MaxUUIDEntries: 1000
Login:
- # These settings are provided by your OAuth2 provider (eg
- # Google) used to perform upstream authentication.
- ProviderAppID: ""
- ProviderAppSecret: ""
-
- # (Experimental) Authenticate with Google, bypassing the
- # SSO-provider gateway service. Use the Google Cloud console to
- # enable the People API (APIs and Services > Enable APIs and
- # services > Google People API > Enable), generate a Client ID
- # and secret (APIs and Services > Credentials > Create
- # credentials > OAuth client ID > Web application) and add your
- # controller's /login URL (e.g.,
- # "https://zzzzz.example.com/login") as an authorized redirect
- # URL.
- #
- # Incompatible with ForceLegacyAPI14. ProviderAppID must be
- # blank.
- GoogleClientID: ""
- GoogleClientSecret: ""
-
- # Allow users to log in to existing accounts using any verified
- # email address listed by their Google account. If true, the
- # Google People API must be enabled in order for Google login to
- # work. If false, only the primary email address will be used.
- GoogleAlternateEmailAddresses: true
-
- # (Experimental) Use PAM to authenticate logins, using the
- # specified PAM service name.
- #
- # Cannot be used in combination with OAuth2 (ProviderAppID) or
- # Google (GoogleClientID). Cannot be used on a cluster acting as
- # a LoginCluster.
- PAM: false
- PAMService: arvados
-
- # Domain name (e.g., "example.com") to use to construct the
- # user's email address if PAM authentication returns a username
- # with no "@". If empty, use the PAM username as the user's
- # email address, whether or not it contains "@".
- #
- # Note that the email address is used as the primary key for
- # user records when logging in. Therefore, if you change
- # PAMDefaultEmailDomain after the initial installation, you
- # should also update existing user records to reflect the new
- # domain. Otherwise, next time those users log in, they will be
- # given new accounts instead of accessing their existing
- # accounts.
- PAMDefaultEmailDomain: ""
+ # One of the following mechanisms (SSO, Google, PAM, LDAP, or
+ # LoginCluster) should be enabled; see
+ # https://doc.arvados.org/install/setup-login.html
+
+ Google:
+ # Authenticate with Google.
+ Enable: false
+
+ # Use the Google Cloud console to enable the People API (APIs
+ # and Services > Enable APIs and services > Google People API
+ # > Enable), generate a Client ID and secret (APIs and
+ # Services > Credentials > Create credentials > OAuth client
+ # ID > Web application) and add your controller's /login URL
+ # (e.g., "https://zzzzz.example.com/login") as an authorized
+ # redirect URL.
+ #
+ # Incompatible with ForceLegacyAPI14. ProviderAppID must be
+ # blank.
+ ClientID: ""
+ ClientSecret: ""
+
+ # Allow users to log in to existing accounts using any verified
+ # email address listed by their Google account. If true, the
+ # Google People API must be enabled in order for Google login to
+ # work. If false, only the primary email address will be used.
+ AlternateEmailAddresses: true
+
+ PAM:
+ # (Experimental) Use PAM to authenticate users.
+ Enable: false
+
+ # PAM service name. PAM will apply the policy in the
+ # corresponding config file (e.g., /etc/pam.d/arvados) or, if
+ # there is none, the default "other" config.
+ Service: arvados
+
+ # Domain name (e.g., "example.com") to use to construct the
+ # user's email address if PAM authentication returns a
+ # username with no "@". If empty, use the PAM username as the
+ # user's email address, whether or not it contains "@".
+ #
+ # Note that the email address is used as the primary key for
+ # user records when logging in. Therefore, if you change
+ # PAMDefaultEmailDomain after the initial installation, you
+ # should also update existing user records to reflect the new
+ # domain. Otherwise, next time those users log in, they will
+ # be given new accounts instead of accessing their existing
+ # accounts.
+ DefaultEmailDomain: ""
+
+ LDAP:
+ # Use an LDAP service to authenticate users.
+ Enable: false
+
+ # Server URL, like "ldap://ldapserver.example.com:389" or
+ # "ldaps://ldapserver.example.com:636".
+ URL: "ldap://ldap:389"
+
+ # Use StartTLS upon connecting to the server.
+ StartTLS: true
+
+ # Skip TLS certificate name verification.
+ InsecureTLS: false
+
+ # Strip the @domain part if a user supplies an email-style
+ # username with this domain. If "*", strip any user-provided
+ # domain. If "", never strip the domain part. Example:
+ # "example.com"
+ StripDomain: ""
+
+ # If, after applying StripDomain, the username contains no "@"
+ # character, append this domain to form an email-style
+ # username. Example: "example.com"
+ AppendDomain: ""
+
+ # The LDAP attribute to filter on when looking up a username
+ # (after applying StripDomain and AppendDomain).
