Uh oh!

adk3798 Aug 13, 2024

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

rkachach commented Aug 12, 2024

Uh oh!

adk3798 commented Aug 12, 2024

Uh oh!

rkachach commented Aug 12, 2024

Uh oh!

rkachach commented Aug 14, 2024

Uh oh!

rkachach commented Aug 14, 2024

Uh oh!

rkachach commented Aug 14, 2024

Uh oh!

rkachach commented Aug 14, 2024

Uh oh!

rkachach commented Aug 14, 2024

Uh oh!

rkachach commented Aug 14, 2024

Uh oh!

rkachach commented Aug 14, 2024

Uh oh!

rkachach commented Aug 14, 2024

Uh oh!

rkachach commented Aug 14, 2024

Uh oh!

rkachach commented Aug 14, 2024

Uh oh!

rkachach commented Aug 15, 2024

Uh oh!

rkachach commented Aug 15, 2024

Uh oh!

afreen23 commented Aug 20, 2024

Uh oh!

rkachach commented Aug 20, 2024

Uh oh!

rkachach commented Aug 20, 2024

Uh oh!

rkachach commented Aug 20, 2024

Uh oh!

rkachach commented Aug 20, 2024

Uh oh!

rkachach commented Aug 20, 2024

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

rkachach commented Jul 8, 2024 •

edited

Loading