[ARVADOS] updated: 1.3.0-2557-g28e68f813
Git user
git at public.arvados.org
Wed May 13 19:25:33 UTC 2020
Summary of changes:
build/rails-package-scripts/arvados-sso-server.sh | 2 +-
doc/_config.yml | 2 -
doc/admin/metrics.html.textile.liquid | 1 -
doc/admin/migrating-providers.html.textile.liquid | 35 +--
doc/admin/upgrading.html.textile.liquid | 6 +-
doc/admin/user-management.html.textile.liquid | 2 +-
doc/install/google-auth.html.textile.liquid | 27 ---
doc/install/install-components.html.textile.liquid | 1 -
...nstall-manual-prerequisites.html.textile.liquid | 22 +-
doc/install/install-sso.html.textile.liquid | 237 ---------------------
doc/install/setup-login.html.textile.liquid | 24 ++-
lib/config/config.default.yml | 4 +-
lib/config/generated_config.go | 4 +-
lib/controller/localdb/login_ldap.go | 7 +-
lib/controller/localdb/login_ldap_docker_test.go | 10 +-
services/api/config/arvados_config.rb | 4 +-
services/api/config/initializers/omniauth_init.rb | 8 +-
tools/arvbox/lib/arvbox/docker/cluster-config.sh | 5 +-
18 files changed, 56 insertions(+), 345 deletions(-)
delete mode 100644 doc/install/google-auth.html.textile.liquid
delete mode 100644 doc/install/install-sso.html.textile.liquid
via 28e68f813bd7c48847c39a9e07d66ff5cf61662d (commit)
via ad00c515d3a34a8247a08be5a332470f8563086c (commit)
via 3198e16b3e7ae214a2e739c1676d7550c5e6209c (commit)
via e7e1b1114a550b462d73f3887074799b6b6e5e66 (commit)
via 0780fdfbd08ca817ffeabc88b46f39130ac1e6c4 (commit)
from f0d798af105d042e3129fca334c080ce9a90293f (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
commit 28e68f813bd7c48847c39a9e07d66ff5cf61662d
Author: Tom Clegg <tom at tomclegg.ca>
Date: Wed May 13 15:25:11 2020 -0400
15881: Add "remove sso-provider" to upgrade notes.
Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tom at tomclegg.ca>
diff --git a/doc/admin/upgrading.html.textile.liquid b/doc/admin/upgrading.html.textile.liquid
index 23d712043..070e58983 100644
--- a/doc/admin/upgrading.html.textile.liquid
+++ b/doc/admin/upgrading.html.textile.liquid
@@ -38,7 +38,11 @@ h2(#master). development master (as of 2020-02-07)
"Upgrading from 2.0.0":#v2_0_0
-None in current development master.
+h3. Removing sso-provider
+
+The SSO (single sign-on) component is deprecated and will not be supported in future releases. Existing configurations will continue to work in this release, but you should switch to one of the built-in authentication mechanisms as soon as possible. See "setting up web based login":{{site.baseurl}}/install/setup-login.html for details.
+
+After migrating your configuration, uninstall the @arvados-sso-provider@ package.
h2(#v2_0_0). v2.0.0 (2020-02-07)
commit ad00c515d3a34a8247a08be5a332470f8563086c
Author: Tom Clegg <tom at tomclegg.ca>
Date: Wed May 13 15:13:34 2020 -0400
15881: Remove SSO install instructions.
Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tom at tomclegg.ca>
diff --git a/build/rails-package-scripts/arvados-sso-server.sh b/build/rails-package-scripts/arvados-sso-server.sh
index fff582bb1..e88da0d3a 100644
--- a/build/rails-package-scripts/arvados-sso-server.sh
+++ b/build/rails-package-scripts/arvados-sso-server.sh
@@ -8,6 +8,6 @@
PACKAGE_NAME=arvados-sso-server
INSTALL_PATH=/var/www/arvados-sso
CONFIG_PATH=/etc/arvados/sso
-DOC_URL="http://doc.arvados.org/install/install-sso.html#configure"
+DOC_URL="https://doc.arvados.org/v2.0/install/install-sso.html#configure"
RAILSPKG_DATABASE_LOAD_TASK=db:schema:load
RAILSPKG_SUPPORTS_CONFIG_CHECK=0
diff --git a/doc/_config.yml b/doc/_config.yml
index 9917b0fdf..48fe1b53d 100644
--- a/doc/_config.yml
+++ b/doc/_config.yml
@@ -209,7 +209,6 @@ navbar:
- install/install-keep-balance.html.textile.liquid
- User interface:
- install/setup-login.html.textile.liquid
- - install/install-sso.html.textile.liquid
- install/install-workbench-app.html.textile.liquid
- install/install-workbench2-app.html.textile.liquid
- install/install-composer.html.textile.liquid
@@ -227,5 +226,4 @@ navbar:
- install/install-postgresql.html.textile.liquid
- install/ruby.html.textile.liquid
- install/nginx.html.textile.liquid
- - install/google-auth.html.textile.liquid
- install/install-docker.html.textile.liquid
diff --git a/doc/admin/metrics.html.textile.liquid b/doc/admin/metrics.html.textile.liquid
index a6a0862c4..1d6b87da6 100644
--- a/doc/admin/metrics.html.textile.liquid
+++ b/doc/admin/metrics.html.textile.liquid
@@ -42,7 +42,6 @@ table(table table-bordered table-condensed table-hover).