+ SearchAttribute: uid
+
+ # Bind with this username (DN or UPN) and password when
+ # looking up the user record.
+ #
+ # Example user: "cn=admin,dc=example,dc=com"
+ SearchBindUser: ""
+ SearchBindPassword: ""
+
+ # Directory base for username lookup. Example:
+ # "ou=Users,dc=example,dc=com"
+ SearchBase: ""
+
+ # Additional filters for username lookup. Special characters
+ # in assertion values must be escaped (see RFC4515). Example:
+ # "(objectClass=person)"
+ SearchFilters: ""
+
+ # LDAP attribute to use as the user's email address.
+ #
+ # Important: This must not be an attribute whose value can be
+ # edited in the directory by the users themselves. Otherwise,
+ # users can take over other users' Arvados accounts trivially
+ # (email address is the primary key for Arvados accounts.)
+ EmailAttribute: mail
+
+ # LDAP attribute to use as the preferred Arvados username. If
+ # no value is found (or this config is empty) the username
+ # originally supplied by the user will be used.
+ UsernameAttribute: uid
+
+ SSO:
+ # Authenticate with a separate SSO server. (Deprecated)
+ Enable: false
+
+ # ProviderAppID and ProviderAppSecret are generated during SSO
+ # setup; see
+ # https://doc.arvados.org/v2.0/install/install-sso.html#update-config
+ ProviderAppID: ""
+ ProviderAppSecret: ""
# The cluster ID to delegate the user database. When set,
# logins on this cluster will be redirected to the login cluster
RunningJobLogRecordsToFetch: 2000
# In systems with many shared projects, loading of dashboard and topnav
- # cab be slow due to collections indexing; use the following parameters
+ # can be slow due to collections indexing; use the following parameters
# to suppress these properties
ShowRecentCollectionsOnDashboard: true
ShowUserNotifications: true
type deprCluster struct {
RequestLimits deprRequestLimits
NodeProfiles map[string]nodeProfile
+ Login struct {
+ GoogleClientID *string
+ GoogleClientSecret *string
+ GoogleAlternateEmailAddresses *bool
+ ProviderAppID *string
+ ProviderAppSecret *string
+ }
}
type deprecatedConfig struct {
if dst, n := &cluster.API.MaxRequestAmplification, dcluster.RequestLimits.MultiClusterRequestConcurrency; n != nil && *n != *dst {
*dst = *n
}
+
+ // Google* moved to Google.*
+ if dst, n := &cluster.Login.Google.ClientID, dcluster.Login.GoogleClientID; n != nil && *n != *dst {
+ *dst = *n
+ if *n != "" {
+ // In old config, non-empty ClientID meant enable
+ cluster.Login.Google.Enable = true
+ }
+ }
+ if dst, n := &cluster.Login.Google.ClientSecret, dcluster.Login.GoogleClientSecret; n != nil && *n != *dst {
+ *dst = *n
+ }
+ if dst, n := &cluster.Login.Google.AlternateEmailAddresses, dcluster.Login.GoogleAlternateEmailAddresses; n != nil && *n != *dst {
+ *dst = *n
+ }
+
+ // Provider* moved to SSO.Provider*
+ if dst, n := &cluster.Login.SSO.ProviderAppID, dcluster.Login.ProviderAppID; n != nil && *n != *dst {
+ *dst = *n
+ if *n != "" {
+ // In old config, non-empty ID meant enable
+ cluster.Login.SSO.Enable = true
+ }
+ }
+ if dst, n := &cluster.Login.SSO.ProviderAppSecret, dcluster.Login.ProviderAppSecret; n != nil && *n != *dst {
+ *dst = *n
+ }
+
cfg.Clusters[id] = cluster
}
return nil
if strings.HasPrefix(host, ":") {
host = hostname + host
}
- svc.InternalURLs[arvados.URL{Scheme: scheme, Host: host}] = arvados.ServiceInstance{}
+ svc.InternalURLs[arvados.URL{Scheme: scheme, Host: host, Path: "/"}] = arvados.ServiceInstance{}
}
func (ldr *Loader) loadOldConfigHelper(component, path string, target interface{}) error {
}
if client.APIHost != "" {
cluster.Services.Controller.ExternalURL.Host = client.APIHost
+ cluster.Services.Controller.ExternalURL.Path = "/"
}
if client.Scheme != "" {
cluster.Services.Controller.ExternalURL.Scheme = client.Scheme
cluster.PostgreSQL.ConnectionPool = *oc.PostgresPool
}
if oc.Listen != nil {
- cluster.Services.Websocket.InternalURLs[arvados.URL{Host: *oc.Listen}] = arvados.ServiceInstance{}
+ cluster.Services.Websocket.InternalURLs[arvados.URL{Host: *oc.Listen, Path: "/"}] = arvados.ServiceInstance{}
}
if oc.LogLevel != nil {
