Docs: EXTERNAL_AUTH isn't documented #124

Closed
dmsimard opened this issue Apr 21, 2020 · 3 comments
@dmsimard
Contributor

What component is this about ?

Documentation

What is happening ?

There's no documentation for EXTERNAL_AUTH:

EXTERNAL_AUTH = settings.get("EXTERNAL_AUTH", False, "@bool")

What should be happening ?

There should be docs about it and how to use it.

@dmsimard dmsimard added the docs Related to the documentation label Apr 21, 2020
@viktorkrivak

viktorkrivak commented Apr 22, 2020

Hi, since I use this with Apache, I am adding a guide on how to set up ARA with Apache and mod_wsgi. The second part of the configuration won't work without the patch from #123.
Guide for apache and wsgi setup

apt install apache2 libapache2-mod-wsgi-py3
adduser --system --home /opt/ara ara
pip3 install ara[server] # install ara from pip git or somehow

Locate the ARA installation path (with pip: /usr/local/lib/python3.7/dist-packages/ara); this path will be referred to as ARA_ROOT.

sudo -u ara ara-manage migrate
sudo -u ara ara-manage createsuperuser
# settings will be generated in /opt/ara/.ara/server/settings.yaml
# make sure ALLOWED_HOSTS are correct

Apache config (replace $ARA_ROOT):

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    ServerName ara.example.com

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    WSGIScriptAlias / $ARA_ROOT/server/wsgi.py
    WSGIDaemonProcess ara user=ara group=www-data
    # Needed for internal auth
    WSGIPassAuthorization On

    <Location />
        Allow from all
        Order allow,deny
        Require all granted
        WSGIProcessGroup ara
    </Location>
</VirtualHost>

run

service apache2 restart

Guide for external auth:
This guide shows how to set up BasicAuth with passwords in a file. It is easy but doesn't make sense in a production environment. But with a little change it can be used with LDAP or anything else.

Add these lines to the ARA configuration:

  WRITE_LOGIN_REQUIRED: true
  READ_LOGIN_REQUIRED: true
  EXTERNAL_AUTH: true

Run these commands:

htpasswd -c /opt/ara/passwords admin
htpasswd /opt/ara/passwords ara_user

Note the missing -c in the second command. It means that the user will be appended to the file instead of creating a new file.
Apache configuration:

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    ServerName ara.example.com

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    WSGIScriptAlias / $ARA_ROOT/server/wsgi.py
    WSGIDaemonProcess ara user=ara group=www-data
        
    <Location />
        AuthName "api"
        AuthType Basic
        AuthBasicProvider file
        AuthUserFile "/opt/ara/passwords"
        Require valid-user
        Allow from all
        Order allow,deny
        WSGIProcessGroup ara
    </Location>
</VirtualHost>

If you also want a guide on how to set up ARA with LDAP, I can help too. My ultimate goal is to make this work in hybrid mode where people can use SSO with OIDC and Ansible can still use BasicAuth for data push. But it still needs some polishing.
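
An added check (not part of the comment above or of the ARA project) that lints a vhost like the two shown against the value of EXTERNAL_AUTH, including the fact that both vhosts listen on port 80 while Basic credentials are only base64-encoded. The function and finding names are hypothetical; it assumes one VirtualHost with one Location, and that with EXTERNAL_AUTH enabled ARA relies on Apache to authenticate the user.

```python
# Added example: lint one Apache vhost against ARA's EXTERNAL_AUTH setting.
# Assumes one <VirtualHost> with one <Location>; finding names are made up here.

# Constructed samples, trimmed from the two vhosts in the comment above.
INTERNAL_VHOST = """
<VirtualHost *:80>
    WSGIScriptAlias / $ARA_ROOT/server/wsgi.py
    WSGIPassAuthorization On
    <Location />
        Require all granted
        WSGIProcessGroup ara
    </Location>
</VirtualHost>
"""
EXTERNAL_VHOST = """
<VirtualHost *:80>
    WSGIScriptAlias / $ARA_ROOT/server/wsgi.py
    <Location />
        AuthType Basic
        AuthUserFile "/opt/ara/passwords"
        Require valid-user
        WSGIProcessGroup ara
    </Location>
</VirtualHost>
"""

def directives(conf):
    """Map lower-cased directive (or opening tag) name to its argument strings."""
    found = {}
    for line in conf.splitlines():
        line = line.strip().strip("<>")
        if line and not line.startswith(("#", "/")):
            name, _, args = line.partition(" ")
            found.setdefault(name.lower(), []).append(args.strip().lower())
    return found

def audit_vhost(conf, external_auth):
    """Return sorted finding names for a vhost, given ARA's EXTERNAL_AUTH value."""
    d = directives(conf)
    requires = d.get("require", [])
    findings = set()
    if external_auth and (not d.get("authtype") or not requires or "all granted" in requires):
        findings.add("apache-does-not-authenticate")  # ARA gets no user from Apache
    if not external_auth and "on" not in d.get("wsgipassauthorization", []):
        findings.add("authorization-header-not-passed")  # ARA's own auth sees no credentials
    plain_http = any(v.endswith(":80") for v in d.get("virtualhost", []))
    if "basic" in d.get("authtype", []) and plain_http:
        findings.add("basic-auth-over-http")  # Basic credentials are only base64-encoded
    return sorted(findings)
```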

@dmsimard
Contributor Author

Thank you @viktorkrivak, this is useful !

What comes to mind is that the ara_api role only supports gunicorn and nginx as the frontend so adding support for mod_wsgi would be nice even if just for integration test purposes.

For the bits specific to authentication, we could write about it in the security section: https://ara.readthedocs.io/en/latest/api-security.html

However, I think a refactor of the documentation is on the horizon -- it's been growing organically over time but it's a bit all over the place now.

I'll keep this issue open for now.

@dmsimard dmsimard added this to the 1.5 milestone Aug 13, 2020
arecordsansible pushed a commit that referenced this issue Aug 18, 2020
Related: #124

Change-Id: Ibad626c45b83a0333875d7e743ca090fcb1ea6fe
arecordsansible pushed a commit that referenced this issue Aug 18, 2020
Related: #124
Change-Id: I6e4a936b23796f0aa8b9f32c3f09e120177e0c77
@dmsimard
Contributor Author

Hey @keuko, I merged the docs patch and also added the setting to the default settings file with 0d8e4e8 so I think we're all set on this topic for the next release.

Thank you and @viktorkrivak for your help 🎉