|keepstore|✓|
|keep-balance|✓|
|keep-web|✓|
-|sso-provider||
|workbench1||
|workbench2||
diff --git a/doc/admin/migrating-providers.html.textile.liquid b/doc/admin/migrating-providers.html.textile.liquid
index 6dd0d866e..89a5d18a7 100644
--- a/doc/admin/migrating-providers.html.textile.liquid
+++ b/doc/admin/migrating-providers.html.textile.liquid
@@ -9,37 +9,8 @@ Copyright (C) The Arvados Authors. All rights reserved.
SPDX-License-Identifier: CC-BY-SA-3.0
{% endcomment %}
-This page describes how to enable users to use more than one upstream identity provider to log into the same Arvados account. This can be used to migrate account providers, for example, from LDAP to Google. In order to do this, users must be able to log into both the "old" and "new" providers.
+When a user logs in to Arvados, their email address (as returned by the authentication provider) is used as the primary key for their Arvados account.
-h2. Configure multiple or alternate provider in SSO
+If you reconfigure Arvados to use a different authentication provider after some users have created accounts, you should either ensure the new provider returns the same email addresses as the old one, or update your Arvados users' @email@ attributes to match the email addresses returned by the new provider.
-In @application.yml@ for the SSO server, you can enable both @google_oauth2@ and @ldap@ providers:
-
-<pre>
-production:
- google_oauth2_client_id: abcd
- google_oauth2_client_secret: abcd
-
- use_ldap:
- title: Example LDAP
- host: ldap.example.com
- port: 636
- method: ssl
- base: "ou=Users, dc=example, dc=com"
- uid: uid
- username: uid
-</pre>
-
-Restart the SSO server after changing the configuration.
-
-h2. Matching on email address
-
-If the new account provider supplies an email address (primary or alternate) that matches an existing user account, the user will be logged into that account. No further migration is necessary, and the old provider can be removed from the SSO configuration.
-
-h2. Link accounts
-
-If the new provider cannot provide matching email addresses, users will have to migrate manually by "linking accounts":{{site.baseurl}}/user/topics/link-accounts.html
-
-After linking accounts, users can use the new provider to access their existing Arvados account.
-
-Once all users have migrated, the old account provider can be removed from the SSO configuration.
+Otherwise, next time users log in, they will be given new accounts intead of logging in to their existing accounts.
diff --git a/doc/admin/user-management.html.textile.liquid b/doc/admin/user-management.html.textile.liquid
index 177abd8db..9e53775ed 100644
--- a/doc/admin/user-management.html.textile.liquid
+++ b/doc/admin/user-management.html.textile.liquid
@@ -24,7 +24,7 @@ After completing the log in and authentication process, the API server receives
If a provider identifier is given, the API server searches for a matching user record.
-If a provider identifier is not given, no match is found, it next searches by primary email and then alternate email address. This enables "provider migration":migrating-providers.html and a "pre-activated accounts.":#pre-activated
+If a provider identifier is not given, no match is found, it next searches by primary email and then alternate email address. This enables "provider migration":migrating-providers.html and "pre-activated accounts.":#pre-activated
If no user account is found, a new user account is created with the information from the identity provider.
diff --git a/doc/install/google-auth.html.textile.liquid b/doc/install/google-auth.html.textile.liquid
deleted file mode 100644
index fad10ff35..000000000
--- a/doc/install/google-auth.html.textile.liquid
+++ /dev/null
@@ -1,27 +0,0 @@
----
-layout: default
-navsection: installguide
-title: Setting up Google auth
-...
-{% comment %}
-Copyright (C) The Arvados Authors. All rights reserved.
-
-SPDX-License-Identifier: CC-BY-SA-3.0
-{% endcomment %}
-
-In order to use Google for authentication, you must use the <a href="https://console.developers.google.com" target="_blank">Google Developers Console</a> to create a set of client credentials.
-
-# Go to the <a href="https://console.developers.google.com" target="_blank">Google Developers Console</a> and select or create a project; this will take you to the project page.
