
Create solution for developer account authentication for services hosted in Cloud VPS
Closed, Resolved · Public

Description

There are a few services running on Cloud VPS, mostly cloud infrastructure related (such as metricsinfra alertmanager) but also just in generic projects (such as logstash-beta.wmcloud.org), that could benefit from being able to authenticate the user against the developer account database, in most cases requiring membership in some Cloud VPS project.

LDAP authentication directly is not allowed in WMCS for good reasons and according to @MoritzMuehlenhoff the production CAS SSO service shouldn't be used directly in WMCS for security/realm separation reasons. This task is to investigate and possibly implement an alternative solution (for example a separate CAS installation somewhere).

Event Timeline

Change 705624 had a related patch set uploaded (by Jbond; author: John Bond):

[operations/puppet@production] hiera cloud idp: Add the idp cloud as a service provider

https://gerrit.wikimedia.org/r/705624

Change 705624 merged by Jbond:

[operations/puppet@production] hiera cloud idp: Add the idp cloud as a service provider

https://gerrit.wikimedia.org/r/705624

Change 705625 had a related patch set uploaded (by Jbond; author: John Bond):

[operations/software/cas-overlay-template@master] WMCS branch: create a wmcs specific branch to add Delegated Authentication

https://gerrit.wikimedia.org/r/705625

Change 705657 had a related patch set uploaded (by Jbond; author: John Bond):

[operations/puppet@production] C:apereo_cas: Add ability to support delegated authenticators

https://gerrit.wikimedia.org/r/705657

Change 705660 had a related patch set uploaded (by Jbond; author: John Bond):

[operations/puppet@production] P:idp: update profile to support delegated authenticators

https://gerrit.wikimedia.org/r/705660

Change 705657 merged by Jbond:

[operations/puppet@production] C:apereo_cas: Add ability to support delegated authenticators

https://gerrit.wikimedia.org/r/705657

Change 705660 merged by Jbond:

[operations/puppet@production] P:idp: update profile to support delegated authenticators

https://gerrit.wikimedia.org/r/705660

We currently have a cloud version of idp which is mostly used for testing and development. This used to rely on a local ldap database as "LDAP authentication directly is not allowed in WMCS". However I have updated this idp instance so that it delegates authentication to the production idp server. As the idp server in cloud is currently configured to allow any service in *.wmcloud.org to authenticate against, there should be no further configuration required unless one is doing something a bit more advanced.

This configuration has the benefits that:

  • All authentication and direct access to the ldap database happens on the production idp servers.
  • The production idp server only talks to the cloud idp server, meaning updates to production will not be blocked on various cloud projects.
  • Cloud projects can get authentication to cloud services using developer account ldap credentials.

> such as logstash-beta.wmcloud.org

Logstash is one of the few services that are not currently working with IDP in production, so this one will not be easy.

Also worth pointing out the following debugging endpoint: https://idp-test-login.wmcloud.org/. This will dump all the headers/environment variables set by the mod_auth_cas module (look for the ones prefixed HTTP_X_CAS_).
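The task above only says that mod_auth_cas exposes the CAS attributes as HTTP_X_CAS_-prefixed environment variables and that most services want to require membership in a Cloud VPS project. The following is an added example, not code from this task or from the WMF puppet/cas-overlay repositories, of how a WSGI service on a *.wmcloud.org host could consume those variables and enforce project membership. The attribute names HTTP_X_CAS_UID and HTTP_X_CAS_MEMBEROF, the comma-separated group format and the project-<name> group naming are assumptions for illustration; the real names should be read off the idp-test-login dump before relying on them.

```python
"""
Added example (not from the task, WMF puppet or cas-overlay-template):
project-membership authorization for a WSGI service behind mod_auth_cas.

Assumptions (NOT taken from the task):
  * the authenticated uid arrives as HTTP_X_CAS_UID
  * group membership arrives as HTTP_X_CAS_MEMBEROF, comma separated
  * Cloud VPS project groups are named "project-<name>"
"""
from typing import Callable, Dict, Mapping, Optional, Tuple

CAS_PREFIX = "HTTP_X_CAS_"   # prefix named in the task; everything after it is the attribute


def cas_attributes(environ: Mapping[str, str]) -> Dict[str, str]:
    """Collect every HTTP_X_CAS_* variable, keyed by lower-cased attribute name."""
    return {k[len(CAS_PREFIX):].lower(): v
            for k, v in environ.items() if k.startswith(CAS_PREFIX)}


def project_member(environ: Mapping[str, str], project: str) -> Optional[str]:
    """Return the authenticated uid if the user belongs to `project`, else None.

    Only the CAS-set variables are consulted, never query strings or form data,
    so the decision rests on what the SSO layer asserted about the session.
    """
    attrs = cas_attributes(environ)
    uid = attrs.get("uid")                       # assumed attribute name
    if not uid:
        return None                              # no authenticated session at all
    groups = {g.strip() for g in attrs.get("memberof", "").split(",") if g.strip()}
    return uid if f"project-{project}" in groups else None   # assumed group naming


def require_project(project: str) -> Callable:
    """WSGI middleware factory: only members of `project` reach the wrapped app."""
    def wrap(app):
        def guarded(environ, start_response):
            uid = project_member(environ, project)
            if uid is None:
                start_response("403 Forbidden", [("Content-Type", "text/plain")])
                return [b"not a member of the required Cloud VPS project\n"]
            environ["wmcs.uid"] = uid            # hand the verified identity downstream (assumed key)
            return app(environ, start_response)
        return guarded
    return wrap


def hello(environ, start_response):
    """Minimal protected application: greets the verified uid."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"hello {environ['wmcs.uid']}\n".encode()]


def run(app: Callable, environ: Mapping[str, str]) -> Tuple[str, bytes]:
    """In-process WSGI driver returning (status, body) so the guard runs without a server."""
    captured: Dict[str, str] = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(dict(environ), start_response))
    return captured["status"], body


# Constructed sample environ, imitating what mod_auth_cas would hand to the app.
SAMPLE_ENVIRON = {
    "REQUEST_METHOD": "GET",
    "PATH_INFO": "/",
    "HTTP_X_CAS_UID": "jdoe",                                              # constructed
    "HTTP_X_CAS_MEMBEROF": "project-metricsinfra, project-deployment-prep",  # constructed
}

if __name__ == "__main__":
    app = require_project("metricsinfra")(hello)
    print(run(app, SAMPLE_ENVIRON))                      # ('200 OK', b'hello jdoe\n')
    print(run(require_project("tools")(hello), SAMPLE_ENVIRON))   # 403 for a non-member
```

The guard trusts the HTTP_X_CAS_ variables unconditionally, which is only sound when the Apache layer in front of the app sets them after CAS validation and does not pass through client-supplied copies of the same headers; the idp-test-login dump is the place to confirm which variables the module actually sets in this deployment.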

jbond triaged this task as Medium priority. Jul 20 2021, 1:16 PM

Change 705625 merged by Jbond:

[operations/software/cas-overlay-template@master] WMCS branch: create a wmcs specific branch to add Delegated Authentication

https://gerrit.wikimedia.org/r/705625

jbond claimed this task.

I think this is complete but please re-open if I missed something.