cluster.SystemLogs.LogLevel = *oc.LogLevel
loadOldClientConfig(cluster, oc.Client)
if oc.Listen != nil {
- cluster.Services.Keepproxy.InternalURLs[arvados.URL{Host: *oc.Listen}] = arvados.ServiceInstance{}
+ cluster.Services.Keepproxy.InternalURLs[arvados.URL{Host: *oc.Listen, Path: "/"}] = arvados.ServiceInstance{}
}
if oc.DefaultReplicas != nil {
cluster.Collections.DefaultReplication = *oc.DefaultReplicas
loadOldClientConfig(cluster, oc.Client)
if oc.Listen != nil {
- cluster.Services.WebDAV.InternalURLs[arvados.URL{Host: *oc.Listen}] = arvados.ServiceInstance{}
- cluster.Services.WebDAVDownload.InternalURLs[arvados.URL{Host: *oc.Listen}] = arvados.ServiceInstance{}
+ cluster.Services.WebDAV.InternalURLs[arvados.URL{Host: *oc.Listen, Path: "/"}] = arvados.ServiceInstance{}
+ cluster.Services.WebDAVDownload.InternalURLs[arvados.URL{Host: *oc.Listen, Path: "/"}] = arvados.ServiceInstance{}
}
if oc.AttachmentOnlyHost != nil {
- cluster.Services.WebDAVDownload.ExternalURL = arvados.URL{Host: *oc.AttachmentOnlyHost}
+ cluster.Services.WebDAVDownload.ExternalURL = arvados.URL{Host: *oc.AttachmentOnlyHost, Path: "/"}
}
if oc.ManagementToken != nil {
cluster.ManagementToken = *oc.ManagementToken
`)
}
+ func (s *LoadSuite) TestDeprecatedLoginBackend(c *check.C) {
+ checkEquivalent(c, `
+ Clusters:
+ z1111:
+ Login:
+ GoogleClientID: aaaa
+ GoogleClientSecret: bbbb
+ GoogleAlternateEmailAddresses: true
+ `, `
+ Clusters:
+ z1111:
+ Login:
+ Google:
+ Enable: true
+ ClientID: aaaa
+ ClientSecret: bbbb
+ AlternateEmailAddresses: true
+ `)
+ checkEquivalent(c, `
+ Clusters:
+ z1111:
+ Login:
+ ProviderAppID: aaaa
+ ProviderAppSecret: bbbb
+ `, `
+ Clusters:
+ z1111:
+ Login:
+ SSO:
+ Enable: true
+ ProviderAppID: aaaa
+ ProviderAppSecret: bbbb
+ `)
+ }
+
func (s *LoadSuite) TestLegacyKeepWebConfig(c *check.C) {
content := []byte(`
{
cluster, err := testLoadLegacyConfig(content, "-legacy-keepweb-config", c)
c.Check(err, check.IsNil)
- c.Check(cluster.Services.Controller.ExternalURL, check.Equals, arvados.URL{Scheme: "https", Host: "example.com"})
+ c.Check(cluster.Services.Controller.ExternalURL, check.Equals, arvados.URL{Scheme: "https", Host: "example.com", Path: "/"})
c.Check(cluster.SystemRootToken, check.Equals, "abcdefg")
c.Check(cluster.Collections.WebDAVCache.TTL, check.Equals, arvados.Duration(60*time.Second))
c.Check(cluster.Collections.WebDAVCache.MaxPermissionEntries, check.Equals, 100)
c.Check(cluster.Collections.WebDAVCache.MaxUUIDEntries, check.Equals, 100)
- c.Check(cluster.Services.WebDAVDownload.ExternalURL, check.Equals, arvados.URL{Host: "download.example.com"})
+ c.Check(cluster.Services.WebDAVDownload.ExternalURL, check.Equals, arvados.URL{Host: "download.example.com", Path: "/"})
c.Check(cluster.Services.WebDAVDownload.InternalURLs[arvados.URL{Host: ":80"}], check.NotNil)
c.Check(cluster.Services.WebDAV.InternalURLs[arvados.URL{Host: ":80"}], check.NotNil)
c.Check(err, check.IsNil)
c.Check(cluster, check.NotNil)
- c.Check(cluster.Services.Controller.ExternalURL, check.Equals, arvados.URL{Scheme: "https", Host: "example.com"})
+ c.Check(cluster.Services.Controller.ExternalURL, check.Equals, arvados.URL{Scheme: "https", Host: "example.com", Path: "/"})
c.Check(cluster.SystemRootToken, check.Equals, "abcdefg")
c.Check(cluster.ManagementToken, check.Equals, "xyzzy")
c.Check(cluster.Services.Keepproxy.InternalURLs[arvados.URL{Host: ":80"}], check.Equals, arvados.ServiceInstance{})
c.Check(err, check.IsNil)
c.Check(cluster, check.NotNil)
- c.Check(cluster.Services.Controller.ExternalURL, check.Equals, arvados.URL{Scheme: "https", Host: "example.com"})
+ c.Check(cluster.Services.Controller.ExternalURL, check.Equals, arvados.URL{Scheme: "https", Host: "example.com", Path: "/"})
c.Check(cluster.SystemRootToken, check.Equals, "abcdefg")
c.Check(cluster.ManagementToken, check.Equals, "xyzzy")
c.Check(cluster.Git.GitCommand, check.Equals, "/test/git")
MaxUUIDEntries: 1000
Login:
- # These settings are provided by your OAuth2 provider (eg
- # Google) used to perform upstream authentication.