-# Click on *+ Enable APIs and Services*
-## Search for *People API* and click on *Enable API*.
-# Navigate back to the main "APIs & Services" page
-# On the sidebar, click on *OAuth consent screen*
-## On consent screen settings, enter your identifying details
-## Under *Authorized domains* add @example.com@
-## Click on *Save*.
-# On the sidebar, click on *Credentials*; then click on *Create credentials*→*OAuth Client ID*
-# Under *Application type* select *Web application*.
-# You must set the authorization origins. Edit @auth.example.com@ to the appropriate hostname that you will use to access the SSO service:
-## JavaScript origin should be @https://ClusterID.example.com/@ (using Arvados-controller based login) or @https://auth.example.com/@ (for the SSO server)
-## Redirect URI should be @https://ClusterID.example.com/login@ (using Arvados-controller based login) or @https://auth.example.com/users/auth/google_oauth2/callback@ (for the SSO server)
-# Copy the values of *Client ID* and *Client secret* from the Google Developers Console and add them to the appropriate configuration.
diff --git a/doc/install/install-components.html.textile.liquid b/doc/install/install-components.html.textile.liquid
index 15fbe1162..cdaa71ce5 100644
--- a/doc/install/install-components.html.textile.liquid
+++ b/doc/install/install-components.html.textile.liquid
@@ -16,7 +16,6 @@ table(table table-bordered table-condensed).
|"Keep-web":install-keep-web.html |Gateway service providing read/write HTTP and WebDAV support on top of Keep.|Required to be able to download files from Keep over plain HTTP in Workbench.|
|"Keep-balance":install-keep-balance.html |Storage cluster maintenance daemon responsible for moving blocks to their optimal server location, adjusting block replication levels, and trashing unreferenced blocks.|Required to free deleted data from underlying storage, and to ensure proper replication and block distribution (including support for storage classes).|
|\3=. *User interface*|
-|"Single Sign On server":install-sso.html |Login server.|Required for web based login to Workbench.|
|"Workbench":install-workbench-app.html, "Workbench2":install-workbench2-app.html |Primary graphical user interface for working with file collections and running containers.|Optional. Depends on API server, SSO server, keep-web, websockets server.|
|"Workflow Composer":install-composer.html |Graphical user interface for editing Common Workflow Language workflows.|Optional. Depends on git server (arv-git-httpd).|
|\3=. *Additional services*|
diff --git a/doc/install/install-manual-prerequisites.html.textile.liquid b/doc/install/install-manual-prerequisites.html.textile.liquid
index ea6ad4779..2ce6e36a6 100644
--- a/doc/install/install-manual-prerequisites.html.textile.liquid
+++ b/doc/install/install-manual-prerequisites.html.textile.liquid
@@ -53,8 +53,7 @@ table(table table-bordered table-condensed).
|"Keep-web":install-keep-web.html |Gateway service providing read/write HTTP and WebDAV support on top of Keep.|Required to access files from Workbench.|
|"Keep-balance":install-keep-balance.html |Storage cluster maintenance daemon responsible for moving blocks to their optimal server location, adjusting block replication levels, and trashing unreferenced blocks.|Required to free deleted data from underlying storage, and to ensure proper replication and block distribution (including support for storage classes).|
|\3=. *User interface*|
-|"Single Sign On server":install-sso.html |Web based login to Workbench.|Depends on identity provider. Not required for Google. Required for LDAP or standalone database.|
-|"Workbench":install-workbench-app.html, "Workbench2":install-workbench2-app.html |Primary graphical user interface for working with file collections and running containers.|Optional. Depends on API server, SSO server, keep-web, websockets server.|
+|"Workbench":install-workbench-app.html, "Workbench2":install-workbench2-app.html |Primary graphical user interface for working with file collections and running containers.|Optional. Depends on API server, keep-web, websockets server.|
|"Workflow Composer":install-composer.html |Graphical user interface for editing Common Workflow Language workflows.|Optional. Depends on git server (arv-git-httpd).|
|\3=. *Additional services*|
|"Websockets server":install-ws.html |Event distribution server.|Required to view streaming container logs in Workbench.|
@@ -68,9 +67,9 @@ h2(#identity). Identity provider
Choose which backend you will use to authenticate users.
-* Google login to authenticate users with a Google account. Note: if you only use this identity provider, login can be handled by @arvados-controller@ (recommended), and you do not need to install the Arvados Single Sign-On server (SSO).
-* LDAP login to authenticate users using the LDAP protocol, supported by many services such as OpenLDAP and Active Directory. Supports username/password authentication.
-* Standalone SSO server user database. Supports username/password authentication. Supports new user sign-up.
+* Google login to authenticate users with a Google account.
+* LDAP login to authenticate users by username/password using the LDAP protocol, supported by many services such as OpenLDAP and Active Directory.
