X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/607c3ded2ab3ad0c04ef2e3520ce1b507774dedb..feb290061b91fa059aefd251ed3c3532b32620ea:/doc/install/install-sso.html.textile.liquid diff --git a/doc/install/install-sso.html.textile.liquid b/doc/install/install-sso.html.textile.liquid index 1d433aedac..4d91b18c00 100644 --- a/doc/install/install-sso.html.textile.liquid +++ b/doc/install/install-sso.html.textile.liquid 
@@ -1,73 +1,106 @@ --- layout: default navsection: installguide -title: Install Single Sign On (SSO) server +title: Install the Single Sign On (SSO) server ... +{% comment %} +Copyright (C) The Arvados Authors. All rights reserved. -h2(#dependencies). Install dependencies +SPDX-License-Identifier: CC-BY-SA-3.0 +{% endcomment %} -h3(#install_ruby_and_bundler). Install git and curl +{% include 'notebox_begin_warning' %} +Skip this section if you are using Google login via @arvados-controller@. +{% include 'notebox_end' %} -{% include 'install_tools' %} +# "Install dependencies":#dependencies +# "Set up database":#database-setup +# "Update config.yml":#update-config +# "Configure the SSO server":#create-application-yml +# "Update Nginx configuration":#update-nginx +# "Install arvados-sso-server":#install-packages +# "Create arvados-server client record":#client +# "Restart the API server and controller":#restart-api -h3(#install_ruby_and_bundler). Install Ruby and Bundler +h2(#dependencies). Install dependencies -{% include 'install_ruby_and_bundler' %} +# "Install PostgreSQL":install-postgresql.html +# "Install Ruby and Bundler":ruby.html Important! The Single Sign On server only supports Ruby 2.3, to avoid version conflicts we recommend installing it on a different server from the API server. When installing Ruby, ensure that you get the right version by installing the "ruby2.3" package, or by using RVM with @--ruby=2.3@ +# "Install nginx":nginx.html +# "Install Phusion Passenger":https://www.phusionpassenger.com/library/walkthroughs/deploy/ruby/ownserver/nginx/oss/install_passenger_main.html -h3(#install_postgres). Install PostgreSQL +h2(#database-setup). Set up the database -{% include 'install_postgres' %} +{% assign service_role = "arvados_sso" %} +{% assign service_database = "arvados_sso_production" %} +{% assign use_contrib = false %} +{% include 'install_postgres_database' %} -h2(#install). Install SSO server +Now create @/etc/arvados/sso/database.yml@ -h3. 
Get SSO server code and run bundle +
+production: + adapter: postgresql + encoding: utf8 + database: arvados_sso_production + username: arvados_sso + password: $password + host: localhost + template: template0 +-
~$ cd $HOME # (or wherever you want to install)
-~$ git clone https://github.com/curoverse/sso-devise-omniauth-provider.git
-~$ cd sso-devise-omniauth-provider
-~/sso-devise-omniauth-provider$ bundle install --without=development
-
+ Services: + SSO: + ExternalURL: auth.ClusterID.example.com + Login: + ProviderAppID: "arvados-server" + ProviderAppSecret: $app_secret +-First, copy the example configuration file: +Generate @ProviderAppSecret@:
~/sso-devise-omniauth-provider$ cp -i config/application.yml.example config/application.yml
+~$ ruby -e 'puts rand(2**400).to_s(36)'
+zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
~/sso-devise-omniauth-provider$ ruby -e 'puts "#{rand(2**64).to_s(36)[0,5]}"'
-abcde
-
+production: + uuid_prefix: xxxxx + secret_token: zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz ++ +h3(#uuid_prefix). uuid_prefix + +Most of the time, you want this to be the same as your @ClusterID@. If not, generate a new one from the command line listed previously. h3(#secret_token). secret_token Generate a new secret token for signing cookies:
~/sso-devise-omniauth-provider$ ruby -e 'puts rand(2**400).to_s(36)'
+~$ ruby -e 'puts rand(2**400).to_s(36)'
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
~/sso-devise-omniauth-provider$ RAILS_ENV=production bundle exec rails console
-:001 > user = User.new(:email => "test@example.com")
+:001 > user = User.new(:email => "test@example.com")
:002 > user.password = "passw0rd"
:003 > user.save!
:004 > quit
# Google API tokens required for OAuth2 login.
google_oauth2_client_id: "---YOUR---CLIENT---ID---HERE--"-
google_oauth2_client_secret: "---YOUR---CLIENT---SECRET---HERE--"-
~/sso-devise-omniauth-provider$ ruby -e 'puts rand(2**128).to_s(36)'
-abcdefghijklmnopqrstuvwxyz012345689
-
server {
+ listen auth.ClusterID.example.com:443 ssl;
+ server_name auth.ClusterID.example.com;
-Create a new database user with permission to create its own databases.
+ ssl on;
+ ssl_certificate /YOUR/PATH/TO/cert.pem;
+ ssl_certificate_key /YOUR/PATH/TO/cert.key;
-
-~/sso-devise-omniauth-provider$ sudo -u postgres createuser --createdb --encrypted -R -S --pwprompt arvados_sso
-Enter password for new role: paste-database-password-you-generated
-Enter it again: paste-database-password-you-generated
-
+ root /var/www/arvados-sso/current/public;
+ index index.html;
-Configure SSO server to connect to your database by creating and updating @config/database.yml@. Replace the @xxxxxxxx@ database password placeholders with the new password you generated above.
+ passenger_enabled on;
-
-~/sso-devise-omniauth-provider$ cp -i config/database.yml.sample config/database.yml
-~/sso-devise-omniauth-provider$ edit config/database.yml
-
+ # If you are using RVM, uncomment the line below.
+ # If you're using system ruby, leave it commented out.
+ #passenger_ruby /usr/local/rvm/wrappers/default/ruby;
+}
+
+
+
+h2(#install-packages). Install arvados-sso-server package
-Create and initialize the database. If you are planning a production system, choose the @production@ rails environment, otherwise use @development@.
+h3. Centos 7
~/sso-devise-omniauth-provider$ RAILS_ENV=production bundle exec rake db:setup
-
# yum install arvados-sso-server
+
+
-Alternatively, if the database user you intend to use for the SSO server is not allowed to create new databases, you can create the database first and then populate it with rake. Be sure to adjust the database name if you are using the @development@ environment. This sequence of commands is functionally equivalent to the rake db:setup command above:
+h3. Debian and Ubuntu
~/sso-devise-omniauth-provider$ su postgres createdb arvados_sso_production -E UTF8 -O arvados_sso
-~/sso-devise-omniauth-provider$ RAILS_ENV=production bundle exec rake db:schema:load
-~/sso-devise-omniauth-provider$ RAILS_ENV=production bundle exec rake db:seed
-
# apt-get --no-install-recommends arvados-sso-server
+
+
-h2(#client). Create arvados-server client
+h2(#client). Create arvados-server client record
-Use @rails console@ to create a @Client@ record that will be used by the Arvados API server. The values of @app_id@ and @app_secret@ correspond to the @APP_ID@ and @APP_SECRET@ that must be set in in "Setting up Omniauth in the API server.":install-api-server.html#omniauth
+{% assign railshost = "" %}
+{% assign railsdir = "/var/www/arvados-sso/current" %}
+Use @rails console@ to create a @Client@ record that will be used by the Arvados API server. {% include 'install_rails_command' %}
+
+Enter the following commands at the console. The values that appear after you assign @app_id@ and @app_secret@ will be copied to @Login.ProviderAppID@ and @Login.ProviderAppSecret@ in @config.yml@.
~/sso-devise-omniauth-provider$ ruby -e 'puts rand(2**400).to_s(36)'
-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-~/sso-devise-omniauth-provider$ RAILS_ENV=production bundle exec rails console
-:001 > c = Client.new
+:001 > c = Client.new
:002 > c.name = "joshid"
:003 > c.app_id = "arvados-server"
-:004 > c.app_secret = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+:004 > c.app_secret = "the value of Login.ProviderAppSecret"
:005 > c.save!
:006 > quit
~/sso-devise-omniauth-provider$ RAILS_ENV=production bundle exec rake assets:precompile
+# systemctl restart nginx arvados-controller
~/sso-devise-omniauth-provider$ RAILS_ENV=production passenger start
-=============== Phusion Passenger Standalone web server started ===============
-...
-
-
-Note, if you get the following warning "you may safely ignore it:":https://stackoverflow.com/questions/10374871/no-secret-option-provided-to-racksessioncookie-warning
-
--Connecting to database specified by database.yml -App 4574 stderr: SECURITY WARNING: No secret option provided to Rack::Session::Cookie. -App 4574 stderr: This poses a security threat. It is strongly recommended that you -App 4574 stderr: provide a secret to prevent exploits that may be possible from crafted -App 4574 stderr: cookies. This will not be supported in future versions of Rack, and -App 4574 stderr: future versions will even invalidate your existing user cookies. -App 4574 stderr: -App 4574 stderr: Called from: /var/lib/gems/2.1.0/gems/actionpack-3.2.8/lib/action_dispatch/middleware/session/abstract_store.rb:28:in `initialize'. -App 4592 stdout: -
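Review bot: the Debian/Ubuntu install command added under `h3. Debian and Ubuntu` is missing its subcommand: `# apt-get --no-install-recommends arvados-sso-server` fails with an invalid-operation error, so it should read `apt-get install --no-install-recommends arvados-sso-server` (the CentOS line above it correctly uses `yum install`). Two smaller points in the same hunk. The added `config.yml` fragment sets `ExternalURL: auth.ClusterID.example.com` with no scheme, while the nginx server block added below it only listens on `auth.ClusterID.example.com:443 ssl`, so the value should be `https://auth.ClusterID.example.com` to match; in that same nginx block, `ssl on;` is redundant with the `ssl` parameter already on the `listen` line and has been deprecated since nginx 1.15.0, so it can be dropped. Finally, both secret generators kept in this hunk, `ruby -e 'puts rand(2**400).to_s(36)'` for `ProviderAppSecret` and again for `secret_token`, draw from Kernel#rand, which is a Mersenne Twister PRNG rather than a CSPRNG; since these values sign session cookies and authenticate the API server to the SSO server, the documented command should use the standard library's SecureRandom, for example `ruby -rsecurerandom -e 'puts SecureRandom.hex(32)'`, which is available on the Ruby 2.3 this page says the SSO server requires.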