X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/b5b88cdaefb4f35b877c3279d6556fae7d62afcf..88b4f320eb101cdac88d2b7ee15135dd67703d20:/doc/install/install-sso.html.textile.liquid
diff --git a/doc/install/install-sso.html.textile.liquid b/doc/install/install-sso.html.textile.liquid
index 7a89fc1b8d..75da2ca1e8 100644
--- a/doc/install/install-sso.html.textile.liquid
+++ b/doc/install/install-sso.html.textile.liquid
@@ -6,109 +6,145 @@ title: Install Single Sign On (SSO) server
h2(#dependencies). Install dependencies
-h3(#install_git_curl). Install git and curl
-
-{% include 'install_git_curl' %}
-
h3(#install_ruby_and_bundler). Install Ruby and Bundler
{% include 'install_ruby_and_bundler' %}
-h3(#install_postgres). Install PostgreSQL
+h3(#install_web_server). Set up a Web server
-{% include 'install_postgres' %}
+For best performance, we recommend you use Nginx as your Web server frontend with a Passenger backend to serve the SSO server. The Passenger team provides "Nginx + Passenger installation instructions":https://www.phusionpassenger.com/library/walkthroughs/deploy/ruby/ownserver/nginx/oss/install_passenger_main.html.
-h2(#install). Install SSO server
+Follow the instructions until you see the section that says you are ready to deploy your Ruby application on the production server.
-h3. Get SSO server code and run bundle
+h2(#install). Install the SSO server
+
+On a Debian-based system, install the following package:
~$ cd $HOME # (or wherever you want to install)
-~$ git clone https://github.com/curoverse/sso-devise-omniauth-provider.git
-~$ cd sso-devise-omniauth-provider
-~/sso-devise-omniauth-provider$ bundle install --without=development
-
~$ sudo apt-get arvados-sso-server
+
+
+
+On a Red Hat-based system, install the following package:
+
+~$ sudo yum install arvados-sso-server
+
+~/sso-devise-omniauth-provider$ cp -i config/application.yml.example config/application.yml
-
/etc/arvados/sso/application.yml
+/etc/arvados/sso/database.yml
+/etc/arvados/sso/production.rb
+
+
+
+The SSO server runs from the @/var/www/arvados-sso/current/@ directory. The files @/var/www/arvados-sso/current/config/application.yml@, @/var/www/arvados-sso/current/config/database.yml@ and @/var/www/arvados-sso/current/config/environments/production.rb@ are symlinked to the configuration files in @/etc/arvados/sso/@.
The SSO server reads the @config/application.yml@ file, as well as the @config/application.defaults.yml@ file. Values in @config/application.yml@ take precedence over the defaults that are defined in @config/application.defaults.yml@. The @config/application.yml.example@ file is not read by the SSO server and is provided for installation convenience only.
-Consult @config/application.default.yml@ for a full list of configuration options. Local configuration goes in @config/application.yml@, do not edit @config/application.default.yml@.
+Consult @config/application.default.yml@ for a full list of configuration options. Local configuration goes in @/etc/arvados/sso/application.yml@, do not edit @config/application.default.yml@.
h3(#uuid_prefix). uuid_prefix
Generate a uuid prefix for the single sign on service. This prefix is used to identify user records as originating from this site. It must be exactly 5 lowercase ASCII letters and/or digits. You may use the following snippet to generate a uuid prefix:
~/sso-devise-omniauth-provider$ ruby -e 'puts "#{rand(2**64).to_s(36)[0,5]}"'
+~$ ruby -e 'puts "#{rand(2**64).to_s(36)[0,5]}"'
abcde
~/sso-devise-omniauth-provider$ ruby -e 'puts rand(2**400).to_s(36)'
+~$ ruby -e 'puts rand(2**400).to_s(36)'
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
~/sso-devise-omniauth-provider$ ruby -e 'puts rand(2**128).to_s(36)'
+~$ ruby -e 'puts rand(2**128).to_s(36)'
abcdefghijklmnopqrstuvwxyz012345689
~$ edit /etc/arvados/sso/database.yml
+
~/sso-devise-omniauth-provider$ sudo -u postgres createuser --createdb --encrypted -R -S --pwprompt arvados_sso
+~$ sudo -u postgres createuser --createdb --encrypted -R -S --pwprompt arvados_sso
Enter password for new role: paste-database-password-you-generated
Enter it again: paste-database-password-you-generated
~/sso-devise-omniauth-provider$ cp -i config/database.yml.example config/database.yml
-~/sso-devise-omniauth-provider$ edit config/database.yml
+~$ sudo -u postgres createuser --encrypted -R -S --pwprompt arvados_sso
+Enter password for new role: paste-database-password-you-generated
+Enter it again: paste-database-password-you-generated
+~$ sudo -u postgres createdb arvados_sso_production -E UTF8 -O arvados_sso -T template0
~/sso-devise-omniauth-provider$ RAILS_ENV=production bundle exec rake db:setup
-
~$ sudo sed -i -e "s/127.0.0.1\/32 ident/127.0.0.1\/32 md5/" /var/lib/pgsql/data/pg_hba.conf
+~$ sudo sed -i -e "s/::1\/128 ident/::1\/128 md5/" /var/lib/pgsql/data/pg_hba.conf
+~$ sudo service postgresql restart
+
+
+{% include 'notebox_end' %}
-Alternatively, if the database user you intend to use for the SSO server is not allowed to create new databases, you can create the database first and then populate it with rake. Be sure to adjust the database name if you are using the @development@ environment. This sequence of commands is functionally equivalent to the rake db:setup command above:
+h2(#reconfigure_package). Reconfigure the package
+
+Now that the @/etc/arvados/sso/application.yml@ and @/etc/arvados/sso/database.yml@ files have been updated, we need to reconfigure our installed package. Doing so will create and/or initialize the database and precompile the assets.
+
+On a Debian-based system:
~/sso-devise-omniauth-provider$ sudo -u postgres createdb arvados_sso_production -E UTF8 -O arvados_sso -T template0
-~/sso-devise-omniauth-provider$ RAILS_ENV=production bundle exec rake db:schema:load
-~/sso-devise-omniauth-provider$ RAILS_ENV=production bundle exec rake db:seed
-
~$ sudo dpkg-reconfigure arvados-sso-server
+
+
+
+On a Red Hat-based system, we need to reinstall the package instead:
+
+~$ sudo yum reinstall arvados-sso-server
+
+~/sso-devise-omniauth-provider$ ruby -e 'puts rand(2**400).to_s(36)'
+~$ ruby -e 'puts rand(2**400).to_s(36)'
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-~/sso-devise-omniauth-provider$ RAILS_ENV=production bundle exec rails console
+~$ RAILS_ENV=production bundle exec rails console
:001 > c = Client.new
:002 > c.name = "joshid"
:003 > c.app_id = "arvados-server"
@@ -118,15 +154,56 @@ xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
~/sso-devise-omniauth-provider$ RAILS_ENV=production bundle exec rake assets:precompile
+server {
+ listen 127.0.0.1:8900;
+ server_name localhost-sso;
+
+ root /var/www/arvados-sso/current/public;
+ index index.html;
+
+ passenger_enabled on;
+ # If you're not using RVM, comment out the line below.
+ passenger_ruby /usr/local/rvm/wrappers/default/ruby;
+}
+
+upstream sso {
+ server 127.0.0.1:8900 fail_timeout=10s;
+}
+
+proxy_http_version 1.1;
+
+server {
+ listen [your public IP address]:443 ssl;
+ server_name auth.your.domain;
+
+ ssl on;
+ ssl_certificate /YOUR/PATH/TO/cert.pem;
+ ssl_certificate_key /YOUR/PATH/TO/cert.key;
+
+ index index.html;
+
+ location / {
+ proxy_pass http://sso;
+ proxy_redirect off;
+ proxy_connect_timeout 90s;
+ proxy_read_timeout 300s;
+
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ }
+}
~/sso-devise-omniauth-provider$ RAILS_ENV=production bundle exec rails console
+~$ RAILS_ENV=production bundle exec rails console
:001 > user = User.new(:email => "test@example.com")
:002 > user.password = "passw0rd"
:003 > user.save!
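Review bot: the public `server` block should carry TLS settings beyond the certificate paths; as written it relies on nginx defaults for protocols and ciphers, so add at least `ssl_protocols` and `ssl_ciphers` (and an HSTS header) alongside `ssl_certificate`/`ssl_certificate_key`, and drop `ssl on;`, which is redundant with `listen [your public IP address]:443 ssl;` and deprecated in current nginx. The backend block now enables `passenger_ruby /usr/local/rvm/wrappers/default/ruby;` by default with the comment "If you're not using RVM, comment out the line below."; for a packaged install the safer default is the reverse of this (commented out, as the old config had it), since the line points at a path that will not exist on a system using the distribution Ruby. The kept context line `~/sso-devise-omniauth-provider$ RAILS_ENV=production bundle exec rake assets:precompile` contradicts the earlier statement that reconfiguring the package precompiles the assets and still uses the removed checkout prompt, and `~$ RAILS_ENV=production bundle exec rails console` for creating the test user has the same working-directory problem as in the previous hunk (it needs to run from `/var/www/arvados-sso/current`). Binding the Passenger backend to `127.0.0.1:8900` and proxying with `X-Forwarded-Proto https` is the right shape; it just needs the hardened TLS front.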
@@ -210,74 +287,4 @@ In order to use Google+ authentication, you must use the "---YOUR---CLIENT---ID---HERE--"-
google_oauth2_client_secret: "---YOUR---CLIENT---SECRET---HERE--"-
Edit the http section of your Nginx configuration to run the Passenger server, and act as a front-end for it. You might add a block like the following, adding SSL and logging parameters to taste:
- -server {
- listen 127.0.0.1:8900;
- server_name localhost-sso;
-
- root /YOUR/PATH/TO/sso-devise-omniauth-provider/public;
- index index.html index.htm index.php;
-
- passenger_enabled on;
- # If you're using RVM, uncomment the line below.
- #passenger_ruby /usr/local/rvm/wrappers/default/ruby;
-}
-
-upstream sso {
- server 127.0.0.1:8900 fail_timeout=10s;
-}
-
-proxy_http_version 1.1;
-
-server {
- listen [your public IP address]:443 ssl;
- server_name auth.your.domain;
-
- ssl on;
-
- index index.html index.htm index.php;
-
- location / {
- proxy_pass http://sso;
- proxy_redirect off;
- proxy_connect_timeout 90s;
- proxy_read_timeout 300s;
-
- proxy_set_header X-Forwarded-Proto https;
- proxy_set_header Host $http_host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- }
-}
-
--SECURITY WARNING: No secret option provided to Rack::Session::Cookie. -This poses a security threat. It is strongly recommended that you -provide a secret to prevent exploits that may be possible from crafted -cookies. This will not be supported in future versions of Rack, and -future versions will even invalidate your existing user cookies. - -Called from: /var/lib/gems/2.1.0/gems/actionpack-3.2.8/lib/action_dispatch/middleware/session/abstract_store.rb:28:in `initialize'. -- -{% include 'notebox_end' %}
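Review bot: removing the notebox that explains the `SECURITY WARNING: No secret option provided to Rack::Session::Cookie` message drops the only guidance on the session secret without saying where that secret is now set; if the packaged install configures it through `/etc/arvados/sso/application.yml`, this hunk should state which key to set, otherwise the note should stay. The configuration file now holds `google_oauth2_client_secret: "---YOUR---CLIENT---SECRET---HERE--"` and `database.yml` holds the database password, so the install text should also state the expected ownership and mode of `/etc/arvados/sso/` (readable by the user the Passenger backend runs as and not world-readable). Removing the old nginx block is fine since the updated one appears earlier in the patch.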