+* PAM login to authenticate users by username/password according to the PAM configuration on the controller node.
h2(#storage). Storage backend
@@ -102,16 +101,14 @@ For a production installation, this is a reasonable starting point:
table(table table-bordered table-condensed).
|_. Function|_. Number of nodes|_. Recommended specs|
|Postgres database, Arvados API server, Arvados controller, Git, Websockets, Container dispatcher|1|16+ GiB RAM, 4+ cores, fast disk for database|
-|Single Sign-On (SSO) server ^1^|1|2 GiB RAM|
|Workbench, Keepproxy, Keep-web, Keep-balance|1|8 GiB RAM, 2+ cores|
-|Keepstore servers ^2^|2+|4 GiB RAM|
-|Compute worker nodes ^2^|0+ |Depends on workload; scaled dynamically in the cloud|
-|User shell nodes ^3^|0+|Depends on workload|
+|Keepstore servers ^1^|2+|4 GiB RAM|
+|Compute worker nodes ^1^|0+ |Depends on workload; scaled dynamically in the cloud|
+|User shell nodes ^2^|0+|Depends on workload|
</div>
-^1^ May be omitted when using Google login support in @arvados-controller@
-^2^ Should be scaled up as needed
-^3^ Refers to shell nodes managed by Arvados, that provide ssh access for users to interact with Arvados at the command line. Optional.
+^1^ Should be scaled up as needed
+^2^ Refers to shell nodes managed by Arvados, that provide ssh access for users to interact with Arvados at the command line. Optional.
{% include 'notebox_begin' %}
For a small demo installation, it is possible to run all the Arvados services on a single node. Special considerations for single-node installs will be noted in boxes like this.
@@ -140,7 +137,6 @@ table(table table-bordered table-condensed).
|Arvados API|@ClusterID.example.com@|
|Arvados Git server|git. at ClusterID.example.com@|
|Arvados Websockets endpoint|ws. at ClusterID.example.com@|
-|Arvados SSO Server|@auth.example.com@|
|Arvados Workbench|workbench. at ClusterID.example.com@|
|Arvados Workbench 2|workbench2. at ClusterID.example.com@|
|Arvados Keepproxy server|keep. at ClusterID.example.com@|
diff --git a/doc/install/install-sso.html.textile.liquid b/doc/install/install-sso.html.textile.liquid
deleted file mode 100644
index c3e1947b4..000000000
--- a/doc/install/install-sso.html.textile.liquid
+++ /dev/null
@@ -1,239 +0,0 @@
----
-layout: default
-navsection: installguide
-title: Install the Single Sign On (SSO) server
-...
-{% comment %}
-Copyright (C) The Arvados Authors. All rights reserved.
-
-SPDX-License-Identifier: CC-BY-SA-3.0
-{% endcomment %}
-
-{% include 'notebox_begin_warning' %}
-Skip this section if you are using Google login via @arvados-controller at .
-{% include 'notebox_end' %}
-
-# "Install dependencies":#dependencies
-# "Set up database":#database-setup
-# "Update config.yml":#update-config
-# "Configure the SSO server":#create-application-yml
-# "Update Nginx configuration":#update-nginx
-# "Install arvados-sso-server":#install-packages
-# "Create arvados-server client record":#client
-# "Restart the API server and controller":#restart-api
-
-h2(#dependencies). Install dependencies
-
-# "Install PostgreSQL":install-postgresql.html
-# "Install Ruby and Bundler":ruby.html Important! The Single Sign On server only supports Ruby 2.3, to avoid version conflicts we recommend installing it on a different server from the API server. When installing Ruby, ensure that you get the right version by installing the "ruby2.3" package, or by using RVM with @--ruby=2.3@
-# "Install nginx":nginx.html
-# "Install Phusion Passenger":https://www.phusionpassenger.com/library/walkthroughs/deploy/ruby/ownserver/nginx/oss/install_passenger_main.html
-
-h2(#database-setup). Set up the database
-
-{% assign service_role = "arvados_sso" %}
-{% assign service_database = "arvados_sso_production" %}
-{% assign use_contrib = false %}
-{% include 'install_postgres_database' %}
-
-Now create @/etc/arvados/sso/database.yml@
-
-<pre>
-production:
- adapter: postgresql
- encoding: utf8
- database: arvados_sso_production
- username: arvados_sso
- password: $password
- host: localhost
- template: template0
-</pre>
-
-h2(#update-config). Update config.yml
-
-<pre>
- Services:
- SSO:
- ExternalURL: auth.ClusterID.example.com
- Login:
- SSO:
- Enable: true
- ProviderAppID: "arvados-server"
- ProviderAppSecret: $app_secret
-</pre>
-
-Generate @ProviderAppSecret@:
-
-<notextile>
-<pre><code>~$ <span class="userinput">ruby -e 'puts rand(2**400).to_s(36)'</span>
-zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
-</code></pre></notextile>
-
-h2(#create-application-yml). Configure the SSO server
-
-The SSO server runs from the @/var/www/arvados-sso/current/@ directory. The files @/var/www/arvados-sso/current/config/application.yml@ and @/var/www/arvados-sso/current/config/database.yml@ will be symlinked to the configuration files in @/etc/arvados/sso/@.
