X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/8e74a5f22b14f26d33c89dadf42600d417094009..689f463bbd231fba8e32b6d46a963d0dacf0e509:/doc/install/install-sso.html.textile.liquid
diff --git a/doc/install/install-sso.html.textile.liquid b/doc/install/install-sso.html.textile.liquid
index 36d2599ea0..ca620f478a 100644
--- a/doc/install/install-sso.html.textile.liquid
+++ b/doc/install/install-sso.html.textile.liquid
@@ -1,114 +1,171 @@
---
layout: default
navsection: installguide
-title: Install Single Sign On (SSO) server
+title: Install the Single Sign On (SSO) server
...
-h2(#dependencies). Install dependencies
+h2(#dependencies). Install prerequisites
-h3(#install_ruby_and_bundler). Install git and curl
-
-{% include 'install_tools' %}
+The Arvados package repository includes an SSO server package that can help automate much of the deployment.
h3(#install_ruby_and_bundler). Install Ruby and Bundler
{% include 'install_ruby_and_bundler' %}
-h3(#install_postgres). Install PostgreSQL
+h3(#install_web_server). Set up a Web server
+
+For best performance, we recommend you use Nginx as your Web server frontend with a Passenger backend to serve the SSO server. The Passenger team provides "Nginx + Passenger installation instructions":https://www.phusionpassenger.com/library/walkthroughs/deploy/ruby/ownserver/nginx/oss/install_passenger_main.html.
-{% include 'install_postgres' %}
+Follow the instructions until you see the section that says you are ready to deploy your Ruby application on the production server.
-h2(#install). Install SSO server
+h2(#install). Install the SSO server
-h3. Get SSO server code and run bundle
+On a Debian-based system, install the following package:
~$ cd $HOME # (or wherever you want to install)
-~$ git clone https://github.com/curoverse/sso-devise-omniauth-provider.git
-~$ cd sso-devise-omniauth-provider
-~/sso-devise-omniauth-provider$ bundle install --without=development
-
~$ sudo apt-get install arvados-sso-server
+
+
-h2. Configure the SSO server
+On a Red Hat-based system, install the following package:
-First, copy the example configuration file:
+~$ sudo yum install arvados-sso-server
+
+~/sso-devise-omniauth-provider$ cp -i config/application.yml.example config/application.yml
-
/etc/arvados/sso/application.yml
+/etc/arvados/sso/database.yml
+/etc/arvados/sso/production.rb
+
+
+
+The SSO server runs from the @/var/www/arvados-sso/current/@ directory. The files @/var/www/arvados-sso/current/config/application.yml@, @/var/www/arvados-sso/current/config/database.yml@ and @/var/www/arvados-sso/current/config/environments/production.rb@ are symlinked to the configuration files in @/etc/arvados/sso/@.
-The SSO server reads the @config/application.yml@ file, as well as the @config/application.defaults.yml@ file. Values in @config/application.yml@ take precedence over the defaults that are defined in @config/application.defaults.yml@. The @config/application.yml.example@ file is not read by the SSO server and is provided for installation convenience, only.
+The SSO server reads the @config/application.yml@ file, as well as the @config/application.defaults.yml@ file. Values in @config/application.yml@ take precedence over the defaults that are defined in @config/application.defaults.yml@. The @config/application.yml.example@ file is not read by the SSO server and is provided for installation convenience only.
-Consult @config/application.default.yml@ for a full list of configuration options. Local configuration goes in @config/application.yml@, do not edit @config/application.default.yml@.
+Consult @config/application.default.yml@ for a full list of configuration options. Local configuration goes in @/etc/arvados/sso/application.yml@, do not edit @config/application.default.yml@.
