Add google authd-broker documentation #724
Conversation
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #724 +/- ##
==========================================
- Coverage 83.43% 83.02% -0.42%
==========================================
Files 83 89 +6
Lines 8689 8988 +299
Branches 74 74
==========================================
+ Hits 7250 7462 +212
- Misses 1111 1179 +68
- Partials 328 347 +19 ☔ View full report in Codecov by Sentry. |
There was a problem hiding this comment.
Thanks @nsklikas -- this is great.
I've added some minor comments and suggestions.
One thing: did we agree to remove the Group Management section from the GDM guide? I think we did, and I'm not sure it adds much to the guide as it stands. Feel free to remove or comment it out. We might find a better place for it.
docs/index.md
Outdated
| @@ -4,9 +4,10 @@ authd is a versatile authentication service for Ubuntu, designed to seamlessly i | |||
|
|
|||
| authd features a modular structure, facilitating straightforward integration with different cloud services. This design aids in maintaining strong security and effective user authentication. It's well-suited for handling access to cloud identities, offering a balance of security and ease of use. | |||
|
|
|||
| authd uses brokers to interface with cloud identity providers through a [DBus API](https://github.com/ubuntu/authd/blob/HEAD/examplebroker/com.ubuntu.auth.ExampleBroker.xml). Currently only [MS Entra ID](https://learn.microsoft.com/en-us/entra/fundamentals/whatis) is supported. For development purposes, authd also provides an example broker to help you develop your own. | |||
| authd uses brokers to interface with cloud identity providers through a [DBus API](https://github.com/ubuntu/authd/blob/HEAD/examplebroker/com.ubuntu.auth.ExampleBroker.xml). Currently only [MS Entra ID](https://learn.microsoft.com/en-us/entra/fundamentals/whatis) and [Google IAM](https://cloud.google.com/iam/docs/overview) are supported. For development purposes, authd also provides an example broker to help you develop your own. | |||
There was a problem hiding this comment.
| authd uses brokers to interface with cloud identity providers through a [DBus API](https://github.com/ubuntu/authd/blob/HEAD/examplebroker/com.ubuntu.auth.ExampleBroker.xml). Currently only [MS Entra ID](https://learn.microsoft.com/en-us/entra/fundamentals/whatis) and [Google IAM](https://cloud.google.com/iam/docs/overview) are supported. For development purposes, authd also provides an example broker to help you develop your own. | |
| authd uses brokers to interface with cloud identity providers through a [DBus API](https://github.com/ubuntu/authd/blob/HEAD/examplebroker/com.ubuntu.auth.ExampleBroker.xml). Currently, both [MS Entra ID](https://learn.microsoft.com/en-us/entra/fundamentals/whatis) and [Google IAM](https://cloud.google.com/iam/docs/overview) are supported. For development purposes, authd also provides an example broker to help you develop your own. |
I would remove "only" here, as it has the potential effect of minimising the offering.
docs/index.md
Outdated
|
|
||
| These brokers allow you to authenticate against MS Entra ID or Google IAM using MFA and the device authentication flow. |
There was a problem hiding this comment.
| These brokers allow you to authenticate against MS Entra ID or Google IAM using MFA and the device authentication flow. | |
| These brokers allow you to authenticate against MS Entra ID or Google IAM using Multi-factor authentication (MFA) and the device authentication flow. |
I would combine this with previous paragraph, as it's the same flow of thought.
I would also spell out MFA because there are already three initialisms in this one sentence and -- for the homepage -- we want to make sure that the broadest range of readers understands what is being offered.
docs/reference/troubleshooting.md
Outdated
| For the Google IAM broker entries, run: | ||
|
|
||
| ```shell | ||
| journalctl -u snap.authd-google.authd-google.service | ||
| ``` | ||
|
|
There was a problem hiding this comment.
| For the Google IAM broker entries, run: | |
| ```shell | |
| journalctl -u snap.authd-google.authd-google.service | |
| ``` | |
| For the broker entries, run the following command, replacing `<broker-name>` with the appropriate broker, such as `google` or `msentraid`: | |
| ```shell | |
| journalctl -u snap.authd-<broker-name>.authd-<broker-name>.service |
Placeholders are used elsewhere in this reference, so we can probably do the same here instead of having two unique entries for each of the two brokers.