-
-The SSO server reads the @config/application.yml@ file, as well as the @config/application.defaults.yml@ file. Values in @config/application.yml@ take precedence over the defaults that are defined in @config/application.defaults.yml at . The @config/application.yml.example@ file is not read by the SSO server and is provided for installation convenience only.
-
-Consult @config/application.default.yml@ for a full list of configuration options. Local configuration goes in @/etc/arvados/sso/application.yml@, do not edit @config/application.default.yml at .
-
-Create @/etc/arvados/sso/application.yml@ and add these keys:
-
-<pre>
-production:
- uuid_prefix: xxxxx
- secret_token: zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
-</pre>
-
-h3(#uuid_prefix). uuid_prefix
-
-Most of the time, you want this to be the same as your @ClusterID at . If not, generate a new one from the command line listed previously.
-
-h3(#secret_token). secret_token
-
-Generate a new secret token for signing cookies:
-
-<notextile>
-<pre><code>~$ <span class="userinput">ruby -e 'puts rand(2**400).to_s(36)'</span>
-zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
-</code></pre></notextile>
-
-h3(#authentication_methods). Authentication methods
-
-Authentication methods are configured in @application.yml at . Currently three authentication methods are supported: local accounts, LDAP, and Google. If neither Google nor LDAP are enabled, the SSO server defaults to local user accounts. Only one authentication mechanism should be in use at a time. Choose your authentication method and add the listed configuration items to the @production@ section.
-
-h4(#local_accounts). Local account authentication
-
-There are two configuration options for local accounts:
-
-<pre>
- # If true, allow new creation of new accounts in the SSO server's internal
- # user database.
- allow_account_registration: false
-
- # If true, send an email confirmation before activating new accounts in the
- # SSO server's internal user database (otherwise users are activated immediately.)
- require_email_confirmation: false
-</pre>
-
-For more information about configuring backend support for sending email (required to send email confirmations) see "Configuring Action Mailer":http://guides.rubyonrails.org/configuring.html#configuring-action-mailer
-
-If @allow_account_registration@ is false, you may manually create local accounts on the SSO server from the Rails console. {% include 'install_rails_command' %}
-
-Enter the following commands at the console.
-
-<notextile>
-<pre><code>:001 > <span class="userinput">user = User.new(:email => "test at example.com")</span>
-:002 > <span class="userinput">user.password = "passw0rd"</span>
-:003 > <span class="userinput">user.save!</span>
-:004 > <span class="userinput">quit</span>
-</code></pre>
-</notextile>
-
-h4(#ldap). LDAP authentication
-
-The following options are available to configure LDAP authentication. Note that you must preserve the indentation of the fields listed under @use_ldap at .
-
-<pre>
- use_ldap:
- title: Example LDAP
- host: ldap.example.com
- port: 636
- method: ssl
- base: "ou=Users, dc=example, dc=com"
- uid: uid
- email_domain: example.com
- #bind_dn: "some_user"
- #password: "some_password"
-</pre>
-
-table(table).
-|_. Option|_. Description|
-|title |Title displayed to the user on the login page|
-|host |LDAP server hostname|
-|port |LDAP server port|
-|method|One of "plain", "ssl", "tls"|
-|base |Directory lookup base|
-|uid |User id field used for directory lookup|
-|email_domain|Strip off specified email domain from login and perform lookup on bare username|
-|bind_dn|If required by server, username to log with in before performing directory lookup|
-|password|If required by server, password to log with before performing directory lookup|
-
-h4(#google). Google authentication
-
-First, visit "Setting up Google auth.":google-auth.html
-
-Next, copy the values of *Client ID* and *Client secret* from the Google Developers Console into the Google section of @config/application.yml@, like this:
-
-<notextile>
-<pre><code> # Google API tokens required for OAuth2 login.
- google_oauth2_client_id: <span class="userinput">"---YOUR---CLIENT---ID---HERE--"-</span>
- google_oauth2_client_secret: <span class="userinput">"---YOUR---CLIENT---SECRET---HERE--"-</span></code></pre></notextile>
-
-h2(#update-nginx). Update nginx configuration
-
-Use a text editor to create a new file @/etc/nginx/conf.d/arvados-sso.conf@ with the following configuration. Options that need attention are marked in <span class="userinput">red</span>.