h3(#uuid_prefix). uuid_prefix
-Generate a uuid prefix for the single sign on service. This prefix is used to identify user records as originating from this site. It must be exactly 5 alphanumeric characters (lowercase ASCII letters and digits). You may use the following snippet to generate a uuid prefix:
+Generate a uuid prefix for the single sign on service. This prefix is used to identify user records as originating from this site. It must be exactly 5 lowercase ASCII letters and/or digits. You may use the following snippet to generate a uuid prefix:
~/sso-devise-omniauth-provider$ ruby -e 'puts "#{rand(2**64).to_s(36)[0,5]}"'
+~$ ruby -e 'puts "#{rand(2**64).to_s(36)[0,5]}"'
abcde
~/sso-devise-omniauth-provider$ ruby -e 'puts rand(2**400).to_s(36)'
+~$ ruby -e 'puts rand(2**400).to_s(36)'
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
~$ sudo service postgresql start
+
+~$ sudo service postgresql initdb
+~$ sudo service postgresql start
+
+~$ sudo sed -i -e "s/127.0.0.1\/32 ident/127.0.0.1\/32 md5/" /var/lib/pgsql/data/pg_hba.conf
+~$ sudo sed -i -e "s/::1\/128 ident/::1\/128 md5/" /var/lib/pgsql/data/pg_hba.conf
+~$ sudo service postgresql restart
+
+~/sso-devise-omniauth-provider$ ruby -e 'puts rand(2**128).to_s(36)'
+~$ ruby -e 'puts rand(2**128).to_s(36)'
abcdefghijklmnopqrstuvwxyz012345689
~$ editor /etc/arvados/sso/database.yml
+
~/sso-devise-omniauth-provider$ sudo -u postgres createuser --createdb --encrypted -R -S --pwprompt arvados_sso
+~$ sudo -u postgres createuser --createdb --encrypted -R -S --pwprompt arvados_sso
Enter password for new role: paste-database-password-you-generated
Enter it again: paste-database-password-you-generated
~/sso-devise-omniauth-provider$ cp -i config/database.yml.example config/database.yml
-~/sso-devise-omniauth-provider$ edit config/database.yml
+~$ sudo -u postgres createuser --encrypted -R -S --pwprompt arvados_sso
+Enter password for new role: paste-database-password-you-generated
+Enter it again: paste-database-password-you-generated
+~$ sudo -u postgres createdb arvados_sso_production -E UTF8 -O arvados_sso -T template0
~/sso-devise-omniauth-provider$ RAILS_ENV=production bundle exec rake db:setup
-
~$ sudo dpkg-reconfigure arvados-sso-server
+
+
-Alternatively, if the database user you intend to use for the SSO server is not allowed to create new databases, you can create the database first and then populate it with rake. Be sure to adjust the database name if you are using the @development@ environment. This sequence of commands is functionally equivalent to the rake db:setup command above:
+On a Red Hat-based system, we need to reinstall the package instead:
~/sso-devise-omniauth-provider$ sudo -u postgres createdb arvados_sso_production -E UTF8 -O arvados_sso -T template0
-~/sso-devise-omniauth-provider$ RAILS_ENV=production bundle exec rake db:schema:load
-~/sso-devise-omniauth-provider$ RAILS_ENV=production bundle exec rake db:seed
-
~$ sudo yum reinstall arvados-sso-server
+
+
h2(#client). Create arvados-server client
-Use @rails console@ to create a @Client@ record that will be used by the Arvados API server. The values of @app_id@ and @app_secret@ correspond to the @APP_ID@ and @APP_SECRET@ that must be set in in "Setting up Omniauth in the API server.":install-api-server.html#omniauth
+Use @rails console@ to create a @Client@ record that will be used by the Arvados API server. The values of @app_id@ and @app_secret@ correspond to the values for @sso_app_id@ and @sso_app_secret@ in the "API server's SSO settings.":install-api-server.html#omniauth
~/sso-devise-omniauth-provider$ ruby -e 'puts rand(2**400).to_s(36)'
+~$ ruby -e 'puts rand(2**400).to_s(36)'
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-~/sso-devise-omniauth-provider$ RAILS_ENV=production bundle exec rails console
+~$ cd /var/www/arvados-sso/current
+/var/www/arvados-sso/current$ RAILS_ENV=production bundle exec rails console
:001 > c = Client.new
:002 > c.name = "joshid"
:003 > c.app_id = "arvados-server"
@@ -118,15 +175,56 @@ xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
~/sso-devise-omniauth-provider$ RAILS_ENV=production bundle exec rake assets:precompile
+server {
+ listen 127.0.0.1:8900;
+ server_name localhost-sso;
+
+ root /var/www/arvados-sso/current/public;
+ index index.html;
+
+ passenger_enabled on;
+ # If you're not using RVM, comment out the line below.