As this will be the first use of placeholders in the page, it's helpful to be explicit about the placeholders needing to be substituted.
docs/reference/troubleshooting.md
Outdated
| @@ -68,38 +74,38 @@ Enable=true | |||
|
|
|||
| Then you need to restart the service with `sudo systemctl restart gdm`. | |||
|
|
|||
| #### authd-msentraid service | |||
| #### authd-<broker> service | |||
There was a problem hiding this comment.
| #### authd-<broker> service | |
| #### authd broker service |
Avoid using angle brackets in headers: it doesn't render.
It also doesn't make sense to have placeholder syntax in text that the user will not be copying and running.
docs/reference/troubleshooting.md
Outdated
| snap switch authd-msentraid --edge | ||
| snap refresh authd-msentraid | ||
| snap switch authd-<broker_name> --edge | ||
| snap refresh authd-<broker_name> | ||
| ``` | ||
|
|
||
| Keep in mind that this version is not tested and may be incompatible with current released version of authd. You should switch back to stable after trying the edge channel: |
There was a problem hiding this comment.
| Keep in mind that this version is not tested and may be incompatible with current released version of authd. You should switch back to stable after trying the edge channel: | |
| Keep in mind that this version is not tested and may be incompatible with the current released version of authd. You should switch back to stable after trying the edge channel: |
|
|
||
| Register a new application in the Microsoft Azure portal. Once the application is registered, note the `Application (client) ID` and the `Directory (tenant) ID` from the `Overview` menu. These IDs are respectively the `<CLIENT_ID>` and `<ISSUER_ID>` used in the broker configuration file described in this document. | ||
| In this section we are going to register an OAuth 2.0 application that the broker can use to authenticate users. |
There was a problem hiding this comment.
| In this section we are going to register an OAuth 2.0 application that the broker can use to authenticate users. | |
| In this section we are going to register an OAuth 2.0 application that the broker can use to authenticate users. | |
| The registration process for both Entra ID and Google IAM will be demonstrated. |
Add line to indicate multiple brokers will be demonstrated.
docs/howto/configure-authd.md
Outdated
| Now we can configure the broker, different brokers require different configuration. | ||
|
|
There was a problem hiding this comment.
| Now we can configure the broker, different brokers require different configuration. | |
| Now we can configure the broker. Note that different brokers can require different configuration data. | |
Original was not really a complete sentence, so rewriting for clarity.
docs/howto/login-gdm.md
Outdated
| @@ -2,11 +2,14 @@ | |||
|
|
|||
| ## Logging in with a remote provider | |||
|
|
|||
| Once the system is configured you can log into your system using your MS Entra ID credentials and the device code flow. | |||
| Once the system is configured you can log into your system using your remote provider credentials and the device code flow. | |||
| In this example we are going to use MS Entra ID as the remote provider. | |||
There was a problem hiding this comment.
| In this example we are going to use MS Entra ID as the remote provider. | |
| In this example, we are going to use MS Entra ID as the remote provider but the process is equivalent for other providers. |
Using an example like this is fine and justified, as long as it is representative.
docs/howto/login-gdm.md
Outdated
|
|
||
| The main operation is to restart the broker to reload the configuration when it has changed. You can reload the broker with the command: | ||
|
|
||
| ```shell | ||
| snap restart authd-msentraid | ||
| snap restart authd-<broker_name> |
There was a problem hiding this comment.
As this page is a self-contained example that uses msentraid, I don't think the placeholder is appropriate.
| snap restart authd-<broker_name> | |
| snap restart authd-msentraid |
Maybe then add:
If you are using a different broker to `msentraid`, make sure to change the snap name when running this command.
| @@ -51,7 +44,7 @@ ssh_allowed_suffixes = @example.com,@ubuntu.com | |||
|
|
|||
| Once this is all set up, you can ssh to the server in the same way you'd do with any server: `ssh <username>@<host>`. The format of `<username>` is the user handle on Entra ID such as `[email protected]`. | |||
|
|
|||
| For instance: | |||
| For instance, here is an example using MS Entra ID as a provider: | |||
There was a problem hiding this comment.
