X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/f3f86fcf67775df91937392dd74a527dcbcf1886..feb290061b91fa059aefd251ed3c3532b32620ea:/doc/install/install-sso.html.textile.liquid
diff --git a/doc/install/install-sso.html.textile.liquid b/doc/install/install-sso.html.textile.liquid
index 56c7a4b337..4d91b18c00 100644
--- a/doc/install/install-sso.html.textile.liquid
+++ b/doc/install/install-sso.html.textile.liquid
@@ -3,64 +3,89 @@ layout: default
navsection: installguide
title: Install the Single Sign On (SSO) server
...
+{% comment %}
+Copyright (C) The Arvados Authors. All rights reserved.
-h2(#dependencies). Install prerequisites
+SPDX-License-Identifier: CC-BY-SA-3.0
+{% endcomment %}
-The Arvados package repository includes an SSO server package that can help automate much of the deployment.
-
-h3(#install_ruby_and_bundler). Install Ruby and Bundler
-
-{% include 'install_ruby_and_bundler' %}
+{% include 'notebox_begin_warning' %}
+Skip this section if you are using Google login via @arvados-controller@.
+{% include 'notebox_end' %}
-h3(#install_web_server). Set up a Web server
+# "Install dependencies":#dependencies
+# "Set up database":#database-setup
+# "Update config.yml":#update-config
+# "Configure the SSO server":#create-application-yml
+# "Update Nginx configuration":#update-nginx
+# "Install arvados-sso-server":#install-packages
+# "Create arvados-server client record":#client
+# "Restart the API server and controller":#restart-api
-For best performance, we recommend you use Nginx as your Web server frontend with a Passenger backend to serve the SSO server. The Passenger team provides "Nginx + Passenger installation instructions":https://www.phusionpassenger.com/library/walkthroughs/deploy/ruby/ownserver/nginx/oss/install_passenger_main.html.
+h2(#dependencies). Install dependencies
-Follow the instructions until you see the section that says you are ready to deploy your Ruby application on the production server.
+# "Install PostgreSQL":install-postgresql.html
+# "Install Ruby and Bundler":ruby.html Important! The Single Sign On server only supports Ruby 2.3, to avoid version conflicts we recommend installing it on a different server from the API server. When installing Ruby, ensure that you get the right version by installing the "ruby2.3" package, or by using RVM with @--ruby=2.3@
+# "Install nginx":nginx.html
+# "Install Phusion Passenger":https://www.phusionpassenger.com/library/walkthroughs/deploy/ruby/ownserver/nginx/oss/install_passenger_main.html
-h2(#install). Install the SSO server
+h2(#database-setup). Set up the database
-On a Debian-based system, install the following package:
+{% assign service_role = "arvados_sso" %}
+{% assign service_database = "arvados_sso_production" %}
+{% assign use_contrib = false %}
+{% include 'install_postgres_database' %}
-
-~$ sudo apt-get install arvados-sso-server
-
+production: + adapter: postgresql + encoding: utf8 + database: arvados_sso_production + username: arvados_sso + password: $password + host: localhost + template: template0 +-
~$ sudo yum install arvados-sso-server
-
-+ Services: + SSO: + ExternalURL: auth.ClusterID.example.com + Login: + ProviderAppID: "arvados-server" + ProviderAppSecret: $app_secret +-The package has installed three configuration files in @/etc/arvados/sso@: +Generate @ProviderAppSecret@:
/etc/arvados/sso/application.yml
-/etc/arvados/sso/database.yml
-/etc/arvados/sso/production.rb
-
-~$ ruby -e 'puts rand(2**400).to_s(36)'
+zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
+
-The SSO server runs from the @/var/www/arvados-sso/current/@ directory. The files @/var/www/arvados-sso/current/config/application.yml@, @/var/www/arvados-sso/current/config/database.yml@ and @/var/www/arvados-sso/current/config/environments/production.rb@ are symlinked to the configuration files in @/etc/arvados/sso/@.
+h2(#create-application-yml). Configure the SSO server
+
+The SSO server runs from the @/var/www/arvados-sso/current/@ directory. The files @/var/www/arvados-sso/current/config/application.yml@ and @/var/www/arvados-sso/current/config/database.yml@ will be symlinked to the configuration files in @/etc/arvados/sso/@.
The SSO server reads the @config/application.yml@ file, as well as the @config/application.defaults.yml@ file. Values in @config/application.yml@ take precedence over the defaults that are defined in @config/application.defaults.yml@. The @config/application.yml.example@ file is not read by the SSO server and is provided for installation convenience only.
Consult @config/application.default.yml@ for a full list of configuration options. Local configuration goes in @/etc/arvados/sso/application.yml@, do not edit @config/application.default.yml@.
-h3(#uuid_prefix). uuid_prefix
+Create @/etc/arvados/sso/application.yml@ and add these keys:
-Generate a uuid prefix for the single sign on service. This prefix is used to identify user records as originating from this site. It must be exactly 5 lowercase ASCII letters and/or digits. You may use the following snippet to generate a uuid prefix:
++production: + uuid_prefix: xxxxx + secret_token: zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz +-
~$ ruby -e 'puts "#{rand(2**64).to_s(36)[0,5]}"'
-abcde
-
~$ sudo service postgresql start
-
-~$ sudo service postgresql initdb
-~$ sudo service postgresql start
-
-~$ sudo sed -i -e "s/127.0.0.1\/32 ident/127.0.0.1\/32 md5/" /var/lib/pgsql/data/pg_hba.conf
-~$ sudo sed -i -e "s/::1\/128 ident/::1\/128 md5/" /var/lib/pgsql/data/pg_hba.conf
-~$ sudo service postgresql restart
-
-~$ ruby -e 'puts rand(2**128).to_s(36)'
-abcdefghijklmnopqrstuvwxyz012345689
-
~$ editor /etc/arvados/sso/database.yml
-
~$ sudo -u postgres createuser --createdb --encrypted -R -S --pwprompt arvados_sso
-Enter password for new role: paste-database-password-you-generated
-Enter it again: paste-database-password-you-generated
-
~$ sudo -u postgres createuser --encrypted -R -S --pwprompt arvados_sso
-Enter password for new role: paste-database-password-you-generated
-Enter it again: paste-database-password-you-generated
-~$ sudo -u postgres createdb arvados_sso_production -E UTF8 -O arvados_sso -T template0
-
~$ sudo dpkg-reconfigure arvados-sso-server
-
-~$ sudo yum reinstall arvados-sso-server
-
-~$ ruby -e 'puts rand(2**400).to_s(36)'
-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-~$ RAILS_ENV=production bundle exec rails console
-:001 > c = Client.new
-:002 > c.name = "joshid"
-:003 > c.app_id = "arvados-server"
-:004 > c.app_secret = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
-:005 > c.save!
-:006 > quit
-
-server {
- listen 127.0.0.1:8900;
- server_name localhost-sso;
-
- root /var/www/arvados-sso/current/public;
- index index.html;
-
- passenger_enabled on;
- # If you're not using RVM, comment out the line below.
- passenger_ruby /usr/local/rvm/wrappers/default/ruby;
-}
-
-upstream sso {
- server 127.0.0.1:8900 fail_timeout=10s;
-}
-
-proxy_http_version 1.1;
-
-server {
- listen [your public IP address]:443 ssl;
- server_name auth.your.domain;
-
- ssl on;
- ssl_certificate /YOUR/PATH/TO/cert.pem;
- ssl_certificate_key /YOUR/PATH/TO/cert.key;
-
- index index.html;
-
- location / {
- proxy_pass http://sso;
- proxy_redirect off;
- proxy_connect_timeout 90s;
- proxy_read_timeout 300s;
-
- proxy_set_header X-Forwarded-Proto https;
- proxy_set_header Host $http_host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- }
-}
-
-~$ RAILS_ENV=production bundle exec rails console
-:001 > user = User.new(:email => "test@example.com")
+:001 > user = User.new(:email => "test@example.com")
:002 > user.password = "passw0rd"
:003 > user.save!
:004 > quit
# Google API tokens required for OAuth2 login.
google_oauth2_client_id: "---YOUR---CLIENT---ID---HERE--"-
google_oauth2_client_secret: "---YOUR---CLIENT---SECRET---HERE--"-
server {
+ listen auth.ClusterID.example.com:443 ssl;
+ server_name auth.ClusterID.example.com;
+
+ ssl on;
+ ssl_certificate /YOUR/PATH/TO/cert.pem;
+ ssl_certificate_key /YOUR/PATH/TO/cert.key;
+
+ root /var/www/arvados-sso/current/public;
+ index index.html;
+
+ passenger_enabled on;
+
+ # If you are using RVM, uncomment the line below.
+ # If you're using system ruby, leave it commented out.
+ #passenger_ruby /usr/local/rvm/wrappers/default/ruby;
+}
+
+# yum install arvados-sso-server
+
+# apt-get --no-install-recommends arvados-sso-server
+
+:001 > c = Client.new
+:002 > c.name = "joshid"
+:003 > c.app_id = "arvados-server"
+:004 > c.app_secret = "the value of Login.ProviderAppSecret"
+:005 > c.save!
+:006 > quit
+
+# systemctl restart nginx arvados-controller
+
+
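Review bot: the added line "# apt-get --no-install-recommends arvados-sso-server" in the install-packages section is missing the "install" subcommand, so the command as written fails; it should read "# apt-get --no-install-recommends install arvados-sso-server" to match the "# yum install arvados-sso-server" line beside it.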
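Review bot: the same placeholder string "zzzzzzzz..." is used both as the generated Login.ProviderAppSecret (the output shown under "Generate @ProviderAppSecret@") and as the secret_token value in the new /etc/arvados/sso/application.yml block ("production: uuid_prefix: xxxxx secret_token: zzzz..."). Readers copying the example are likely to reuse one secret for both, which turns a leak of the OAuth client secret into a leak of the Rails session secret as well. Use visibly different placeholders and state that secret_token is generated with a separate run of the rand command and must not equal ProviderAppSecret.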
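Review bot: the Services.SSO.ExternalURL example "auth.ClusterID.example.com" has no scheme, while the nginx block added further down serves the SSO on "listen auth.ClusterID.example.com:443 ssl;". Write the ExternalURL as a full https URL so the two fragments agree and the controller does not redirect browsers to a plain-http login endpoint. In that same nginx block, "ssl on;" is redundant with the "ssl" parameter already given on the listen line; keep only the listen form.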
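Review bot: the "Install Ruby and Bundler" list item runs a long warning into the link text with a comma splice ("only supports Ruby 2.3, to avoid version conflicts we recommend ..."). Move the Ruby 2.3 requirement and the separate-server recommendation into their own notebox, as the hunk already does for the Google-login note with {% include 'notebox_begin_warning' %} / {% include 'notebox_end' %}, and split it into two sentences.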
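Review bot: the client-record steps (":001 > c = Client.new" through ":006 > quit") no longer show how the console is reached; the old "~$ RAILS_ENV=production bundle exec rails console" line is removed and no replacement is visible in this hunk. If the invocation is not retained elsewhere, add it (with the working directory) ahead of the console transcript, and say what the "name" field is for so that "joshid" is recognisable as a placeholder rather than a required value.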