Merge pull request #2536 from lsst-sqre/tickets/DM-23878

DM-23878: Use Keycloak on base-lsp.lsst.codes
lsst-sqre · Nov 28, 2023 · dfd85dc · dfd85dc
2 parents 4e1b0e4 + fddef43
commit dfd85dc
Show file tree

Hide file tree

Showing 5 changed files with 39 additions and 78 deletions.
diff --git a/applications/gafaelfawr/README.md b/applications/gafaelfawr/README.md
@@ -49,6 +49,7 @@ Authentication and identity system
 | config.ldap.groupBaseDn | string | None, must be set | Base DN for the LDAP search to find a user's groups |
 | config.ldap.groupMemberAttr | string | `"member"` | Member attribute of the object class. Values must match the username returned in the token from the OpenID Connect authentication server. |
 | config.ldap.groupObjectClass | string | `"posixGroup"` | Object class containing group information |
+| config.ldap.groupSearchByDn | bool | `false` | Whether to search for group membership by user DN rather than bare usernames. Most LDAP servers use full DNs for group membership, so normally this should be set to true, but it requires `userBaseDn` also be set. |
 | config.ldap.kerberosConfig | string | Use anonymous binds | Enable GSSAPI (Kerberos) binds to LDAP using this `krb5.conf` file. If set, `ldap-keytab` must be set in the Gafaelfawr Vault secret. Set either this or `userDn`, not both. |
 | config.ldap.nameAttr | string | `"displayName"` | Attribute containing the user's full name |
 | config.ldap.uidAttr | string | Get UID from upstream authentication provider | Attribute containing the user's UID number (set to `uidNumber` for most LDAP servers) |

diff --git a/applications/gafaelfawr/templates/configmap.yaml b/applications/gafaelfawr/templates/configmap.yaml
@@ -129,6 +129,7 @@
       {{- end }}
       groupObjectClass: {{ .Values.config.ldap.groupObjectClass | quote }}
       groupMemberAttr: {{ .Values.config.ldap.groupMemberAttr | quote }}
+      groupSearchByDn: {{ .Values.config.ldap.groupSearchByDn }}
       {{- if .Values.config.ldap.userBaseDn }}
       userBaseDn: {{ .Values.config.ldap.userBaseDn | quote }}
       userSearchAttr: {{ .Values.config.ldap.userSearchAttr | quote }}

diff --git a/applications/gafaelfawr/values-base.yaml b/applications/gafaelfawr/values-base.yaml
@@ -3,11 +3,28 @@ redis:
     storageClass: "rook-ceph-block"
 
 config:
+  logLevel: "DEBUG"
   slackAlerts: true
   databaseUrl: "postgresql://[email protected]/gafaelfawr"
 
-  github:
-    clientId: "ec88b9b897f302b620d1"
+  oidc:
+    clientId: "rsp-bts"
+    audience: "rsp-bts"
+    loginUrl: "https://keycloak.ls.lsst.org/realms/master/protocol/openid-connect/auth"
+    tokenUrl: "https://keycloak.ls.lsst.org/realms/master/protocol/openid-connect/token"
+    issuer: "https://keycloak.ls.lsst.org/realms/master"
+    scopes:
+      - "openid"
+    usernameClaim: "preferred_username"
+
+  ldap:
+    url: "ldap://ipa1.ls.lsst.org"
+    userDn: "uid=svc_rsp,cn=users,cn=accounts,dc=lsst,dc=cloud"
+    userBaseDn: "cn=users,cn=accounts,dc=lsst,dc=cloud"
+    uidAttr: "uidNumber"
+    gidAttr: "gidNumber"
+    groupBaseDn: "cn=groups,cn=accounts,dc=lsst,dc=cloud"
+    groupSearchByDn: true
 
   # Support OpenID Connect clients like Chronograf.
   oidcServer:
@@ -16,85 +33,21 @@ config:
   # Allow access by GitHub team.
   groupMapping:
     "admin:provision":
-      - github:
-          organization: "lsst-sqre"
-          team: "square"
+      - "sqre"
     "exec:admin":
-      - github:
-          organization: "lsst-sqre"
-          team: "square"
-      - github:
-          organization: "lsst-ts"
-          team: "integration-testing-team"
+      - "sqre"
     "exec:internal-tools":
-      - github:
-          organization: "lsst-sqre"
-          team: "square"
-      - github:
-          organization: "lsst-sqre"
-          team: "friends"
-      - github:
-          organization: "lsst-ts"
-          team: "base-access"
-      - github:
-          organization: "rubin-summit"
-          team: "rsp-access"
+      - "rsp-bts"
     "exec:notebook":
-      - github:
-          organization: "lsst-sqre"
-          team: "square"
-      - github:
-          organization: "lsst-sqre"
-          team: "friends"
-      - github:
-          organization: "lsst-ts"
-          team: "base-access"
-      - github:
-          organization: "rubin-summit"
-          team: "rsp-access"
+      - "rsp-bts"
     "exec:portal":
-      - github:
-          organization: "lsst-sqre"
-          team: "square"
-      - github:
-          organization: "lsst-sqre"
-          team: "friends"
-      - github:
-          organization: "lsst-ts"
-          team: "base-access"
-      - github:
-          organization: "rubin-summit"
-          team: "rsp-access"
+      - "rsp-bts"
     "read:image":
-      - github:
-          organization: "lsst-sqre"
-          team: "square"
-      - github:
-          organization: "lsst-sqre"
-          team: "friends"
-      - github:
-          organization: "lsst-ts"
-          team: "base-access"
-      - github:
-          organization: "rubin-summit"
-          team: "rsp-access"
+      - "rsp-bts"
     "read:tap":
-      - github:
-          organization: "lsst-sqre"
-          team: "square"
-      - github:
-          organization: "lsst-sqre"
-          team: "friends"
-      - github:
-          organization: "lsst-ts"
-          team: "base-access"
-      - github:
-          organization: "rubin-summit"
-          team: "rsp-access"
+      - "rsp-bts"
     "write:sasquatch":
-      - github:
-          organization: "lsst-sqre"
-          team: "square"
+      - "sqre"
 
   initialAdmins:
     - "afausti"

diff --git a/applications/gafaelfawr/values.yaml b/applications/gafaelfawr/values.yaml
@@ -199,6 +199,12 @@ config:
     # returned in the token from the OpenID Connect authentication server.
     groupMemberAttr: "member"
 
+    # -- Whether to search for group membership by user DN rather than bare
+    # usernames. Most LDAP servers use full DNs for group membership, so
+    # normally this should be set to true, but it requires `userBaseDn` also
+    # be set.
+    groupSearchByDn: false
+
     # -- Base DN for the LDAP search to find a user's entry
     # @default -- Get user metadata from the upstream authentication provider
     userBaseDn: ""

diff --git a/applications/nublado/values-base.yaml b/applications/nublado/values-base.yaml
@@ -30,16 +30,16 @@ controller:
         - containerPath: "/home"
           mode: "rw"
           source:
-            serverPath: "/jhome"
-            server: "nfs-jhome.ls.lsst.org"
+            serverPath: "/rsphome"
+            server: "nfs-rsphome.ls.lsst.org"
             type: "nfs"
       volumes:
       - containerPath: "/home"
         mode: "rw"
         source:
           type: "nfs"
-          serverPath: "/jhome"
-          server: "nfs-jhome.ls.lsst.org"
+          serverPath: "/rsphome"
+          server: "nfs-rsphome.ls.lsst.org"
       - containerPath: "/project"
         mode: "rw"
         source: