X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/a32c4f9997a0c8941b62668c5e59941985359c05..feb290061b91fa059aefd251ed3c3532b32620ea:/doc/install/install-sso.html.textile.liquid diff --git a/doc/install/install-sso.html.textile.liquid b/doc/install/install-sso.html.textile.liquid index f272d857a7..4d91b18c00 100644 --- a/doc/install/install-sso.html.textile.liquid +++ b/doc/install/install-sso.html.textile.liquid 
@@ -1,77 +1,237 @@ --- layout: default navsection: installguide -title: Install Single Sign On (SSO) server +title: Install the Single Sign On (SSO) server ... +{% comment %} +Copyright (C) The Arvados Authors. All rights reserved. + +SPDX-License-Identifier: CC-BY-SA-3.0 +{% endcomment %} + +{% include 'notebox_begin_warning' %} +Skip this section if you are using Google login via @arvados-controller@. +{% include 'notebox_end' %} + +# "Install dependencies":#dependencies +# "Set up database":#database-setup +# "Update config.yml":#update-config +# "Configure the SSO server":#create-application-yml +# "Update Nginx configuration":#update-nginx +# "Install arvados-sso-server":#install-packages +# "Create arvados-server client record":#client +# "Restart the API server and controller":#restart-api h2(#dependencies). Install dependencies -Make sure you have "Ruby and Bundler":install-manual-prerequisites-ruby.html installed. +# "Install PostgreSQL":install-postgresql.html +# "Install Ruby and Bundler":ruby.html Important! The Single Sign On server only supports Ruby 2.3, to avoid version conflicts we recommend installing it on a different server from the API server. When installing Ruby, ensure that you get the right version by installing the "ruby2.3" package, or by using RVM with @--ruby=2.3@ +# "Install nginx":nginx.html +# "Install Phusion Passenger":https://www.phusionpassenger.com/library/walkthroughs/deploy/ruby/ownserver/nginx/oss/install_passenger_main.html + +h2(#database-setup). Set up the database + +{% assign service_role = "arvados_sso" %} +{% assign service_database = "arvados_sso_production" %} +{% assign use_contrib = false %} +{% include 'install_postgres_database' %} + +Now create @/etc/arvados/sso/database.yml@ -h2(#install). Install SSO server +
+production: + adapter: postgresql + encoding: utf8 + database: arvados_sso_production + username: arvados_sso + password: $password + host: localhost + template: template0 +-h3. Get SSO server code and create database +h2(#update-config). Update config.yml + +
+ Services: + SSO: + ExternalURL: auth.ClusterID.example.com + Login: + ProviderAppID: "arvados-server" + ProviderAppSecret: $app_secret ++ +Generate @ProviderAppSecret@:
~$ cd $HOME # (or wherever you want to install)
-~$ git clone https://github.com/curoverse/sso-devise-omniauth-provider.git
-~$ cd sso-devise-omniauth-provider
-~/sso-devise-omniauth-provider$ bundle install
-~/sso-devise-omniauth-provider$ RAILS_ENV=production bundle exec rake db:create
-~/sso-devise-omniauth-provider$ RAILS_ENV=production bundle exec rake db:migrate
-
-~$ ruby -e 'puts rand(2**400).to_s(36)'
+zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
+
+
+h2(#create-application-yml). Configure the SSO server
-h3. Configure Rails secret
+The SSO server runs from the @/var/www/arvados-sso/current/@ directory. The files @/var/www/arvados-sso/current/config/application.yml@ and @/var/www/arvados-sso/current/config/database.yml@ will be symlinked to the configuration files in @/etc/arvados/sso/@.
-Create a secret:
+The SSO server reads the @config/application.yml@ file, as well as the @config/application.defaults.yml@ file. Values in @config/application.yml@ take precedence over the defaults that are defined in @config/application.defaults.yml@. The @config/application.yml.example@ file is not read by the SSO server and is provided for installation convenience only.
+
+Consult @config/application.default.yml@ for a full list of configuration options. Local configuration goes in @/etc/arvados/sso/application.yml@, do not edit @config/application.default.yml@.
+
+Create @/etc/arvados/sso/application.yml@ and add these keys:
+
++production: + uuid_prefix: xxxxx + secret_token: zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz ++ +h3(#uuid_prefix). uuid_prefix + +Most of the time, you want this to be the same as your @ClusterID@. If not, generate a new one from the command line listed previously. + +h3(#secret_token). secret_token + +Generate a new secret token for signing cookies:
~/sso-devise-omniauth-provider$ cp -i config/initializers/secret_token.rb.example config/initializers/secret_token.rb
-~/sso-devise-omniauth-provider$ rake secret
+~$ ruby -e 'puts rand(2**400).to_s(36)'
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
+
+ # If true, allow new creation of new accounts in the SSO server's internal + # user database. + allow_account_registration: false + + # If true, send an email confirmation before activating new accounts in the + # SSO server's internal user database (otherwise users are activated immediately.) + require_email_confirmation: false ++ +For more information about configuring backend support for sending email (required to send email confirmations) see "Configuring Action Mailer":http://guides.rubyonrails.org/configuring.html#configuring-action-mailer + +If @allow_account_registration@ is false, you may manually create local accounts on the SSO server from the Rails console. {% include 'install_rails_command' %} + +Enter the following commands at the console. + +
:001 > user = User.new(:email => "test@example.com")
+:002 > user.password = "passw0rd"
+:003 > user.save!
+:004 > quit
+ use_ldap: + title: Example LDAP + host: ldap.example.com + port: 636 + method: ssl + base: "ou=Users, dc=example, dc=com" + uid: uid + email_domain: example.com + #bind_dn: "some_user" + #password: "some_password" ++ +table(table). +|_. Option|_. Description| +|title |Title displayed to the user on the login page| +|host |LDAP server hostname| +|port |LDAP server port| +|method|One of "plain", "ssl", "tls"| +|base |Directory lookup base| +|uid |User id field used for directory lookup| +|email_domain|Strip off specified email domain from login and perform lookup on bare username| +|bind_dn|If required by server, username to log with in before performing directory lookup| +|password|If required by server, password to log with before performing directory lookup| + +h4(#google). Google authentication + +First, visit "Setting up Google auth.":google-auth.html + +Next, copy the values of *Client ID* and *Client secret* from the Google Developers Console into the Google section of @config/application.yml@, like this: + +
# Google API tokens required for OAuth2 login.
+ google_oauth2_client_id: "---YOUR---CLIENT---ID---HERE--"-
+ google_oauth2_client_secret: "---YOUR---CLIENT---SECRET---HERE--"-
~/sso-devise-omniauth-provider$ cp -i config/environments/production.rb.example config/environments/production.rb
+server {
+ listen auth.ClusterID.example.com:443 ssl;
+ server_name auth.ClusterID.example.com;
+
+ ssl on;
+ ssl_certificate /YOUR/PATH/TO/cert.pem;
+ ssl_certificate_key /YOUR/PATH/TO/cert.key;
+
+ root /var/www/arvados-sso/current/public;
+ index index.html;
+
+ passenger_enabled on;
+
+ # If you are using RVM, uncomment the line below.
+ # If you're using system ruby, leave it commented out.
+ #passenger_ruby /usr/local/rvm/wrappers/default/ruby;
+}
# yum install arvados-sso-server
+
+~/sso-devise-omniauth-provider$ rake secret
-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-~/sso-devise-omniauth-provider$ RAILS_ENV=production bundle exec rails console
-irb(main):001:0> c = Client.new
-irb(main):002:0> c.name = "joshid"
-irb(main):003:0> c.app_id = "arvados-server"
-irb(main):004:0> c.app_secret = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
-irb(main):005:0> c.save!
-irb(main):006:0> quit
+# apt-get --no-install-recommends arvados-sso-server
~/arvados/services/api$ RAILS_ENV=production bundle exec rails server
+:001 > c = Client.new
+:002 > c.name = "joshid"
+:003 > c.app_id = "arvados-server"
+:004 > c.app_secret = "the value of Login.ProviderAppSecret"
+:005 > c.save!
+:006 > quit
# systemctl restart nginx arvados-controller
+
+
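Review bot: the Debian/Ubuntu install line `# apt-get --no-install-recommends arvados-sso-server` is missing the `install` subcommand and will fail as written; it should read `# apt-get --no-install-recommends install arvados-sso-server` to match the `# yum install arvados-sso-server` line beside it. Two smaller points in the same hunk: the `~$ ruby -e 'puts rand(2**400).to_s(36)'` recipe is used for both `ProviderAppSecret` and `secret_token`, but Kernel#rand is a Mersenne Twister PRNG rather than a cryptographic one, so these secrets would be better generated with the `rake secret` command the hunk also keeps (or `ruby -rsecurerandom -e 'puts SecureRandom.hex(32)'`); and the prose refers to both `config/application.defaults.yml` and `config/application.default.yml`, so one of the two filenames is a typo and should be made consistent. In the nginx block, `ssl on;` is redundant next to `listen auth.ClusterID.example.com:443 ssl;` and is deprecated in current nginx releases, so it can be dropped; and since that block serves TLS on 443, the `ExternalURL: auth.ClusterID.example.com` value in config.yml probably wants an explicit `https://` scheme.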