-
-<notextile>
-<pre><code>server {
- listen <span class="userinput">auth.ClusterID.example.com</span>:443 ssl;
- server_name <span class="userinput">auth.ClusterID.example.com</span>;
-
- ssl on;
- ssl_certificate <span class="userinput">/YOUR/PATH/TO/cert.pem</span>;
- ssl_certificate_key <span class="userinput">/YOUR/PATH/TO/cert.key</span>;
-
- root /var/www/arvados-sso/current/public;
- index index.html;
-
- passenger_enabled on;
-
- # <span class="userinput">If you are using RVM, uncomment the line below.</span>
- # <span class="userinput">If you're using system ruby, leave it commented out.</span>
- #passenger_ruby /usr/local/rvm/wrappers/default/ruby;
-}
-</code></pre>
-</notextile>
-
-h2(#install-packages). Install arvados-sso-server package
-
-h3. Centos 7
-
-<notextile>
-<pre><code># <span class="userinput">yum install arvados-sso-server</span>
-</code></pre>
-</notextile>
-
-h3. Debian and Ubuntu
-
-<notextile>
-<pre><code># <span class="userinput">apt-get install --no-install-recommends arvados-sso-server</span>
-</code></pre>
-</notextile>
-
-h2(#client). Create arvados-server client record
-
-{% assign railshost = "" %}
-{% assign railsdir = "/var/www/arvados-sso/current" %}
-Use @rails console@ to create a @Client@ record that will be used by the Arvados API server. {% include 'install_rails_command' %}
-
-Enter the following commands at the console. The values that appear after you assign @app_id@ and @app_secret@ will be copied to @Login.ProviderAppID@ and @Login.ProviderAppSecret@ in @config.yml at .
-
-<notextile>
-<pre><code>:001 > <span class="userinput">c = Client.new</span>
-:002 > <span class="userinput">c.name = "joshid"</span>
-:003 > <span class="userinput">c.app_id = "arvados-server"</span>
-:004 > <span class="userinput">c.app_secret = "the value of Login.ProviderAppSecret"</span>
-:005 > <span class="userinput">c.save!</span>
-:006 > <span class="userinput">quit</span>
-</code></pre>
-</notextile>
-
-h2(#restart-api). Restart the API server and controller
-
-After adding the SSO server to the Services section, make sure the cluster config file is up to date on the API server host, and restart the API server and controller processes to ensure the changes are applied.
-
-<notextile>
-<pre><code># <span class="userinput">systemctl restart nginx arvados-controller</span>
-</code></pre>
-</notextile>
diff --git a/doc/install/setup-login.html.textile.liquid b/doc/install/setup-login.html.textile.liquid
index 069519a26..3fe442c75 100644
--- a/doc/install/setup-login.html.textile.liquid
+++ b/doc/install/setup-login.html.textile.liquid
@@ -14,15 +14,25 @@ Select one of the following login mechanisms for your cluster.
# If all users will authenticate with Google, "configure Google login":#google.
# If all users will authenticate with an existing LDAP service, "configure LDAP":#ldap.
# If all users will authenticate using PAM as configured on your controller node, "configure PAM":#pam.
-# If you need to enable multiple authentication methods, "configure a separate single sign-on (SSO) server":#sso.
h2(#google). Google login
With this configuration, users will sign in with their Google accounts.
-First, visit "Setting up Google auth.":google-auth.html
-
-Next, enable Google login and copy the values of *Client ID* and *Client secret* from the Google Developers Console into the @Login.Google@ section of @config.yml@:
+Use the <a href="https://console.developers.google.com" target="_blank">Google Developers Console</a> to create a set of client credentials.
+# Select or create a project.
+# Click *+ Enable APIs and Services*.
+#* Search for *People API* and click *Enable API*.
+#* Navigate back to the main "APIs & Services" page.
+# On the sidebar, click *OAuth consent screen*.
+#* On consent screen settings, enter your identifying details.
+#* Under *Authorized domains* add your domain (@example.com@).
+#* Click *Save*.
+# On the sidebar, click *Credentials*, then click *Create credentials*→*OAuth client ID*
+# Under *Application type* select *Web application*.
+# Add the JavaScript origin: @https://ClusterID.example.com/@
+# Add the Redirect URI: @https://ClusterID.example.com/login@
+# Copy the values of *Client ID* and *Client secret* to the @Login.Google@ section of @config.yml at .
<pre>
Login:
@@ -77,9 +87,3 @@ The default PAM configuration on most Linux systems uses the local password data
PAM can also be configured to use different backends like LDAP. In a production environment, PAM configuration should use the service name ("arvados" by default) to set a separate policy for Arvados logins: generally, Arvados users should not have shell accounts on the controller node.
