From fddef43c08e818ac04a43e06bb1417bb7869fc0c Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Mon, 18 Sep 2023 16:57:42 -0700
Subject: [PATCH] Use Keycloak on base-lsp.lsst.codes

Point Gafaelfawr at local Keycloak on base-lsp.lsst.codes instead of using GitHub. Get user metadata from the IPA LDAP server. Switch to the new home directory source. Add values.yaml documentation for the new groupSearchByDn setting.
---
 applications/gafaelfawr/README.md              |   1 +
 .../gafaelfawr/templates/configmap.yaml        |   1 +
 applications/gafaelfawr/values-base.yaml       | 101 +++++------------
 applications/gafaelfawr/values.yaml            |   6 ++
 applications/nublado/values-base.yaml          |   8 +-
 5 files changed, 39 insertions(+), 78 deletions(-)

diff --git a/applications/gafaelfawr/README.md b/applications/gafaelfawr/README.md
index b88a433aa2..ed3427506c 100644
--- a/applications/gafaelfawr/README.md
+++ b/applications/gafaelfawr/README.md
@@ -49,6 +49,7 @@ Authentication and identity system
 | config.ldap.groupBaseDn | string | None, must be set | Base DN for the LDAP search to find a user's groups |
 | config.ldap.groupMemberAttr | string | `"member"` | Member attribute of the object class. Values must match the username returned in the token from the OpenID Connect authentication server. |
 | config.ldap.groupObjectClass | string | `"posixGroup"` | Object class containing group information |
+| config.ldap.groupSearchByDn | bool | `false` | Whether to search for group membership by user DN rather than bare usernames. Most LDAP servers use full DNs for group membership, so normally this should be set to true, but it requires `userBaseDn` also be set. |
 | config.ldap.kerberosConfig | string | Use anonymous binds | Enable GSSAPI (Kerberos) binds to LDAP using this `krb5.conf` file. If set, `ldap-keytab` must be set in the Gafaelfawr Vault secret. Set either this or `userDn`, not both. |
 | config.ldap.nameAttr | string | `"displayName"` | Attribute containing the user's full name |
 | config.ldap.uidAttr | string | Get UID from upstream authentication provider | Attribute containing the user's UID number (set to `uidNumber` for most LDAP servers) |
diff --git a/applications/gafaelfawr/templates/configmap.yaml b/applications/gafaelfawr/templates/configmap.yaml
index 93c2f61976..d5511ecc23 100644
--- a/applications/gafaelfawr/templates/configmap.yaml
+++ b/applications/gafaelfawr/templates/configmap.yaml
@@ -129,6 +129,7 @@
       {{- end }}
       groupObjectClass: {{ .Values.config.ldap.groupObjectClass | quote }}
       groupMemberAttr: {{ .Values.config.ldap.groupMemberAttr | quote }}
+      groupSearchByDn: {{ .Values.config.ldap.groupSearchByDn }}
       {{- if .Values.config.ldap.userBaseDn }}
       userBaseDn: {{ .Values.config.ldap.userBaseDn | quote }}
       userSearchAttr: {{ .Values.config.ldap.userSearchAttr | quote }}
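Review bot: The new `groupSearchByDn` line is emitted outside the `{{- if .Values.config.ldap.userBaseDn }}` guard that follows it, so a release with `groupSearchByDn: true` and an empty `userBaseDn` renders a config that the README and values.yaml text in this same commit declare invalid, and the mismatch presumably only shows up once Gafaelfawr is running rather than at render time. A template-level check turns the documented requirement into an enforced one: `{{- if and .Values.config.ldap.groupSearchByDn (not .Values.config.ldap.userBaseDn) }}{{ fail "config.ldap.groupSearchByDn requires config.ldap.userBaseDn" }}{{- end }}` placed just before the new line. The enclosing template block begins before this hunk, so the exact surrounding conditionals are not visible here.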
diff --git a/applications/gafaelfawr/values-base.yaml b/applications/gafaelfawr/values-base.yaml
index ceef9a995f..1d7f4775be 100644
--- a/applications/gafaelfawr/values-base.yaml
+++ b/applications/gafaelfawr/values-base.yaml
@@ -3,11 +3,28 @@ redis:
   storageClass: "rook-ceph-block"
 
 config:
+  logLevel: "DEBUG"
   slackAlerts: true
   databaseUrl: "postgresql://gafaelfawr@postgresdb01.ls.lsst.org/gafaelfawr"
-  github:
-    clientId: "ec88b9b897f302b620d1"
+  oidc:
+    clientId: "rsp-bts"
+    audience: "rsp-bts"
+    loginUrl: "https://keycloak.ls.lsst.org/realms/master/protocol/openid-connect/auth"
+    tokenUrl: "https://keycloak.ls.lsst.org/realms/master/protocol/openid-connect/token"
+    issuer: "https://keycloak.ls.lsst.org/realms/master"
+    scopes:
+      - "openid"
+    usernameClaim: "preferred_username"
+
+  ldap:
+    url: "ldap://ipa1.ls.lsst.org"
+    userDn: "uid=svc_rsp,cn=users,cn=accounts,dc=lsst,dc=cloud"
+    userBaseDn: "cn=users,cn=accounts,dc=lsst,dc=cloud"
+    uidAttr: "uidNumber"
+    gidAttr: "gidNumber"
+    groupBaseDn: "cn=groups,cn=accounts,dc=lsst,dc=cloud"
+    groupSearchByDn: true
 
   # Support OpenID Connect clients like Chronograf.
   oidcServer:
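Review bot: The new `ldap.url` uses the plain `ldap://` scheme while `userDn` selects a simple bind with a service account, so unless the client negotiates StartTLS the `svc_rsp` password and every user and group lookup cross the network unencrypted; if the IPA server offers it, `url: "ldaps://ipa1.ls.lsst.org"` is the safer choice, and if plaintext is deliberate a comment recording why belongs next to the line. The bind password for `userDn` also has to exist in this environment's Gafaelfawr Vault secret, which this change cannot show, so it is worth confirming before the cutover. Separately, `logLevel: "DEBUG"` lands in a per-environment values file with nothing saying whether it is a temporary aid; if so, mark it (`# TODO: drop once the Keycloak cutover is verified`) so verbose logging does not persist in the authentication service.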
@@ -16,85 +33,21 @@ config:
   # Allow access by GitHub team.
   groupMapping:
     "admin:provision":
-      - github:
-          organization: "lsst-sqre"
-          team: "square"
+      - "sqre"
     "exec:admin":
-      - github:
-          organization: "lsst-sqre"
-          team: "square"
-      - github:
-          organization: "lsst-ts"
-          team: "integration-testing-team"
+      - "sqre"
     "exec:internal-tools":
-      - github:
-          organization: "lsst-sqre"
-          team: "square"
-      - github:
-          organization: "lsst-sqre"
-          team: "friends"
-      - github:
-          organization: "lsst-ts"
-          team: "base-access"
-      - github:
-          organization: "rubin-summit"
-          team: "rsp-access"
+      - "rsp-bts"
     "exec:notebook":
-      - github:
-          organization: "lsst-sqre"
-          team: "square"
-      - github:
-          organization: "lsst-sqre"
-          team: "friends"
-      - github:
-          organization: "lsst-ts"
-          team: "base-access"
-      - github:
-          organization: "rubin-summit"
-          team: "rsp-access"
+      - "rsp-bts"
     "exec:portal":
-      - github:
-          organization: "lsst-sqre"
-          team: "square"
-      - github:
-          organization: "lsst-sqre"
-          team: "friends"
-      - github:
-          organization: "lsst-ts"
-          team: "base-access"
-      - github:
-          organization: "rubin-summit"
-          team: "rsp-access"
+      - "rsp-bts"
     "read:image":
-      - github:
-          organization: "lsst-sqre"
-          team: "square"
-      - github:
-          organization: "lsst-sqre"
-          team: "friends"
-      - github:
-          organization: "lsst-ts"
-          team: "base-access"
-      - github:
-          organization: "rubin-summit"
-          team: "rsp-access"
+      - "rsp-bts"
     "read:tap":
-      - github:
-          organization: "lsst-sqre"
-          team: "square"
-      - github:
-          organization: "lsst-sqre"
-          team: "friends"
-      - github:
-          organization: "lsst-ts"
-          team: "base-access"
-      - github:
-          organization: "rubin-summit"
-          team: "rsp-access"
+      - "rsp-bts"
     "write:sasquatch":
-      - github:
-          organization: "lsst-sqre"
-          team: "square"
+      - "sqre"
   initialAdmins:
     - "afausti"
diff --git a/applications/gafaelfawr/values.yaml b/applications/gafaelfawr/values.yaml
index 07d0b88c11..fba8421537 100644
--- a/applications/gafaelfawr/values.yaml
+++ b/applications/gafaelfawr/values.yaml
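Review bot: The retained context comment `# Allow access by GitHub team.` at the top of this hunk no longer describes the mapping beneath it, whose entries are now bare group names (`"sqre"`, `"rsp-bts"`) that presumably resolve against the IPA LDAP groups configured earlier in this file rather than GitHub teams. Update it to something like `# Allow access by LDAP group (resolved from the IPA server).` so the next reader does not go looking for a GitHub organization setting. It would also help to say in that comment where the `sqre` and `rsp-bts` groups are maintained, since membership in them now grants every scope listed here.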
@@ -199,6 +199,12 @@ config:
     # returned in the token from the OpenID Connect authentication server.
     groupMemberAttr: "member"
 
+    # -- Whether to search for group membership by user DN rather than bare
+    # usernames. Most LDAP servers use full DNs for group membership, so
+    # normally this should be set to true, but it requires `userBaseDn` also
+    # be set.
+    groupSearchByDn: false
+
     # -- Base DN for the LDAP search to find a user's entry
     # @default -- Get user metadata from the upstream authentication provider
     userBaseDn: ""
diff --git a/applications/nublado/values-base.yaml b/applications/nublado/values-base.yaml
index 046db05ee7..05ab4aaba7 100644
--- a/applications/nublado/values-base.yaml
+++ b/applications/nublado/values-base.yaml
@@ -30,16 +30,16 @@ controller:
       - containerPath: "/home"
         mode: "rw"
         source:
-          serverPath: "/jhome"
-          server: "nfs-jhome.ls.lsst.org"
+          serverPath: "/rsphome"
+          server: "nfs-rsphome.ls.lsst.org"
           type: "nfs"
     volumes:
       - containerPath: "/home"
         mode: "rw"
         source:
           type: "nfs"
-          serverPath: "/jhome"
-          server: "nfs-jhome.ls.lsst.org"
+          serverPath: "/rsphome"
+          server: "nfs-rsphome.ls.lsst.org"
       - containerPath: "/project"
         mode: "rw"
         source:
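Review bot: The NFS source for `/home` is spelled out twice in this hunk (once in the first mount list and again under `volumes`), so the new `serverPath: "/rsphome"` and `server: "nfs-rsphome.ls.lsst.org"` values must be kept in lockstep by hand and a future move that touches only one list would leave the two mounts silently pointing at different servers. If the chart's values loader honours anchors, defining the source once (`source: &rsphome` on the first occurrence, `source: *rsphome` on the second) removes the duplication; if not, a comment on each block naming the other is the cheap alternative. The two blocks also list `type: "nfs"` in different positions, which is harmless but makes the duplication harder to spot when diffing.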