feat(controller): Adding LDAP/AD auth support #3174
👍 this would be really useful
👍
@@ -136,6 +140,8 @@ | |||
'django.contrib.sites', | |||
'django.contrib.staticfiles', | |||
# Third-party apps | |||
'django_auth_ldap', | |||
'django_fsm', |
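Review bot: 'django_fsm' in this hunk is unrelated to LDAP support and, per the discussion on this thread, is no longer used by the controller; drop it so the hunk only adds 'django_auth_ldap' to INSTALLED_APPS.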
this shouldn't be here, right? :)
I'm not a Django expert; some people said it would be better if we put the module here, some don't. As a safety precaution I prefer to have it explicit. I can remove it if you think that's better. 👍
We don't use django_fsm any more, so it shouldn't be necessary. The only reason we keep it around is for legacy South migrations. Let's remove it so the module's not taking up precious resources when the server boots. django_auth_ldap should be kept though, of course.
Haha, I'm talking about django_auth_ldap in this list; the fsm probably came in from some merge I did and I had not noticed. I obviously do not use this module, sorry, I will remove it. 😄
looks good, but how do you replace the token auth with LDAP? I don't see any changes in /api/urls.py or in the views. As far as I can tell this doesn't actually replace the
@bacongobbler looks like the PR is modifying the authentication backend, which means token auth and API endpoints should work without any changes -- which is terrific. @phspagiari nice work, I look forward to seeing this merged! A few questions:
@bacongobbler as @gabrtv said, token auth and API endpoints work with LDAP or with the default auth without any changes. If you configure LDAP, /auth/login will try to log in via LDAP; if you don't configure it, Django will pass over the LDAP backend and try to log in with the other (default) backend. @gabrtv If all the LDAP values are left blank (not configured), Django will pass to the next auth backend and try to log in with it. At first I thought I would need an ugly if to add or remove the LDAP auth backend, but later I saw that Django does this automatically.
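The fall-through behaviour described in the comment above, as an added example that is not part of this PR, of Deis, or of django-auth-ldap: Django's `authenticate()` loop is re-implemented in a few lines and run against two hypothetical backends, with a constructed in-memory "directory" and "user table" standing in for a real LDAP server and the auth_user table. `LDAP_ENDPOINT` is assumed to be the setting the controller fills from etcd (empty when LDAP was never configured).

```python
"""Simulation of Django's AUTHENTICATION_BACKENDS fall-through with an
optional LDAP backend.  Added example, not Deis or django-auth-ldap code.
Django's own authenticate() is replaced by a minimal copy of its loop, and
the directory / user table are constructed in-memory dicts."""

# Constructed settings.  LDAP_ENDPOINT is assumed to come from confd/etcd
# and is the empty string when the operator never configured LDAP.
SETTINGS = {
    "LDAP_ENDPOINT": "",
    "AUTHENTICATION_BACKENDS": ["LDAPBackend", "ModelBackend"],
}

# Constructed stand-in for an LDAP server: username -> password.
FAKE_DIRECTORY = {"alice": "ldap-secret"}
# Constructed stand-in for Django's auth_user table: username -> password.
FAKE_USER_TABLE = {"bob": "local-secret"}


class LDAPBackend:
    """Hypothetical backend: returns None ("not me") when LDAP is not
    configured, so the caller moves on to the next backend in the list."""

    def authenticate(self, settings, username, password):
        if not settings["LDAP_ENDPOINT"]:
            return None                      # unconfigured: skip silently
        if FAKE_DIRECTORY.get(username) == password:
            return ("ldap", username)
        return None                          # bad credentials: also None


class ModelBackend:
    """Hypothetical stand-in for django.contrib.auth.backends.ModelBackend."""

    def authenticate(self, settings, username, password):
        if FAKE_USER_TABLE.get(username) == password:
            return ("model", username)
        return None


BACKENDS = {"LDAPBackend": LDAPBackend, "ModelBackend": ModelBackend}


def authenticate(settings, username, password):
    """Copy of the loop in django.contrib.auth.authenticate(): try each
    configured backend in order and return the first non-None user."""
    for name in settings["AUTHENTICATION_BACKENDS"]:
        user = BACKENDS[name]().authenticate(settings, username, password)
        if user is not None:
            return user
    return None


if __name__ == "__main__":
    # LDAP not configured: bob still logs in through the model backend.
    print(authenticate(SETTINGS, "bob", "local-secret"))
    # LDAP configured: alice comes from the directory, bob from the table.
    ldap_on = dict(SETTINGS, LDAP_ENDPOINT="ldap://ldap.example.internal")
    print(authenticate(ldap_on, "alice", "ldap-secret"))
    print(authenticate(ldap_on, "bob", "local-secret"))
```

The point to keep in mind when reviewing such a setup is the one the loop makes visible: a user unknown to LDAP is not rejected, it is handed to the next backend, so local accounts remain valid logins even after LDAP is switched on.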
Sounds good to me! 👍
@gabrtv I guess we'll just have to hope that django_auth_ldap doesn't make any critically breaking changes... Either that or we're gonna have to set up an LDAP server in the future to test updates ;)
@bacongobbler @gabrtv A question: I want to write documentation on how to use LDAP with Deis. What is the best way to do it? Put it together with this PR, or create another one after this PR is accepted?
I'd throw it into this PR so others can test LDAP support by building off your branch via http://docs.deis.io/en/latest/contributing/hacking/
I added the documentation 😄. I used the "Managing Deis" tree because I saw "Using a Proxy Server" there; I can move it if you guys prefer another place.
--------------------- | ||
|
||
========================================= ================================================================================= | ||
setting description |
This should be moved over to http://docs.deis.io/en/latest/customizing_deis/controller_settings/
I wrote this doc at controller_settings and moved it to a separate doc before. I think that since this is optional, it should be treated the same as the proxy settings. But if it's better on controller I can move it again.
Another thing: I mentioned some considerations in the docs about the admin user and disabling the default registration; it would be great if you guys gave your opinions on it.
👍 This would be useful...
Thanks for the contribution! Please ensure your commits follow our style guide. This code will be tested once a Deis maintainer reviews it.
just tested it, works like a charm
good to disable registration
doesn't work
core@coreos1 ~ $ deisctl config controller set registrationEnabled='False'
works
core@coreos1 ~ $ etcdctl set /deis/controller/registrationEnabled
@lorieri In the LDAP docs, disable_user_registration is referenced. The key registrationEnabled is boolean, not string. This changes the value in confd_settings.py L41.
@bacongobbler is there a reason confd_settings.py uses a "syntax" different from confd's default?
It's based on an older version of confd. 0.4.6, I believe. We're in the process of upgrading to 0.8 in #3361 |
I see.. and #3361 answered my doubt about why the
I was thinking more along the lines of it being enabled equivalent to this. In that example, if the user sets /deis/registry/smtpHost then the registry will send emails based on that config. IOW I agree
I went with the I made a rebase too. :) Let's test it again 👍
Sorry @phspagiari. This'll need another rebase as we just merged #3361 so you'll need to update the confd_settings.py template. |
@bacongobbler holy cow... this merge is just the confd update =( We were talking about this earlier... Ok, I will change everything to the new confd template version.
I saw the error; the problem is I don't know another way to do this: filterstr="(" + USER_FILTER + "=%(user)s)". The usual pythonic way to do this
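The concatenation in the comment above written the pythonic way, plus what the backend does with the `%(user)s` placeholder at login time, as an added example that is not code from this PR, from Deis, or from django-auth-ldap. `USER_FILTER` and the attribute name are assumptions standing in for whatever the controller reads from etcd; the escaping helper is an inline implementation of RFC 4515 filter escaping so the block runs without python-ldap installed.

```python
"""Building the LDAP user search filter without string concatenation and
substituting the username into it safely.  Added example, not Deis or
django-auth-ldap code; USER_FILTER is an assumed controller setting and the
escaping helper reimplements RFC 4515 escaping inline."""

# Assumed controller setting: the attribute the directory keys users on
# ("uid" is common for OpenLDAP, "sAMAccountName" for Active Directory).
USER_FILTER = "sAMAccountName"

# RFC 4515 escapes for characters that have meaning inside a filter.
# Backslash is handled by the same table, so it is escaped once, not twice.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_chars(value):
    """Escape a value placed inside an LDAP search filter, so a username such
    as 'x)(cn=*' cannot change the structure of the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter_template(user_attr):
    """Pythonic form of  "(" + USER_FILTER + "=%(user)s)":  the attribute
    name is interpolated now; %(user)s is left for the backend to fill in
    at login time (str.format ignores the % placeholder)."""
    return "({}=%(user)s)".format(user_attr)


def render_filter(template, username):
    """What actually goes to the directory: the template with the escaped
    username substituted for %(user)s."""
    return template % {"user": escape_filter_chars(username)}


if __name__ == "__main__":
    template = build_filter_template(USER_FILTER)
    print(template)                                   # (sAMAccountName=%(user)s)
    print(render_filter(template, "phspagiari"))      # (sAMAccountName=phspagiari)
    print(render_filter(template, "x)(cn=*"))         # (sAMAccountName=x\29\28cn=\2a)
```

The split between `build_filter_template` and `render_filter` mirrors the two moments at which the string is assembled: the attribute name is configuration chosen by the operator, while the username is untrusted input from the login form and must be escaped before it reaches the directory.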
Set up
you can also run
@bacongobbler Yes, I imagine that was a lint error first; I am fixing the two problems right now.
Sorry for my mistake, all fixed. EDIT:
$: venv/bin/pip install -q -r requirements.txt -r dev_requirements.txt
Could not find a tag or branch '7413317', assuming commit.
$:
Code LGTM. Thanks again @phspagiari! |
feat(controller): Adding LDAP/AD auth support
# AUTH | ||
# LDAP | ||
{{ if exists "/deis/controller/auth/ldap/endpoint" }} | ||
LDAP_ENDPOINT = '{{ if exists "/deis/controller/auth/ldap/endpoint" }}{{ getv "/deis/controller/auth/ldap/endpoint"}}{{ else }} {{ end }}' |
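Review bot: the inner `{{ if exists "/deis/controller/auth/ldap/endpoint" }}` on the LDAP_ENDPOINT line is redundant, since the line above already guards the block with the same `exists` check, and its else branch emits a single space, so an unset key would yield `' '` rather than the empty string. Inside the outer block this can simply be `LDAP_ENDPOINT = '{{ getv "/deis/controller/auth/ldap/endpoint" }}'`.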
I'd remove the whitespace between {{else}} and {{end}} so the end result is an empty string if the key's unset.
Oops, sorry I missed this comment before merging. Should we typo-commit the space change?
nah, it's not a huge issue. Everything will sort itself out once all ldap keys are set :)
small nit, but LGTM otherwise :)
Typo :( Thanks guys, I'm very happy to be contributing to Deis 😄
Thanks for pushing this one through, @phspagiari 🎈 |
This is the Pull Request for the proposal that we discussed at #3135, using the PoC in the gist.
I didn't write any tests because I imagine it's not good to have specific tests for auth with LDAP, so my opinion is that if the actual auth tests pass, it's good enough.
If that sounds good I will write a doc with the README content and create another PR.