diff --git a/applications/gafaelfawr/README.md b/applications/gafaelfawr/README.md
index b88a433aa2..ed3427506c 100644
--- a/applications/gafaelfawr/README.md
+++ b/applications/gafaelfawr/README.md
@@ -49,6 +49,7 @@ Authentication and identity system
 | config.ldap.groupBaseDn | string | None, must be set | Base DN for the LDAP search to find a user's groups |
 | config.ldap.groupMemberAttr | string | `"member"` | Member attribute of the object class. Values must match the username returned in the token from the OpenID Connect authentication server. |
 | config.ldap.groupObjectClass | string | `"posixGroup"` | Object class containing group information |
+| config.ldap.groupSearchByDn | bool | `false` | Whether to search for group membership by user DN rather than bare usernames. Most LDAP servers use full DNs for group membership, so normally this should be set to true, but it requires `userBaseDn` also be set. |
 | config.ldap.kerberosConfig | string | Use anonymous binds | Enable GSSAPI (Kerberos) binds to LDAP using this `krb5.conf` file. If set, `ldap-keytab` must be set in the Gafaelfawr Vault secret. Set either this or `userDn`, not both. |
 | config.ldap.nameAttr | string | `"displayName"` | Attribute containing the user's full name |
 | config.ldap.uidAttr | string | Get UID from upstream authentication provider | Attribute containing the user's UID number (set to `uidNumber` for most LDAP servers) |
diff --git a/applications/gafaelfawr/templates/configmap.yaml b/applications/gafaelfawr/templates/configmap.yaml
index 93c2f61976..d5511ecc23 100644
--- a/applications/gafaelfawr/templates/configmap.yaml
+++ b/applications/gafaelfawr/templates/configmap.yaml
@@ -129,6 +129,7 @@
       {{- end }}
       groupObjectClass: {{ .Values.config.ldap.groupObjectClass | quote }}
       groupMemberAttr: {{ .Values.config.ldap.groupMemberAttr | quote }}
+      groupSearchByDn: {{ .Values.config.ldap.groupSearchByDn }}
       {{- if .Values.config.ldap.userBaseDn }}
       userBaseDn: {{ .Values.config.ldap.userBaseDn | quote }}
       userSearchAttr: {{ .Values.config.ldap.userSearchAttr | quote }}
diff --git a/applications/gafaelfawr/values-base.yaml b/applications/gafaelfawr/values-base.yaml
index ceef9a995f..1d7f4775be 100644
--- a/applications/gafaelfawr/values-base.yaml
+++ b/applications/gafaelfawr/values-base.yaml
@@ -3,11 +3,28 @@ redis:
   storageClass: "rook-ceph-block"
 
 config:
+  logLevel: "DEBUG"
   slackAlerts: true
   databaseUrl: "postgresql://gafaelfawr@postgresdb01.ls.lsst.org/gafaelfawr"
 
-  github:
-    clientId: "ec88b9b897f302b620d1"
+  oidc:
+    clientId: "rsp-bts"
+    audience: "rsp-bts"
+    loginUrl: "https://keycloak.ls.lsst.org/realms/master/protocol/openid-connect/auth"
+    tokenUrl: "https://keycloak.ls.lsst.org/realms/master/protocol/openid-connect/token"
+    issuer: "https://keycloak.ls.lsst.org/realms/master"
+    scopes:
+      - "openid"
+    usernameClaim: "preferred_username"
+
+  ldap:
+    url: "ldap://ipa1.ls.lsst.org"
+    userDn: "uid=svc_rsp,cn=users,cn=accounts,dc=lsst,dc=cloud"
+    userBaseDn: "cn=users,cn=accounts,dc=lsst,dc=cloud"
+    uidAttr: "uidNumber"
+    gidAttr: "gidNumber"
+    groupBaseDn: "cn=groups,cn=accounts,dc=lsst,dc=cloud"
+    groupSearchByDn: true
 
   # Support OpenID Connect clients like Chronograf.
   oidcServer:
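Review bot: The added `groupSearchByDn` line is rendered unconditionally, while the `userBaseDn` it depends on (per the README row and values.yaml comment in this same commit) is only emitted inside the `{{- if .Values.config.ldap.userBaseDn }}` block that follows it, so a chart with `groupSearchByDn: true` and an empty `userBaseDn` renders without complaint and the mismatch only surfaces when Gafaelfawr loads the config. A template-time guard makes the bad combination fail at `helm template` instead: `{{- if and .Values.config.ldap.groupSearchByDn (not .Values.config.ldap.userBaseDn) }}` / `{{- fail "config.ldap.userBaseDn must be set when config.ldap.groupSearchByDn is true" }}` / `{{- end }}`. The `ldap:` stanza this hunk sits in starts and ends outside the hunk.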
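Review bot: The new `ldap.url` is `ldap://ipa1.ls.lsst.org` combined with a simple bind as `userDn: "uid=svc_rsp,..."`, so unless Gafaelfawr upgrades the connection with STARTTLS (nothing on this page shows whether it does) the service account's bind password crosses the network in cleartext on every user lookup; `ldaps://`, or a confirmed STARTTLS path, would close that, and the choice deserves a comment either way. `logLevel: "DEBUG"` is also introduced for this environment with no comment; debug output from an identity service is typically verbose about requests and identities, so if it is for bring-up, say so and note when to drop it, e.g. `# TODO(review): DEBUG for the Keycloak/IPA switch-over; return to the default once logins are stable`. The `config:` mapping continues past the end of this hunk.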
@@ -16,85 +33,21 @@ config:
   # Allow access by GitHub team.
   groupMapping:
     "admin:provision":
-      - github:
-          organization: "lsst-sqre"
-          team: "square"
+      - "sqre"
     "exec:admin":
-      - github:
-          organization: "lsst-sqre"
-          team: "square"
-      - github:
-          organization: "lsst-ts"
-          team: "integration-testing-team"
+      - "sqre"
     "exec:internal-tools":
-      - github:
-          organization: "lsst-sqre"
-          team: "square"
-      - github:
-          organization: "lsst-sqre"
-          team: "friends"
-      - github:
-          organization: "lsst-ts"
-          team: "base-access"
-      - github:
-          organization: "rubin-summit"
-          team: "rsp-access"
+      - "rsp-bts"
     "exec:notebook":
-      - github:
-          organization: "lsst-sqre"
-          team: "square"
-      - github:
-          organization: "lsst-sqre"
-          team: "friends"
-      - github:
-          organization: "lsst-ts"
-          team: "base-access"
-      - github:
-          organization: "rubin-summit"
-          team: "rsp-access"
+      - "rsp-bts"
     "exec:portal":
-      - github:
-          organization: "lsst-sqre"
-          team: "square"
-      - github:
-          organization: "lsst-sqre"
-          team: "friends"
-      - github:
-          organization: "lsst-ts"
-          team: "base-access"
-      - github:
-          organization: "rubin-summit"
-          team: "rsp-access"
+      - "rsp-bts"
     "read:image":
-      - github:
-          organization: "lsst-sqre"
-          team: "square"
-      - github:
-          organization: "lsst-sqre"
-          team: "friends"
-      - github:
-          organization: "lsst-ts"
-          team: "base-access"
-      - github:
-          organization: "rubin-summit"
-          team: "rsp-access"
+      - "rsp-bts"
     "read:tap":
-      - github:
-          organization: "lsst-sqre"
-          team: "square"
-      - github:
-          organization: "lsst-sqre"
-          team: "friends"
-      - github:
-          organization: "lsst-ts"
-          team: "base-access"
-      - github:
-          organization: "rubin-summit"
-          team: "rsp-access"
+      - "rsp-bts"
     "write:sasquatch":
-      - github:
-          organization: "lsst-sqre"
-          team: "square"
+      - "sqre"
 
   initialAdmins:
     - "afausti"
diff --git a/applications/gafaelfawr/values.yaml b/applications/gafaelfawr/values.yaml
index 07d0b88c11..fba8421537 100644
--- a/applications/gafaelfawr/values.yaml
+++ b/applications/gafaelfawr/values.yaml
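Review bot: The context comment `# Allow access by GitHub team.` at the top of the hunk no longer describes the mapping beneath it, which now lists bare group names (`"sqre"`, `"rsp-bts"`) instead of GitHub organization/team objects; change it to `# Allow access by LDAP group.`. With plain strings there is no longer a provider qualifier telling a reader where these names come from, so if, as the new `ldap.groupBaseDn` earlier in this file suggests, they are resolved from the IPA groups tree, a pointer such as `# Group names are looked up under config.ldap.groupBaseDn.` next to that comment would help. The `config:` mapping enclosing this hunk begins outside it.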
@@ -199,6 +199,12 @@ config:
     # returned in the token from the OpenID Connect authentication server.
     groupMemberAttr: "member"
 
+    # -- Whether to search for group membership by user DN rather than bare
+    # usernames. Most LDAP servers use full DNs for group membership, so
+    # normally this should be set to true, but it requires `userBaseDn` also
+    # be set.
+    groupSearchByDn: false
+
     # -- Base DN for the LDAP search to find a user's entry
     # @default -- Get user metadata from the upstream authentication provider
     userBaseDn: ""
diff --git a/applications/nublado/values-base.yaml b/applications/nublado/values-base.yaml
index 046db05ee7..05ab4aaba7 100644
--- a/applications/nublado/values-base.yaml
+++ b/applications/nublado/values-base.yaml
@@ -30,16 +30,16 @@ controller:
           - containerPath: "/home"
             mode: "rw"
             source:
-              serverPath: "/jhome"
-              server: "nfs-jhome.ls.lsst.org"
+              serverPath: "/rsphome"
+              server: "nfs-rsphome.ls.lsst.org"
               type: "nfs"
       volumes:
         - containerPath: "/home"
           mode: "rw"
           source:
             type: "nfs"
-            serverPath: "/jhome"
-            server: "nfs-jhome.ls.lsst.org"
+            serverPath: "/rsphome"
+            server: "nfs-rsphome.ls.lsst.org"
         - containerPath: "/project"
           mode: "rw"
           source:
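Review bot: The new comment recommends `true` for most LDAP servers while the default stays `false`, and does not say why, which invites the next reader to "fix" the default; if the reason is keeping existing deployments' group lookups unchanged, say so, e.g. append `# The default stays false so existing deployments keep their current behavior; new deployments should set this to true.` The phrase "requires `userBaseDn` also be set" also reads better as "requires `userBaseDn` to be set as well". The `ldap:` block containing this hunk starts and ends outside it.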