+ passenger_ruby /usr/local/rvm/wrappers/default/ruby;
+}
+
+upstream sso {
+ server 127.0.0.1:8900 fail_timeout=10s;
+}
+
+proxy_http_version 1.1;
+
+server {
+ listen [your public IP address]:443 ssl;
+ server_name auth.your.domain;
+
+ ssl on;
+ ssl_certificate /YOUR/PATH/TO/cert.pem;
+ ssl_certificate_key /YOUR/PATH/TO/cert.key;
+
+ index index.html;
+
+ location / {
+ proxy_pass http://sso;
+ proxy_redirect off;
+ proxy_connect_timeout 90s;
+ proxy_read_timeout 300s;
+
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ }
+}
~/sso-devise-omniauth-provider$ RAILS_ENV=production bundle exec rails console
+~$ RAILS_ENV=production bundle exec rails console
:001 > user = User.new(:email => "test@example.com")
:002 > user.password = "passw0rd"
:003 > user.save!
@@ -191,48 +289,23 @@ h3(#google). Google+ authentication
In order to use Google+ authentication, you must use the Google Developers Console to create a set of client credentials.
-# Go to the Google Developers Console and select or create a project; this will take you to the project page
-# On the sidebar, click on *APIs & auth* then select *APIs*
-## Search for "Contacts API" and click on "Enable API"
-## Search for "Google+ API" and click on "Enable API"
-# On the sidebar, click on *Credentials*; under *OAuth* click on "Create new Client ID" to bring up the "Create Client ID" dialog box
-# Under "Application type" select "Web application"
-# If the authorization origins are not displayed, clicking on "Create Client ID" will take you to *Consent screen* settings.
-## On consent screen settings, enter the appropriate details and click on "Save"
-## This will return you to the "Create Client ID" dialog box.
+# Go to the Google Developers Console and select or create a project; this will take you to the project page.
+# On the sidebar, click on *APIs & auth* then select *APIs*.
+## Search for *Contacts API* and click on *Enable API*.
+## Search for *Google+ API* and click on *Enable API*.
+# On the sidebar, click on *Credentials*; under *OAuth* click on *Create new Client ID* to bring up the *Create Client ID* dialog box.
+# Under *Application type* select *Web application*.
+# If the authorization origins are not displayed, clicking on *Create Client ID* will take you to *Consent screen* settings.
+## On consent screen settings, enter the appropriate details and click on *Save*.
+## This will return you to the *Create Client ID* dialog box.
# You must set the authorization origins. Edit @sso.your-site.com@ to the appropriate hostname that you will use to access the SSO service:
## JavaScript origin should be @https://sso.your-site.com/@
## Redirect URI should be @https://sso.your-site.com/users/auth/google_oauth2/callback@
-# Copy the values of "Client ID" and "Client secret" from the Google Developers Console into the Google section of @config/application.yml@, like this:
+# Copy the values of *Client ID* and *Client secret* from the Google Developers Console into the Google section of @config/application.yml@, like this:
# Google API tokens required for OAuth2 login.
google_oauth2_client_id: "---YOUR---CLIENT---ID---HERE--"-
google_oauth2_client_secret: "---YOUR---CLIENT---SECRET---HERE--"-
-h2(#start). Start the SSO server
-
-h3. Run a standalone passenger server
-
-
-~/sso-devise-omniauth-provider$ RAILS_ENV=production passenger start
-=============== Phusion Passenger Standalone web server started ===============
-...
-
-
-
-You can now test your installation by going to the page reported by passenger as "Accessible via: ..."
-Note, if you get the following warning "you may safely ignore it:":https://stackoverflow.com/questions/10374871/no-secret-option-provided-to-racksessioncookie-warning
-
-
-Connecting to database specified by database.yml
-App 4574 stderr: SECURITY WARNING: No secret option provided to Rack::Session::Cookie.
-App 4574 stderr: This poses a security threat. It is strongly recommended that you
-App 4574 stderr: provide a secret to prevent exploits that may be possible from crafted
-App 4574 stderr: cookies. This will not be supported in future versions of Rack, and
-App 4574 stderr: future versions will even invalidate your existing user cookies.
-App 4574 stderr:
-App 4574 stderr: Called from: /var/lib/gems/2.1.0/gems/actionpack-3.2.8/lib/action_dispatch/middleware/session/abstract_store.rb:28:in `initialize'.
-App 4592 stdout:
-