
Deploy Auth Grove to login.nasqueron.org
Open, NormalPublic

Description

Will be the fount of authentication, to log in to other applications with one account.

Event Timeline

dereckson raised the priority of this task from to Normal.
dereckson updated the task description.
dereckson added a project: Auth Grove.
dereckson added a subscriber: dereckson.

Application name set to Auth Grove.

ASCII art logo possibilities could be found at P52.

dereckson renamed this task from Offer a login.nasqueron.org authentication service to Deploy Auth Grove to login.nasqueron.org. Apr 26 2015, 19:49
dereckson moved this task from Backlog to Epics & trackers on the Auth Grove board.

Docker image

I'm preparing rDGROVE with D375.

DNS

login.nasqueron.org. 86400 IN CNAME www3.nasqueron.org.

MySQL

Dwellers
$ mysql-acquisitariat-client 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 25258597
Server version: 5.7.11 MySQL Community Server (GPL)

Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> CREATE DATABASE login;
Query OK, 1 row affected (0.09 sec)

mysql> GRANT ALL PRIVILEGES ON login.* TO 'login'@'%' IDENTIFIED BY '…';
Query OK, 0 rows affected, 1 warning (0.25 sec)

Password stored in K67.

#!/bin/sh

# -------------------------------------------------------------
# Auth Grove
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Author: Sébastien Santoro aka Dereckson
# Project: Nasqueron
# Created: 2016-05-21
# Description: SSO for Nasqueron services.
# Image: nasqueron/auth-grove
# Services used: MySQL server (acquisitariat)
# Docker volume: /data/login/storage (STORAGE below)
# -------------------------------------------------------------

# -------------------------------------------------------------
# Container parameters
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

INSTANCE_NAME=login
PORT=25080
MYSQL_INSTANCE=acquisitariat
STORAGE=/data/login/storage
# Plain HTTP as deployed. A login service should be reached over TLS
# (https:// canonical URL), otherwise credentials and session cookies
# travel in clear text.
CANONICAL_URL=http://login.nasqueron.org

# -------------------------------------------------------------
# Database parameters
#
# Get credentials from zr (credential 67, the K67 entry above)
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

MYSQL_HOST=mysql
MYSQL_USER=$(ssh -4 -i /root/.ssh/id_zr zr@ysul.nasqueron.org getcredentials 67 username)
MYSQL_PASS=$(ssh -4 -i /root/.ssh/id_zr zr@ysul.nasqueron.org getcredentials 67)
MYSQL_DB=$INSTANCE_NAME

# -------------------------------------------------------------
# Run the container
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

# Checks container isn't running: an exit status below 2 from
# docker-container-status is treated as "a container of that name exists".
docker-container-status "$INSTANCE_NAME" > /dev/null
if [ "$?" -lt 2 ]; then
    echo "Container is already running."
    echo "To force relaunch, try docker stop $INSTANCE_NAME ; docker rm $INSTANCE_NAME ; $0"
    exit 1
fi

# Storage directory: SELinux label for container access, owned by the
# container's service user. This script prepares it but does not mount it
# into the container (there is no -v in the docker run below).
mkdir -p "$STORAGE"
chcon -Rt svirt_sandbox_file_t "$STORAGE"
chown 431:433 "$STORAGE"

# Database credentials are passed as environment variables: anyone who can
# run docker inspect on the host can read them.
docker run -t -d \
    --link "$MYSQL_INSTANCE:$MYSQL_HOST" \
    -p "$PORT:80" \
    -e DB_HOST="$MYSQL_HOST" \
    -e DB_DATABASE="$MYSQL_DB" \
    -e DB_USERNAME="$MYSQL_USER" \
    -e DB_PASSWORD="$MYSQL_PASS" \
    -e CANONICAL_URL="$CANONICAL_URL" \
    --name "$INSTANCE_NAME" nasqueron/auth-grove

echo "Deployment done at $(date)."
exit 0

Current status

Container is deployed; a procedure to spin up a new container or upgrade the code inside the current one is documented at http://agora.nasqueron.org/Operations_grimoire/Login.

Still to do

There is a minimal level of features still to implement to use it for Nasqueron.

Then, we'll need to link services to it.
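As an added example (not part of this task nor of the Auth Grove project), a pre-flight check for the deploy script's parameters. The script above runs docker run even when the ssh getcredentials lookup returns nothing, which would start the container with an empty DB_USERNAME and DB_PASSWORD instead of aborting, and its CANONICAL_URL is plain http. The function name preflight_deploy and the sample values are this example's own.

```shell
#!/bin/sh
# Added example: pre-flight validation of the deploy script's parameters,
# to run between the credential lookups and `docker run`.
# preflight_deploy and the sample values are hypothetical, not project code.

# preflight_deploy NAME PORT USER PASS URL
# Prints one line per problem found; returns the number of problems (0 = OK).
preflight_deploy() {
    name=$1; port=$2; user=$3; pass=$4; url=$5
    problems=0

    # Instance name: restricted to letters, digits and underscore, which both
    # `docker --name` and an unquoted MySQL database name accept.
    case "$name" in
        ''|*[!A-Za-z0-9_]*)
            echo "bad instance name: '$name'"; problems=$((problems + 1)) ;;
    esac

    # Host port: an integer in the unprivileged range.
    case "$port" in
        ''|*[!0-9]*)
            echo "port is not numeric: '$port'"; problems=$((problems + 1)) ;;
        *)
            if [ "$port" -lt 1024 ] || [ "$port" -gt 65535 ]; then
                echo "port out of range: $port"; problems=$((problems + 1))
            fi ;;
    esac

    # Credentials: a failed `ssh ... getcredentials` leaves these empty, and
    # the container would be started with DB_PASSWORD="".
    [ -n "$user" ] || { echo "empty MySQL user (credential lookup failed?)"; problems=$((problems + 1)); }
    [ -n "$pass" ] || { echo "empty MySQL password (credential lookup failed?)"; problems=$((problems + 1)); }

    # Canonical URL: a login service must be served over TLS, or passwords
    # and session cookies are sent in clear text.
    case "$url" in
        https://*) ;;
        http://*)
            echo "canonical URL is plain http: $url"; problems=$((problems + 1)) ;;
        *)
            echo "canonical URL is not a URL: '$url'"; problems=$((problems + 1)) ;;
    esac

    return "$problems"
}

# Usage in the deploy script, after the two ssh lookups and before docker run:
#   preflight_deploy "$INSTANCE_NAME" "$PORT" "$MYSQL_USER" "$MYSQL_PASS" "$CANONICAL_URL" || exit 1
```

The return value is the problem count, so the caller can abort on any non-zero status while the messages say which parameter to fix; with the values deployed on this task (plain http canonical URL) the check fails until the URL is switched to https.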

dereckson removed dereckson as the assignee of this task. Mar 8 2018, 21:07

Development moratorium

Per T1771, we're currently considering implementing Keycloak as a reference identity management and SSO login product.

This product exposes LDAP, OIDC (OpenID Connect) and SAML capabilities to authenticate users and applications. It seems to solve our main problems.

From there, it's not clear what we do with Auth Grove:

  • Scenario A. We drop it, and as users we directly interact with Keycloak. Development is discontinued.
  • Scenario B. Auth Grove is morphed into a front-end to use Keycloak: we expose current information, and interact with the Keycloak API (through a generic set of classes, to allow switching to another solution) to set credentials and metadata.
  • Scenario C. We use both Keycloak AND Auth Grove. We don't integrate with Keycloak at all, to stay independent and not vendor-locked.

While the T1771 evaluation is ongoing, a moratorium covers any development activities related to Auth Grove, with the obvious exception of security issues.
This moratorium covers this task fully or partly.