For information about configuring PAM, refer to the "PAM System Administrator's Guide":http://www.linux-pam.org/Linux-PAM-html/Linux-PAM_SAG.html.
-
-h2(#sso). Separate single-sign-on (SSO) server
-
-With this configuration, Arvados passes off authentication to a separate SSO server that supports Google, LDAP, and a local password database.
-
-See "Install the Single Sign On (SSO) server":install-sso.html
diff --git a/lib/config/config.default.yml b/lib/config/config.default.yml
index e24845889..a25b1f610 100644
--- a/lib/config/config.default.yml
+++ b/lib/config/config.default.yml
@@ -633,12 +633,12 @@ Clusters:
UsernameAttribute: uid
SSO:
- # Authenticate with a separate SSO server.
+ # Authenticate with a separate SSO server. (Deprecated)
Enable: false
# ProviderAppID and ProviderAppSecret are generated during SSO
# setup; see
- # https://doc.arvados.org/install/install-sso.html#update-config
+ # https://doc.arvados.org/v2.0/install/install-sso.html#update-config
ProviderAppID: ""
ProviderAppSecret: ""
diff --git a/lib/config/generated_config.go b/lib/config/generated_config.go
index df08dd00e..639247216 100644
--- a/lib/config/generated_config.go
+++ b/lib/config/generated_config.go
@@ -639,12 +639,12 @@ Clusters:
UsernameAttribute: uid
SSO:
- # Authenticate with a separate SSO server.
+ # Authenticate with a separate SSO server. (Deprecated)
Enable: false
# ProviderAppID and ProviderAppSecret are generated during SSO
# setup; see
- # https://doc.arvados.org/install/install-sso.html#update-config
+ # https://doc.arvados.org/v2.0/install/install-sso.html#update-config
ProviderAppID: ""
ProviderAppSecret: ""
commit 3198e16b3e7ae214a2e739c1676d7550c5e6209c
Author: Tom Clegg <tom at tomclegg.ca>
Date: Wed May 13 13:47:37 2020 -0400
15881: Enable docker tests, unless -short mode.
Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tom at tomclegg.ca>
diff --git a/lib/controller/localdb/login_ldap_docker_test.go b/lib/controller/localdb/login_ldap_docker_test.go
index 2f0d22075..bf37409f6 100644
--- a/lib/controller/localdb/login_ldap_docker_test.go
+++ b/lib/controller/localdb/login_ldap_docker_test.go
@@ -2,19 +2,20 @@
//
// SPDX-License-Identifier: AGPL-3.0
-// Skip this slow test unless invoked as "go test -tags docker".
-// +build docker
-
package localdb
import (
"os"
"os/exec"
+ "testing"
check "gopkg.in/check.v1"
)
func (s *LDAPSuite) TestLoginLDAPViaPAM(c *check.C) {
+ if testing.Short() {
+ c.Skip("skipping docker test in short mode")
+ }
cmd := exec.Command("bash", "login_ldap_docker_test.sh")
cmd.Stdout = os.Stderr
cmd.Stderr = os.Stderr
@@ -24,6 +25,9 @@ func (s *LDAPSuite) TestLoginLDAPViaPAM(c *check.C) {
}
func (s *LDAPSuite) TestLoginLDAPBuiltin(c *check.C) {
+ if testing.Short() {
+ c.Skip("skipping docker test in short mode")
+ }
cmd := exec.Command("bash", "login_ldap_docker_test.sh")
cmd.Stdout = os.Stderr
cmd.Stderr = os.Stderr
commit e7e1b1114a550b462d73f3887074799b6b6e5e66
Author: Tom Clegg <tom at tomclegg.ca>
Date: Wed May 13 13:45:11 2020 -0400
15881: Update config keys.
Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tom at tomclegg.ca>
diff --git a/doc/install/install-sso.html.textile.liquid b/doc/install/install-sso.html.textile.liquid
index 72d4ed13a..c3e1947b4 100644
--- a/doc/install/install-sso.html.textile.liquid
+++ b/doc/install/install-sso.html.textile.liquid
@@ -56,8 +56,10 @@ h2(#update-config). Update config.yml
SSO:
ExternalURL: auth.ClusterID.example.com
Login:
- ProviderAppID: "arvados-server"
- ProviderAppSecret: $app_secret
+ SSO:
+ Enable: true
+ ProviderAppID: "arvados-server"
+ ProviderAppSecret: $app_secret
</pre>
Generate @ProviderAppSecret@:
diff --git a/services/api/config/arvados_config.rb b/services/api/config/arvados_config.rb