It's OK to highlight use of MS Entra as an example here, but in the sentence immediately above we state that <username> is the user on handle on Entra ID -- perhaps change that to the more generic:
Once this is all set up, you can ssh to the server in the same way you'd do with any server:
ssh <username>@<host>. The format of<username>is the user handle on the provider, such as[email protected].
nsklikas
force-pushed
the
UDENG-5740
branch
4 times, most recently
from
1dbad01 to
a3cdbc2
Compare
I think we did say we wanted to move it out as a new, separate, page. I don’t think we want to update the documentation without it? The "group" page should hilight though that for now, this si only supported for MSEntra ID. |
nsklikas
force-pushed
the
UDENG-5740
branch
3 times, most recently
from
2c20152 to
2bc6942
Compare
docs/reference/group-management.md
Outdated
| # Group management | ||
|
|
||
| Groups are used to manage users that all need the same access and permissions to resources. | ||
| Groups from the remove provider can be mapped into local Linux groups for the user. |
There was a problem hiding this comment.
| Groups from the remove provider can be mapped into local Linux groups for the user. | |
| Groups from the remote provider can be mapped to local Linux groups for the user. |
docs/reference/group-management.md
Outdated
| Groups from the remove provider can be mapped into local Linux groups for the user. | ||
|
|
||
| ```{note} | ||
| Groups right now are only supported for the `msentraid` broker. |
There was a problem hiding this comment.
| Groups right now are only supported for the `msentraid` broker. | |
| Groups are currently supported for the `msentraid` broker. |
nsklikas
force-pushed
the
UDENG-5740
branch
2 times, most recently
from
903c971 to
c3e9c8f
Compare
|
Everything should be fine now. I am not sure why the tests are failing, but it should be something unrelated to these changes. I tried to re-trigger the workflow, but they failed again. As discussed, even if this PR is approved (and the tests are fixed), it will remain open until the google snap is released to |
Yeah the PAM integration tests are very flaky again. Cc @3v1n0 |
It is in stable already, just not listed until we do an official release: |
There was a problem hiding this comment.
Thanks for your work on this @nsklikas .
I've added one last suggested change and am approving in advance.
docs/howto/login-ssh.md
Outdated
| @@ -49,9 +42,9 @@ ssh_allowed_suffixes = @example.com,@ubuntu.com | |||
|
|
|||
| ## Usage | |||
|
|
|||
| Once this is all set up, you can ssh to the server in the same way you'd do with any server: `ssh <username>@<host>`. The format of `<username>` is the user handle on Entra ID such as `[email protected]`. | |||
| Once this is all set up, you can ssh to the server in the same way you'd do with any server: ssh <username>@<host>. The format of <username> is the user handle on the provider, such as `[email protected]`. | |||
There was a problem hiding this comment.
| Once this is all set up, you can ssh to the server in the same way you'd do with any server: ssh <username>@<host>. The format of <username> is the user handle on the provider, such as `[email protected]`. | |
| Once this is all set up, you can ssh to the server in the same way that you would do with any server: `ssh <username>@<host>`. The format of `<username>` is the user handle on the provider, such as `[email protected]`. |
Without backticks these translate to incomplete html tags in the browser, I think, so some of the words disappear in the preview:
I hope I didn't suggest those changes (I don't think I did!) but I think the backticks are needed for rendering; also, something like the ssh one is a command, so it makes sense to use them there.
There was a problem hiding this comment.
Oh my bad, copy/pasted from a rendered suggestion and forgot to add the backticks back.
Checks were failing when referencing anchors from different files
UDENG-5740
Added the documentation changes that we discussed to include the newly published google authd broker snap. I deviated very slightly from some of the discussed changes, please let me know if you agree or not.
cc @edibotopic