
OpenShift behind reverse proxy (was) Re: OpenShift Authentication alternative options?



Awesome, the tricky bit was on the reverse proxy end as it was picky
about where it wanted to have the request headers set.

I then disabled the basic auth (on both broker and console) and
replaced them with a sane but useless check,

SetEnvIf X-Remote-User "(..*)" REMOTE_USER=$1

<IfVersion >= 2.4>
  Require env REMOTE_USER
</IfVersion>
<IfVersion < 2.4>
  Allow from env=REMOTE_USER
</IfVersion>

Everything is working great, the reverse proxy also lets me set a
logout URL along with external auth, eg.

<Location /logout>
    SetHandler form-logout-handler
    Session On
    SessionMaxAge 1
    SessionCookieName session path=/
</Location>

All is well, except rhc setup seems to switch to the broker directly
after the second query. As PRIVATE_BROKER is only set to respond to
the reverse proxy, that step fails. I also tried setting BROKER_URL
in /etc/openshift/broker.conf, but no luck:

DEBUG: Request GET https://REVERSE_PROXY/broker/rest/api
DEBUG: SSL Verification failed -- Using self signed cert
DEBUG:    code 200  156 ms
DEBUG: Server supports API versions 1.0, 1.1, 1.2, 1.3, 1.4, 1.5, 1.6
DEBUG:    Using API version 1.6
DEBUG: Client API version 1.6 is not current. Refetching API
DEBUG: Request GET https://REVERSE_PROXY/broker/rest/api
DEBUG:    code 200  150 ms
DEBUG: Getting user info
DEBUG: Request GET https://PRIVATE_BROKER/broker/rest/user

Thoughts?

On Tue, Jul 15, 2014 at 10:57 AM, Clayton Coleman <ccoleman redhat com> wrote:
> Sounds like passthrough is not working correctly - if you can, turn on apache logging in the broker and print the value of that header to the logs, to make sure it's making it from the console all the way to the broker
>
>> On Jul 14, 2014, at 8:40 PM, Andrew Lau <andrew andrewklau com> wrote:
>>
>>> On Tue, Jul 15, 2014 at 9:26 AM, Andrew Lau <andrew andrewklau com> wrote:
>>>
>>>> On 15/07/2014 12:31 am, "Brenton Leanhardt" <bleanhar redhat com> wrote:
>>>>
>>>> +++ Andrew Lau [14/07/14 23:57 +1000]:
>>>>
>>>>> Could anyone confirm which HEADER is required to pass through to the
>>>>> console if I stick a reverse proxy in front of it?
>>>>
>>>>
>>>> Is the reverse proxy handling auth?
>>>
>>> Yep. I am trying to put the auth on the reverse proxy and remove it from the
>>> openshift components.
>>>
>>>>
>>>>
>>>>>
>>>>> I've been playing around with mod_authnz_external combined with
>>>>> mod_auth_form, giving me a fully styled HTML login experience with the
>>>>> ability to integrate with other authentication backends very easily.
>>>>>
>>>>> The console seems to just want to save X-Remote-User,
>>>>>
>>>>> RewriteCond %{LA-U:REMOTE_USER} (.+)
>>>>> RewriteRule . - [E=RU:%1]
>>>>> RequestHeader set X-Remote-User "%{RU}e" env=RU
>>>>
>>>>
>>>> It's not obvious from looking at that configuration but there's no
>>>> special header required to be passed to the console.  That snippet is
>>>> actually using the value of REMOTE_USER set in the auth phase (by
>>>> whatever auth mechanism you choose) and is then setting a header that
>>>> the rails code will pass on to the Broker.
>>>>
>>>> Take a look at
>>>>
>>>> https://github.com/openshift/origin-server/blob/master/console/app/controllers/console/auth/remote_user.rb#L54.
>>>>
>>>> That code is why the setting used in that config file and the value
>>>> for REMOTE_USER_COPY_HEADERS in /etc/openshift/console.conf must
>>>> match.  I'm not entirely sure why it was done that way but hopefully
>>>> this helps.
>>>
>>> Thanks for some clarification. I was trying to pass through X-Remote-User
>>> wondering why it didn't pick up any headers.
>>
>> Well, I got it working to an extent. On the proxy:
>>
>> RewriteEngine On
>> RewriteRule .* - [E=PROXY_USER:%{LA-U:REMOTE_USER}]
>> RequestHeader set Proxy-User %{PROXY_USER}e
>>
>> Now for the login auth on the console,
>>
>> RewriteEngine On
>> RewriteCond %{HTTP:Proxy-user} ^(.*)$
>> RewriteRule .* - [E=RU:%1]
>> RequestHeader set X-Remote-User "%{RU}e" env=RU
>>
>> All works well with the login, "You are authenticated to the server
>> broker.example.net with the login test." But once I head over to
>> creating a new application, it gives the unauthenticated message
>> "The console was unable to authenticate you with the OpenShift
>> server." Is it passing through another config file again, or is
>> there another layer of authentication in play when it goes to
>> creating applications/modifying settings?
>>
>>>
>>>>
>>>>>
>>>>> I tried a few things like trying to pass the header through the
>>>>> proxypass, but they all seem to come back and give me a 'not
>>>>> authenticated' error from the console. It seems the console isn't
>>>>> receiving the headers from the proxy, or perhaps I'm just passing the
>>>>> wrong variable?
>>>>>
>>>>>
>>>>>
>>>>> On Sun, Jul 13, 2014 at 10:57 PM, Andrew Lau <andrew andrewklau com>
>>>>> wrote:
>>>>>>
>>>>>>
>>>>>> Oh that's cool!
>>>>>>
>>>>>> Now the bit when you were telling me your console was a release behind
>>>>>> makes sense :D
>>>>>>
>>>>>> Cheers!
>>>>>>
>>>>>> On Sun, Jul 13, 2014 at 10:45 PM, Mateus Caruccio
>>>>>> <mateus caruccio getupcloud com> wrote:
>>>>>>>
>>>>>>>
>>>>>>> We've implemented a simple login page in a separated branch:
>>>>>>>
>>>>>>> https://github.com/getupcloud/origin-server/blob/getup-openshift-origin-release-3/getup-console/app/views/authentication/signin.html.haml
>>>>>>>
>>>>>>>
>>>>>>> On Sat, Jul 12, 2014 at 10:49 PM, Andrew Lau <andrew andrewklau com>
>>>>>>> wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Sun, Jul 13, 2014 at 4:57 AM, Clayton Coleman <ccoleman redhat com>
>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> OpenShift Online implements a custom broker auth plugin in Rails to
>>>>>>>>> connect to our internal Red Hat authentication server (complex version of
>>>>>>>>> the mongo auth plugin).
>>>>>>>>>
>>>>>>>>> It has been a long standing goal to make the console cookie session
>>>>>>>>> aware, use an auth token as a session key, and to separate the login/logout
>>>>>>>>> function out into a separate, pluggable set of pages.  I started a branch a
>>>>>>>>> while back that took code from online and moved it up.  The challenge is
>>>>>>>>> that it would make mod_auth integration change slightly and I was hesitant
>>>>>>>>> to inflict that on downstream consumers.  I'll try to publish that branch so
>>>>>>>>> folks can see it.
>>>>>>>>>
>>>>>>>>> In a future revision of OpenShift we are considering moving the
>>>>>>>>> broker api to be 100% auth token based, and only allowing custom
>>>>>>>>> authentication (excluding client certs which are carried with https
>>>>>>>>> automatically) on a single endpoint - the POST /authorizations hook.  That
>>>>>>>>> would dramatically simplify the work to integrate for clients, but it's a
>>>>>>>>> somewhat large change.  Note that if we did this we'd introduce a new API
>>>>>>>>> version (the long awaited v2 API).  The console would then be forced to
>>>>>>>>> become auth token compatible and we'd have to split that out.  As part of
>>>>>>>>> that, it might be time to add a general auth component to Openshift
>>>>>>>>> (supporting oauth2 and multiple logins per user).
>>>>>>>>>
>>>>>>>>> Any other things folks want out of auth on Openshift?
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Awesome! Do you know if there is any hidden documentation on how the
>>>>>>>> current state of the mongo auth plugin for Openshift Origin works? It seems
>>>>>>>> to be an option for things like the puppet modules, but nothing about user
>>>>>>>> creation etc.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Jul 12, 2014, at 1:36 PM, Mateus Caruccio
>>>>>>>>> <mateus caruccio getupcloud com> wrote:
>>>>>>>>>
>>>>>>>>> At getupcloud we use a pretty standard django backend for
>>>>>>>>> authentication.
>>>>>>>>>
>>>>>>>>> Here is a snippet of our
>>>>>>>>> /var/www/openshift/broker/httpd/conf.d/openshift-origin-auth-remote-user.conf
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> WSGIPythonPath /var/www/html/getup/admin:/var/www/html/getup/.env/lib/python2.6/site-packages
>>>>>>>>> WSGIScriptAlias /getup /var/www/html/getup/admin/admin/wsgi.py
>>>>>>>>> ...
>>>>>>>>> <Location /broker>
>>>>>>>>>    AuthName "OpenShift Broker API"
>>>>>>>>>    AuthType Basic
>>>>>>>>>    AuthBasicProvider wsgi
>>>>>>>>>    WSGIAuthUserScript /var/www/html/getup/admin/admin/wsgi.py
>>>>>>>>>
>>>>>>>>>    Require valid-user
>>>>>>>>>
>>>>>>>>>    SetEnvIfNoCase Authorization Bearer passthrough
>>>>>>>>>
>>>>>>>>>    # The node->broker auth is handled in the Ruby code
>>>>>>>>>    BrowserMatchNoCase "^OpenShift" passthrough
>>>>>>>>>    BrowserMatchNoCase "^Java OpenShift" passthrough
>>>>>>>>>
>>>>>>>>>    Allow from env=passthrough
>>>>>>>>>
>>>>>>>>>    # Console traffic will hit the local port.  mod_proxy will set this header automatically.
>>>>>>>>>    SetEnvIf X-Forwarded-For "^$" local_traffic=1
>>>>>>>>>    # Turn the Console output header into the Apache environment variable for the broker remote-user plugin
>>>>>>>>>    SetEnvIf X-Remote-User "(..*)" REMOTE_USER=$1
>>>>>>>>>    Allow from env=local_traffic
>>>>>>>>>
>>>>>>>>>    Order Deny,Allow
>>>>>>>>>    Deny from all
>>>>>>>>>    Satisfy any
>>>>>>>>> </Location>
>>>>>>>> Looks very similar to how my mod_authnz_external attempt worked, but I
>>>>>>>> was using PHP and a remote API instead. How about the console aspect, the
>>>>>>>> concept of that popup login prompt feels so dated..
>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Mateus Caruccio
>>>>>>>>> Master of Puppets
>>>>>>>>> +55 (51) 8298.0026
>>>>>>>>> gtalk: mateus caruccio getupcloud com
>>>>>>>>> twitter: @MateusCaruccio
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Sat, Jul 12, 2014 at 8:54 AM, Andrew Lau <andrew andrewklau com>
>>>>>>>>> wrote:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Hi all,
>>>>>>>>>>
>>>>>>>>>> I've been experimenting with options to integrate openshift authentication
>>>>>>>>>> with other alternatives, plus add another option for that pesky missing
>>>>>>>>>> logout button that seems to be asked about a lot.
>>>>>>>>>>
>>>>>>>>>> I've so far found two methods, which 'should' work in theory. I
>>>>>>>>>> haven't tested it on an openshift install yet, so let me throw some
>>>>>>>>>> ideas in the pit:
>>>>>>>>>>
>>>>>>>>>> - Using mod_authnz_external, it's possible to query a php/perl/python
>>>>>>>>>> file for a simple exit (0) or exit (1). The script could query a
>>>>>>>>>> remote API or database, easy enough and works well. I've used this for
>>>>>>>>>> MySQL queries before, Redmine, etc. It works, but sometimes has some
>>>>>>>>>> weird selinux issues depending on the backend. For most cases with
>>>>>>>>>> querying a PHP file, it works great!
>>>>>>>>>>
>>>>>>>>>> - Using httpd24, mod_auth_form is an option. Pretty much, it allows
>>>>>>>>>> you to create a fully styled HTML form which can do a POST for
>>>>>>>>>> user/password. The way I could see this working is creating a
>>>>>>>>>> dedicated 'authserver' which would accept these auths and then reverse
>>>>>>>>>> proxy that over the openshift broker, short of modifying all of the
>>>>>>>>>> config to work with httpd24.
>>>>>>>>>>
>>>>>>>>>> Both seem to support a 'logout derivative', i.e.,
>>>>>>>>>>
>>>>>>>>>> http://httpd.apache.org/docs/current/mod/mod_auth_form.html#authformlogoutlocation
>>>>>>>>>>
>>>>>>>>>> If I understand correctly, as openshift origin relies on httpd to do
>>>>>>>>>> auth, we don't have to create users? Previously when using kerberos, I
>>>>>>>>>> never had to register user accounts. I assume that would be the same
>>>>>>>>>> for these methods.
>>>>>>>>>>
>>>>>>>>>> Alternatively, any hints on how the production deployments like
>>>>>>>>>> getupcloud and rh's openshift are doing it?
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>> Andrew
>>>>>>>>>>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> dev mailing list
>>>>>>>>>> dev lists openshift redhat com
>>>>>>>>>> http://lists.openshift.redhat.com/openshiftmm/listinfo/dev

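Every broker-side variant in this thread (the "sane but useless check" of SetEnvIf X-Remote-User "(..*)" REMOTE_USER=$1 followed by Require env REMOTE_USER, and the Allow from env=local_traffic variant in the getupcloud config) turns a request header into the authenticated user, so whoever can deliver a request with that header to the broker listener is whoever the header says. The following is an added example, not code from the thread or from OpenShift, that models the two halves of the chain in Python: the reverse proxy dropping any client-supplied X-Remote-User before asserting the identity it authenticated itself, and the broker honouring the header only when the TCP peer is the proxy. The header-only check is kept alongside for comparison. TRUSTED_PROXIES, the addresses, user names and header values are constructed for the demonstration.

```python
"""Trust chain for the X-Remote-User header, modelled in Python.

Added example; not code from the thread or from OpenShift.  The proxy
address, user names and header values are constructed for the demonstration.
"""
import ipaddress
import re

# Constructed: the only address allowed to assert a user to the broker.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]

# Same pattern as the thread's SetEnvIf: at least one character, captured whole.
REMOTE_USER_PATTERN = re.compile(r"^(..*)$")

HEADER = "x-remote-user"


def header_value(headers, name):
    """Case-insensitive header lookup; returns None when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return None


def proxy_forward(client_headers, authenticated_user):
    """Headers the reverse proxy should send upstream.

    Any X-Remote-User the client sent is dropped (a browser must never be
    able to assert a user), and the header is set only from the identity the
    proxy itself authenticated.  Other headers pass through unchanged.
    """
    upstream = {k: v for k, v in client_headers.items() if k.lower() != HEADER}
    if authenticated_user:
        upstream["X-Remote-User"] = authenticated_user
    return upstream


def naive_authorize(headers):
    """The header-only check from the thread: SetEnvIf X-Remote-User "(..*)"
    REMOTE_USER=$1 followed by Require env REMOTE_USER.  It never looks at
    where the request came from, so any request carrying the header is
    accepted as that user.  Returns the user name or None."""
    value = header_value(headers, HEADER)
    if value is None:
        return None
    match = REMOTE_USER_PATTERN.match(value)
    return match.group(1) if match else None


def broker_authorize(remote_addr, headers, trusted_proxies=TRUSTED_PROXIES):
    """Hardened check: same header parsing, but the assertion is honoured only
    when the TCP peer is one of the trusted proxies.  Returns the user name to
    hand to the remote-user auth plugin, or None for a 401."""
    peer = ipaddress.ip_address(remote_addr)
    if not any(peer in net for net in trusted_proxies):
        return None
    return naive_authorize(headers)


if __name__ == "__main__":
    # Request arriving through the proxy: the browser tried to smuggle a
    # header, the proxy replaced it with the user it authenticated.
    upstream = proxy_forward({"X-Remote-User": "admin", "Accept": "*/*"}, "alice")
    print("via proxy  :", broker_authorize("10.0.0.5", upstream))    # alice
    # The same forged header sent straight to the broker listener.
    forged = {"X-Remote-User": "admin"}
    print("naive check:", naive_authorize(forged))                     # admin
    print("pinned     :", broker_authorize("203.0.113.9", forged))      # None
```

The Apache 2.4 counterpart of broker_authorize is to put Require env REMOTE_USER together with Require ip for the proxy's address inside a RequireAll block, and on the proxy to unset X-Remote-User early (RequestHeader unset with the early flag) before the rewrite rules that set it; those directives are an assumption about the reader's layout rather than something the thread shows, and on a broker that is firewalled so only the proxy can reach it they are defence in depth rather than the only barrier.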

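For the rhc symptom reported at the top of the thread (the API descriptor fetched through REVERSE_PROXY, then /broker/rest/user requested from PRIVATE_BROKER), the following added example, not code from the thread or from the rhc tool, audits rhc's DEBUG output: it lists every request whose host is not the proxy and flags the "SSL Verification failed" line, which records the client carrying on without verifying the server certificate. The sample output is constructed from the thread's excerpt; REVERSE_PROXY and PRIVATE_BROKER are the thread's own placeholder host names.

```python
"""Audit of rhc DEBUG output: which requests left the reverse proxy, and
whether TLS verification was skipped along the way.

Added example; not code from the thread or from rhc.  SAMPLE_DEBUG is
constructed from the thread's excerpt with its placeholder host names.
"""
import re
from urllib.parse import urlsplit

SAMPLE_DEBUG = """\
DEBUG: Request GET https://REVERSE_PROXY/broker/rest/api
DEBUG: SSL Verification failed -- Using self signed cert
DEBUG:    code 200  156 ms
DEBUG: Server supports API versions 1.0, 1.1, 1.2, 1.3, 1.4, 1.5, 1.6
DEBUG:    Using API version 1.6
DEBUG: Client API version 1.6 is not current. Refetching API
DEBUG: Request GET https://REVERSE_PROXY/broker/rest/api
DEBUG:    code 200  150 ms
DEBUG: Getting user info
DEBUG: Request GET https://PRIVATE_BROKER/broker/rest/user
"""

REQUEST_LINE = re.compile(r"^DEBUG:\s+Request (?P<method>[A-Z]+) (?P<url>\S+)")
TLS_UNVERIFIED = re.compile(r"SSL Verification failed", re.IGNORECASE)


def parse_requests(debug_output):
    """Return (line_no, method, host, path) for every request line.

    urlsplit().hostname lower-cases the host, so callers compare
    case-insensitively, as DNS does.
    """
    requests = []
    for line_no, line in enumerate(debug_output.splitlines(), start=1):
        match = REQUEST_LINE.match(line)
        if not match:
            continue
        parts = urlsplit(match.group("url"))
        requests.append((line_no, match.group("method"), parts.hostname, parts.path))
    return requests


def audit_debug(debug_output, proxy_host):
    """Findings for one rhc run.

    off_proxy      : requests that went to any host other than proxy_host,
                     i.e. traffic that bypassed the authenticating proxy.
    tls_unverified : True when rhc reported that certificate verification
                     failed and it continued anyway.
    """
    expected = proxy_host.lower()
    off_proxy = [
        req for req in parse_requests(debug_output)
        if (req[2] or "").lower() != expected
    ]
    tls_unverified = any(TLS_UNVERIFIED.search(line) for line in debug_output.splitlines())
    return {"off_proxy": off_proxy, "tls_unverified": tls_unverified}


if __name__ == "__main__":
    report = audit_debug(SAMPLE_DEBUG, "REVERSE_PROXY")
    for line_no, method, host, path in report["off_proxy"]:
        print(f"line {line_no}: {method} {host}{path} bypassed the proxy")
    if report["tls_unverified"]:
        print("rhc continued after a failed certificate check")
```

Pipe the output of an rhc run into audit_debug with the proxy's host name: an empty off_proxy list means every request stayed behind the proxy, and tls_unverified reminds you that a self-signed certificate on the proxy leaves the client unable to tell the proxy from anything else answering on that name.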