Spinnaker UI security (OAuth2.0) with Azure Kubernetes throws error - spinnaker

I have installed Spinnaker on Azure Kubernetes (inside a Docker container) and am accessing the Spinnaker UI with an external public IP and port (configured 2 load balancers):
http://externalIP:9000.
I am trying to configure OAuth2.0 for the Spinnaker UI, following this link:
https://www.spinnaker.io/setup/security/authentication/oauth/
Steps done:
In Azure, created a client secret and client ID, and passed the redirect URL as http://externalIP:9000
On Spinnaker, configured and enabled OAuth with the following steps:
CLIENT_ID=myClientId
CLIENT_SECRET=myClientSecret
PROVIDER=google|github|azure
hal config security authn oauth2 edit \
--client-id $CLIENT_ID \
--client-secret $CLIENT_SECRET \
--provider $PROVIDER
hal config security authn oauth2 enable
Now if I try to access the Spinnaker UI at http://externalIP:9000 and look at the access logs in the Chrome browser, it says user not found.
What more configuration is required?
I should be able to access the Spinnaker UI and it should ask for login.

Yeah, the problem is that you must choose a specific provider, then apply the configs.
CLIENT_ID="myClientId"
CLIENT_SECRET="myClientSecret"
PROVIDER="azure"
hal config security authn oauth2 edit \
--client-id $CLIENT_ID \
--client-secret $CLIENT_SECRET \
--provider $PROVIDER
hal config security authn oauth2 enable
hal deploy apply
Then it should work. Check the logs.

Related

Guide on how to setup authentication via Azure ADFS for an application running on Tomcat

We have an application running on Tomcat currently, using LDAP as the means to authenticate users against our enterprise AD.
It is required to migrate this application to the cloud (on AWS EC2) and to integrate with ADFS over SAML for login with MFA enabled.
Wondering if there are any guides on the steps to be followed to make this happen? What are the configurations that I need to enable in ADFS for my application, and what configuration changes are needed in the Tomcat server.xml to have the connector integrate with ADFS rather than LDAP? Thanks.
Regards,
Raunak
Not a Tomcat guru but from the point of view of ADFS and SAML:
You need to use a client-side SAML stack in your application. This provides the SAML plumbing.
You then need to add a SAML RP to ADFS.
For MFA, typically you use Azure AD to provide the MFA.
(There used to be an on-premises ADFS MFA Server - that is now deprecated).
If that is not an option, there are third-party providers.

How to do IP restriction for clients in the Keycloak admin console

I defined a client in the Keycloak admin console to authorize it with the client_credentials flow to call a server-to-server API in my application. Everything is fine; I want to apply an IP restriction for that client.
Where can I define this restriction in the admin console? I didn't find such a configuration in the Keycloak documentation.
There are no such settings out of the box, but you could try to implement a custom client authenticator. So, for example, the allowed IP address could be stored in client attributes, and your authenticator implementation will check the incoming request against the specified IP address. See the "Server Development" section in the Keycloak documentation. You can also refer to the Keycloak GitHub repo for implementation examples and guides. Start from
https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/authentication/authenticators/client/ClientIdAndSecretAuthenticator.java
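One shape the custom client authenticator described in the answer could take, written as an added example here (not Keycloak's code and not from the answer), extending the ClientIdAndSecretAuthenticator linked above; the attribute name, provider id and the exact-match IP policy are assumptions:

```java
import java.util.Arrays;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.ClientAuthenticationFlowContext;
import org.keycloak.authentication.FlowStatus;
import org.keycloak.authentication.authenticators.client.ClientIdAndSecretAuthenticator;
import org.keycloak.models.ClientModel;

/**
 * Client authenticator that keeps Keycloak's built-in client-id/secret
 * check and additionally requires the caller's source IP to appear in
 * an allow-list stored as a client attribute (attribute name below is
 * an assumption). Register the class through
 * META-INF/services/org.keycloak.authentication.ClientAuthenticatorFactory
 * and pick it as the client's "Client Authenticator" in the admin console.
 */
public class IpRestrictedClientSecretAuthenticator extends ClientIdAndSecretAuthenticator {

    public static final String PROVIDER_ID = "client-secret-ip-restricted";
    /** Comma-separated allow-list, e.g. "10.0.1.5,10.0.1.6" (constructed sample). */
    public static final String ALLOWED_IPS_ATTR = "allowed-ip-addresses";

    @Override
    public void authenticateClient(ClientAuthenticationFlowContext context) {
        super.authenticateClient(context);   // resolves the client and validates its secret
        if (context.getStatus() != FlowStatus.SUCCESS) {
            return;                          // secret check already failed; keep that outcome
        }
        ClientModel client = context.getClient();
        // Behind a reverse proxy this is the proxy's address unless forwarded headers are trusted.
        String remoteAddr = context.getConnection().getRemoteAddr();
        if (!isAllowed(client.getAttribute(ALLOWED_IPS_ATTR), remoteAddr)) {
            // Same error as a bad secret, so callers cannot tell which check failed.
            context.failure(AuthenticationFlowError.INVALID_CLIENT_CREDENTIALS, null);
        }
    }

    /** Exact-match allow-list. Fails closed: a client with no list configured is rejected. */
    static boolean isAllowed(String allowList, String remoteAddr) {
        if (allowList == null || allowList.trim().isEmpty() || remoteAddr == null) {
            return false;
        }
        return Arrays.stream(allowList.split(",")).map(String::trim).anyMatch(remoteAddr::equals);
    }

    @Override public String getId() { return PROVIDER_ID; }
    @Override public String getDisplayType() { return "Client Id and Secret (IP restricted)"; }
    @Override public String getHelpText() { return "Validates the client secret and restricts callers to the IPs in the " + ALLOWED_IPS_ATTR + " client attribute."; }
}
```

Set the attribute on the client in the admin console, and make sure Keycloak sees the real caller address (proxy forwarded-header handling) or the check will compare against the proxy's IP.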

Is it possible to enable client certificate authentication in EKS?

Searching the Internet, I have seen that EKS only enables IAM authentication for IAM users.
Is it possible to configure client certificate authentication manually? I mean, create Kubernetes users and roles internally and not use IAM authentication.
Kubernetes supports several authentication modules, for example:
X509 client certificates
Service account tokens
OpenID Connect tokens
Webhook token authentication
Authenticating proxy, etc.
You can find more details regarding them in the official documentation.
However, Amazon EKS uses only one specific authentication method, an implementation of a webhook token authentication to authenticate Kube API requests. This webhook service is implemented by an open source tool called AWS IAM Authenticator, which has both client and server sides.
In short, the client sends a token (which includes the AWS IAM identity—user or role—making the API call) which is verified on the server-side by the webhook service.
So the answer to your question is: if you choose to use EKS you only have one authentication option which is IAM.
I hope it helps.

Spinnaker GKE oauth - User's info does not have all required fields

I'm trying to get my Spinnaker interface authenticated using this tutorial:
https://www.spinnaker.io/setup/quickstart/halyard-gke-public/
Prior to the tutorial, Spinnaker was confirmed up and running on http://localhost:9000. I have tried the following on 1.3.1, 1.4.1 and 1.4.2.
After editing/applying/enabling the Google security, I try the login and am successfully challenged with a Google login screen. Upon completing the two-factor auth, I am redirected as expected to http://localhost:8084/login, though I receive the following error:
{
"error": "Unauthorized",
"message": "Authentication Failed: User's info does not have all required fields.",
"status": 401,
"timestamp": 1506985726074
}
Here is a log of my setup steps:
kross@halyard:~$ hal config security authn oauth2 edit --provider google \
> --client-id $CLIENT_ID \
> --client-secret $CLIENT_SECRET \
> --user-info-requirements hd=$DOMAIN
+ Get current deployment
Success
+ Get authentication settings
Success
+ Edit oauth2 authentication settings
Success
Problems in default.security:
- WARNING Your UI or API domain does not have override base URLs
set even though your Spinnaker deployment is a Distributed deployment on a
remote cloud provider. As a result, you will need to open SSH tunnels against
that deployment to access Spinnaker.
? We recommend that you instead configure an authentication
mechanism (OAuth2, SAML2, or x509) to make it easier to access Spinnaker
securely, and then register the intended Domain and IP addresses that your
publicly facing services will be using.
+ Successfully edited oauth2 method.
kross@halyard:~$ hal config security authn oauth2 enable
+ Get current deployment
Success
+ Edit oauth2 authentication settings
Success
Problems in default.security:
- WARNING Your UI or API domain does not have override base URLs
set even though your Spinnaker deployment is a Distributed deployment on a
remote cloud provider. As a result, you will need to open SSH tunnels against
that deployment to access Spinnaker.
? We recommend that you instead configure an authentication
mechanism (OAuth2, SAML2, or x509) to make it easier to access Spinnaker
securely, and then register the intended Domain and IP addresses that your
publicly facing services will be using.
+ Successfully enabled oauth2
kross@halyard:~$ hal deploy apply
+ Get current deployment
Success
+ Apply deployment
Success
+ Deploy spin-clouddriver
Success
+ Deploy spin-front50
Success
+ Deploy spin-orca
Success
+ Deploy spin-deck
Success
+ Deploy spin-echo
Success
+ Deploy spin-gate
Success
+ Deploy spin-igor
Success
+ Deploy spin-rosco
Success
Problems in default.security:
- WARNING Your UI or API domain does not have override base URLs
set even though your Spinnaker deployment is a Distributed deployment on a
remote cloud provider. As a result, you will need to open SSH tunnels against
that deployment to access Spinnaker.
? We recommend that you instead configure an authentication
mechanism (OAuth2, SAML2, or x509) to make it easier to access Spinnaker
securely, and then register the intended Domain and IP addresses that your
publicly facing services will be using.
I'm not quite sure what to do with this. It seems I am authenticated, yet for some reason the required user fields are not allowed in the interaction.
I have reviewed spinnaker's authentication setup as well and repeatedly made a few changes and tested with a fresh incognito browser, yet no change.
Since the google provider is a packaged OAuth 2 provider with spinnaker, I'm confused as to what further configuration would be necessary, as I am not "bringing my own provider".
Where can I start looking next? Any references/pointers to documentation?
The problem is the --user-info-requirements hd=$DOMAIN argument. This is (generally) only needed if you're using a G Suite/Google Apps for Work account as your OAuth identity provider - it restricts login to only users in your domain. Otherwise, anyone with a valid @gmail account would be able to log in.
If you do use --user-info-requirements hd=$DOMAIN and the $DOMAIN specified is invalid, you will receive this error. Be sure to use the fully qualified domain name as the value.

Docker unable to perform login against SSO / Federation Services via Apache & Shibboleth modules

I have a private Docker registry sitting behind a secure instance of Apache / Ubuntu in Amazon cloud. Apache handles the corporate authentication via Shibboleth module (single-sign-on). So, using a web browser, there is no issue in searching and deleting container images in the registry after successful authentication. However, the command "docker login https://some.domain" including username, password and email from a different server just hangs and does not respond. Unfortunately, Apache, docker registry and shibboleth logs are not very helpful either even in debug mode.
I will be very keen to hear from anyone who has experience in securing a private docker registry via Apache & shibboleth where corporate enterprise IDs and SSO are required.
Shibboleth authentication via the Apache mod_shib module requires redirecting the end-user back to their home Identity Provider (IdP) where they will then be redirected back to the application's Service Provider (SP) with a valid session. This is a great pattern for fully-web-based applications, but this model can't be applied to command-line applications or applications that can't follow this model of web-based redirection.