index c4f89e13c..7dc648100 100644
--- a/services/api/config/arvados_config.rb
+++ b/services/api/config/arvados_config.rb
@@ -37,8 +37,8 @@ EOS
# Real values will be copied from globals by omniauth_init.rb. For
# now, assign some strings so the generic *.yml config loader
# doesn't overwrite them or complain that they're missing.
- Rails.configuration.Login["ProviderAppID"] = 'xxx'
- Rails.configuration.Login["ProviderAppSecret"] = 'xxx'
+ Rails.configuration.Login["SSO"]["ProviderAppID"] = 'xxx'
+ Rails.configuration.Login["SSO"]["ProviderAppSecret"] = 'xxx'
Rails.configuration.Services["SSO"]["ExternalURL"] = '//xxx'
WARNED_OMNIAUTH_CONFIG = true
end
diff --git a/services/api/config/initializers/omniauth_init.rb b/services/api/config/initializers/omniauth_init.rb
index 5610999a9..5557be1dc 100644
--- a/services/api/config/initializers/omniauth_init.rb
+++ b/services/api/config/initializers/omniauth_init.rb
@@ -9,14 +9,14 @@
if defined? CUSTOM_PROVIDER_URL
Rails.logger.warn "Copying omniauth from globals in legacy config file."
- Rails.configuration.Login["ProviderAppID"] = APP_ID
- Rails.configuration.Login["ProviderAppSecret"] = APP_SECRET
+ Rails.configuration.Login["SSO"]["ProviderAppID"] = APP_ID
+ Rails.configuration.Login["SSO"]["ProviderAppSecret"] = APP_SECRET
Rails.configuration.Services["SSO"]["ExternalURL"] = CUSTOM_PROVIDER_URL
else
Rails.application.config.middleware.use OmniAuth::Builder do
provider(:josh_id,
- Rails.configuration.Login["ProviderAppID"],
- Rails.configuration.Login["ProviderAppSecret"],
+ Rails.configuration.Login["SSO"]["ProviderAppID"],
+ Rails.configuration.Login["SSO"]["ProviderAppSecret"],
Rails.configuration.Services["SSO"]["ExternalURL"])
end
OmniAuth.config.on_failure = StaticController.action(:login_failure)
diff --git a/tools/arvbox/lib/arvbox/docker/cluster-config.sh b/tools/arvbox/lib/arvbox/docker/cluster-config.sh
index ed4795d1c..dbcbc913c 100755
--- a/tools/arvbox/lib/arvbox/docker/cluster-config.sh
+++ b/tools/arvbox/lib/arvbox/docker/cluster-config.sh
@@ -139,8 +139,9 @@ Clusters:
DefaultReplication: 1
TrustAllContent: true
Login:
- ProviderAppSecret: $sso_app_secret
- ProviderAppID: arvados-server
+ SSO:
+ ProviderAppSecret: $sso_app_secret
+ ProviderAppID: arvados-server
Users:
NewUsersAreActive: true
AutoAdminFirstUser: true
commit 0780fdfbd08ca817ffeabc88b46f39130ac1e6c4
Author: Tom Clegg <tom at tomclegg.ca>
Date: Wed May 13 13:45:00 2020 -0400
15881: Fail faster on config error.
Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tom at tomclegg.ca>
diff --git a/lib/controller/localdb/login_ldap.go b/lib/controller/localdb/login_ldap.go
index 373b11324..6c430d69b 100644
--- a/lib/controller/localdb/login_ldap.go
+++ b/lib/controller/localdb/login_ldap.go
@@ -38,6 +38,9 @@ func (ctrl *ldapLoginController) UserAuthenticate(ctx context.Context, opts arva
conf := ctrl.Cluster.Login.LDAP
errFailed := httpserver.ErrorWithStatus(fmt.Errorf("LDAP: Authentication failure (with username %q and password)", opts.Username), http.StatusUnauthorized)
+ if conf.SearchAttribute == "" {
+ return arvados.APIClientAuthorization{}, errors.New("config error: SearchAttribute is blank")
+ }
if opts.Password == "" {
log.WithField("username", opts.Username).Error("refusing to authenticate with empty password")
return arvados.APIClientAuthorization{}, errFailed
@@ -89,10 +92,6 @@ func (ctrl *ldapLoginController) UserAuthenticate(ctx context.Context, opts arva
}
}
- if conf.SearchAttribute == "" {
- return arvados.APIClientAuthorization{}, errors.New("config error: must provide SearchAttribute")
- }
-
search := fmt.Sprintf("(%s=%s)", ldap.EscapeFilter(conf.SearchAttribute), ldap.EscapeFilter(username))
if conf.SearchFilters != "" {
search = fmt.Sprintf("(&%s%s)", conf.SearchFilters, search)
-----------------------------------------------------------------------
hooks/post-receive
--
More information about the arvados-commits
mailing list