Preauthentication filter #1883

Merged
merged 11 commits into from Aug 1, 2016


@tlots
Contributor
tlots commented Jun 7, 2016

Hi,

Thanks to the team for all of the work you’ve put into this project.

Here is a contribution towards preauthenticating with a reverse proxy; it works towards resolving #1229. Feedback is appreciated.

We are currently using https://github.com/bitly/oauth2_proxy to auth with Github and send a remote user and roles (as defined by teams) along to Rundeck. I’ve written a Spring filter that intercepts the request object at the beginning of the filter chain and modifies it to be sent along.

There are a number of manual configuration changes. Here are the steps we take for rundeck-launcher

  • Set rundeck.security.authorization.preauthenticated.enabled=true
  • Build the project
    $ ./gradlew clean build
  • Run jar with install option on (default)
    $ java -jar rundeck-launcher/launcher/build/libs/rundeck-launcher-2.6.8-SNAPSHOT.jar --install-only
  • Modify rundeck-launcher/launcher/build/libs/server/exp/webapp/WEB-INF/web.xml
    • Add the filter to the top of the filter chain.
<filter>
    <filter-name>AuthFilter</filter-name>
    <filter-class>com.dtolabs.rundeck.server.filters.AuthFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>AuthFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
    • Remove the auth-constraint element
<auth-constraint>
    <role-name>*</role-name>
</auth-constraint>
  • Run the jar again, this time use --skip-install to avoid overwriting the new web.xml

    $ java -jar rundeck-launcher/launcher/build/libs/rundeck-launcher-2.6.8-SNAPSHOT.jar --skipinstall

Improvements / todo,

  • Automate some of the manual configuration of web.xml above (we are doing it with our provisioning scripts).
  • Access preauthenticated.attributeName value to be set from config in AuthFilter.
  • Understanding and support of other use cases.
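As an added example, not the AuthFilter from this PR nor any code from the Rundeck project, here is a minimal servlet filter of the kind described above: it reads the user name and a comma-separated role list from headers the reverse proxy sets, wraps the request so the rest of the chain sees them through getRemoteUser()/isUserInRole(), and, since the web.xml auth-constraint is removed and this filter becomes the only gate, honours those headers only when a shared secret proves the request came from the proxy. The init-param names (preauth.*), the X-Preauth-Secret header and the default X-Forwarded-User / X-Forwarded-Roles header names are assumptions for this example. Roles are re-read on every request, so a role change upstream takes effect without a new session.

```java
package example.preauth; // hypothetical package for this example

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.stream.Collectors;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/** Illustrative header-based pre-authentication filter (example only). */
public class HeaderPreauthFilter implements Filter {

    // init-param names below are assumptions made for this example
    private boolean enabled;
    private String userHeader;   // header carrying the authenticated user name
    private String rolesHeader;  // header carrying a comma-separated role list
    private byte[] proxySecret;  // shared secret the proxy must present

    @Override
    public void init(FilterConfig cfg) {
        enabled = Boolean.parseBoolean(param(cfg, "preauth.enabled", "false"));
        userHeader = param(cfg, "preauth.attributeName", "X-Forwarded-User");
        rolesHeader = param(cfg, "preauth.rolesAttributeName", "X-Forwarded-Roles");
        String secret = param(cfg, "preauth.proxySecret", null);
        proxySecret = secret == null ? null : secret.getBytes(StandardCharsets.UTF_8);
    }

    private static String param(FilterConfig cfg, String name, String dflt) {
        String v = cfg.getInitParameter(name);
        return (v == null || v.isEmpty()) ? dflt : v;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (!enabled || !(req instanceof HttpServletRequest)) {
            chain.doFilter(req, res);
            return;
        }
        HttpServletRequest http = (HttpServletRequest) req;

        // Identity headers are trusted only when the caller proves it is the proxy;
        // without this check any client could set X-Forwarded-User directly.
        String presented = http.getHeader("X-Preauth-Secret"); // assumed header name
        boolean fromProxy = proxySecret != null && presented != null
                && MessageDigest.isEqual(proxySecret, presented.getBytes(StandardCharsets.UTF_8));
        String user = http.getHeader(userHeader);
        if (!fromProxy || user == null || user.isEmpty()) {
            chain.doFilter(req, res); // fall through to the container's normal handling
            return;
        }
        // Roles are parsed per request, so upstream changes apply to the live session.
        Set<String> roles = parseRoles(http.getHeader(rolesHeader));
        chain.doFilter(new PreauthRequest(http, user, roles), res);
    }

    /** Splits "a, b,,c" into an ordered, trimmed, de-duplicated set of role names. */
    static Set<String> parseRoles(String header) {
        if (header == null) return Collections.emptySet();
        return Arrays.stream(header.split(","))
                .map(String::trim)
                .filter(s -> !s.isEmpty())
                .collect(Collectors.toCollection(LinkedHashSet::new));
    }

    /** Wrapper that answers the servlet identity methods from the proxy-supplied values. */
    static final class PreauthRequest extends HttpServletRequestWrapper {
        private final String user;
        private final Set<String> roles;

        PreauthRequest(HttpServletRequest r, String user, Set<String> roles) {
            super(r);
            this.user = user;
            this.roles = roles;
        }

        @Override public String getRemoteUser() { return user; }
        @Override public Principal getUserPrincipal() { return () -> user; }
        @Override public boolean isUserInRole(String role) { return roles.contains(role); }
    }

    @Override public void destroy() { }
}
```

Registering it at the top of the filter chain with a `<filter-mapping>` on `/*`, as in the web.xml snippet above, makes the wrapped request visible to every downstream filter. The shared-secret check stands in for whatever proof of origin the deployment has (a private network between proxy and application, mutual TLS, or the proxy stripping client-supplied identity headers); whichever is used, the application must never accept these headers from an arbitrary client once the container's own auth-constraint has been removed.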
@gschueler
Contributor

So some ideas for the todos:

Automate some of the manual configuration of web.xml above (we are doing it with our provisioning scripts).

I would like to take that step out altogether. For the DisablingAdminServlet We add the servlet into the built web.xml to always be configured (via a grails plugin), yet it uses the Grails configs to determine whether it should actually do anything. If we added the AuthFilter that way, it would only require a config change to enable/disable it.

Access preauthenticated.attributeName value to be set from config in AuthFilter.

This can be done in the same way as DisablingAdminServlet.

@gschueler
Contributor

oops, the auth-constraint change would still be a manual step tho

tlots and others added some commits Jun 10, 2016
@tlots tlots Forward to oauth2_proxy logout URL after invalidating session ff13493
@kindlyseth kindlyseth Change log out redirect to use all of serverURL
... not just the host name.
3fb30f3
@tlots tlots Support for role / principal changes during active session, configuration switch
to bypass pre-auth filter per Rundeck team and reading in expected attributeName
from configuration.
d1f17ed
@tlots
Contributor
tlots commented Jun 29, 2016

@gschueler We've got the preauth enable/disable configuration logic written and in testing. I am assuming that writing a Grails plugin to inject the AuthFilter into the web.xml is the proper way to make that modification, is that correct?

@gschueler
Contributor

@tlots yes. Looking forward to it! 👍

tlots added some commits Jul 6, 2016
@tlots tlots Auth filter Grails plugin
Adds auth filter configuration to generated web.xml
740a3a5
@tlots tlots Configuration for logout redirect
Allow you to log out of a pre-auth source.
11ad299
@tlots
Contributor
tlots commented Jul 7, 2016

I've added a Grails plugin that modifies the web.xml to inject the AuthFilter, configuration for enabling and defining a redirect location which in our case is oauth2_proxy's logout endpoint, and intra-session updating of roles for the user from the upstream authentication system.

@gschueler
Contributor

very cool, do you have an example setup using oauth2_proxy you can share?

@cjpetrus
cjpetrus commented Jul 8, 2016

+1 for the example setup

@cjpetrus
cjpetrus commented Jul 9, 2016

@tlots please.... lol, I would love to see this PR get merged.

@tlots
Contributor
tlots commented Jul 10, 2016

Hi @gschueler and @cjpetrus, will be glad to share a full example as soon as it can be prepared. In the meantime, here are some notes to get you started:

We've done some work on oauth2_proxy to forward Github teams as roles. I plan on creating a PR to move those efforts upstream soon.
The fork is here - https://github.com/kindlyops/oauth2_proxy/commits/github-teams-tweaks

On the oauth2_proxy side,

  • Configuring pass-roles-header will pass the roles to Rundeck, which AuthFilter maps to REMOTE_USER_GROUPS.
  • Using cookie-refresh for the Github provider allows for role updates without the need for a new session; modifications were made to Rundeck's AuthorizationFilter to accommodate this enhancement.

In terms of Rundeck configuration,

  • The instructions in the top comment are mostly relevant with the following exceptions,
  • Configuration of a logout URL for the preauth method:
    rundeck.security.authorization.preauthenticated.redirectLogout=false
    rundeck.security.authorization.preauthenticated.redirectUrl=/oauth2/sign_in
  • Adding AuthFilter to web.xml has been automated
  • preauthenticated.attributeName is configurable
@cjpetrus
cjpetrus commented Jul 10, 2016 edited

@tlots, I'm using nginx in front of oauth2_proxy and passing a user's Google groups along to oauth2_proxy via an X-Forwarded-Roles header. Thank you for your work on this issue, the community appreciates it!

@tlots
Contributor
tlots commented Jul 14, 2016

I spoke with @cjpetrus elsewhere and he got it working on his own, but still wanted to share this gist of the two pertinent configuration files: https://gist.github.com/tlots/730a123054b9a737b78cf59661bd3274

@statik statik referenced this pull request in bitly/oauth2_proxy Jul 14, 2016
Open

Roles header with refresh configuration #277

@cjpetrus

@statik @tlots @gschueler I merged this PR onto my fork, all is well. I'm also using a flask call back in a container to send specific google groups headers over as roles. This allows me to setup an acl policy. I'll share my configuration when I get a chance.

@gschueler gschueler merged commit 121840f into rundeck:master Aug 1, 2016

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed
@gschueler gschueler added this to the 2.6.9 milestone Aug 1, 2016
@tlots tlots deleted the kindlyops:feature/auth branch Aug 2, 2016
@gschueler gschueler referenced this pull request Aug 11, 2016
Open

Oauth login module #2000

@donaldguy

I posted a gist here: https://gist.github.com/donaldguy/eaa99fb0d1f17c0576255c3cf3ffc7ea

for using https://github.com/grammarly/rocker to build a container containing the kindlyops fork of oauth2_proxy and running it with rundeck per the runtime configuration of https://github.com/jjethwa/rundeck

@tlots tlots restored the kindlyops:feature/auth branch Sep 30, 2016
@amontalban
Contributor

@cjpetrus would be awesome if you can share your config using Google groups as roles as I'm trying to do the same. Thanks in advance!

@Akhena
Akhena commented Dec 13, 2016

Hi everybody,

This feature is incredibly useful in some enterprise environments like ours. Thanks to this PR, we are now able to feed authentication to Rundeck from our existing reverse proxy.

We have now one last issue to sort out before being able to roll out the preauthentication version: API consumption, using API tokens.
What we tried is to generate an API token with an administrator account. But using that token when calling the API does not seem to work; we have zero authorizations.

When using the preauthentication scenario, how are API tokens supposed to work?

Any tip you could give us will be precious!