- ProviderAppID: ""
- ProviderAppSecret: ""
-
- # (Experimental) Authenticate with Google, bypassing the
- # SSO-provider gateway service. Use the Google Cloud console to
- # enable the People API (APIs and Services > Enable APIs and
- # services > Google People API > Enable), generate a Client ID
- # and secret (APIs and Services > Credentials > Create
- # credentials > OAuth client ID > Web application) and add your
- # controller's /login URL (e.g.,
- # "https://zzzzz.example.com/login") as an authorized redirect
- # URL.
- #
- # Incompatible with ForceLegacyAPI14. ProviderAppID must be
- # blank.
- GoogleClientID: ""
- GoogleClientSecret: ""
-
- # Allow users to log in to existing accounts using any verified
- # email address listed by their Google account. If true, the
- # Google People API must be enabled in order for Google login to
- # work. If false, only the primary email address will be used.
- GoogleAlternateEmailAddresses: true
-
- # (Experimental) Use PAM to authenticate logins, using the
- # specified PAM service name.
- #
- # Cannot be used in combination with OAuth2 (ProviderAppID) or
- # Google (GoogleClientID). Cannot be used on a cluster acting as
- # a LoginCluster.
- PAM: false
- PAMService: arvados
-
- # Domain name (e.g., "example.com") to use to construct the
- # user's email address if PAM authentication returns a username
- # with no "@". If empty, use the PAM username as the user's
- # email address, whether or not it contains "@".
- #
- # Note that the email address is used as the primary key for
- # user records when logging in. Therefore, if you change
- # PAMDefaultEmailDomain after the initial installation, you
- # should also update existing user records to reflect the new
- # domain. Otherwise, next time those users log in, they will be
- # given new accounts instead of accessing their existing
- # accounts.
- PAMDefaultEmailDomain: ""
+ # One of the following mechanisms (SSO, Google, PAM, LDAP, or
+ # LoginCluster) should be enabled; see
+ # https://doc.arvados.org/install/setup-login.html
+
+ Google:
+ # Authenticate with Google.
+ Enable: false
+
+ # Use the Google Cloud console to enable the People API (APIs
+ # and Services > Enable APIs and services > Google People API
+ # > Enable), generate a Client ID and secret (APIs and
+ # Services > Credentials > Create credentials > OAuth client
+ # ID > Web application) and add your controller's /login URL
+ # (e.g., "https://zzzzz.example.com/login") as an authorized
+ # redirect URL.
+ #
+ # Incompatible with ForceLegacyAPI14. ProviderAppID must be
+ # blank.
+ ClientID: ""
+ ClientSecret: ""
+
+ # Allow users to log in to existing accounts using any verified
+ # email address listed by their Google account. If true, the
+ # Google People API must be enabled in order for Google login to
+ # work. If false, only the primary email address will be used.
+ AlternateEmailAddresses: true
+
+ PAM:
+ # (Experimental) Use PAM to authenticate users.
+ Enable: false
+
+ # PAM service name. PAM will apply the policy in the
+ # corresponding config file (e.g., /etc/pam.d/arvados) or, if
+ # there is none, the default "other" config.
+ Service: arvados
+
+ # Domain name (e.g., "example.com") to use to construct the
+ # user's email address if PAM authentication returns a
+ # username with no "@". If empty, use the PAM username as the
+ # user's email address, whether or not it contains "@".
+ #
+ # Note that the email address is used as the primary key for
+ # user records when logging in. Therefore, if you change
+ # PAMDefaultEmailDomain after the initial installation, you
+ # should also update existing user records to reflect the new
+ # domain. Otherwise, next time those users log in, they will
+ # be given new accounts instead of accessing their existing
+ # accounts.
+ DefaultEmailDomain: ""
+
+ LDAP:
+ # Use an LDAP service to authenticate users.
+ Enable: false
+
+ # Server URL, like "ldap://ldapserver.example.com:389" or
+ # "ldaps://ldapserver.example.com:636".
+ URL: "ldap://ldap:389"
+
+ # Use StartTLS upon connecting to the server.
+ StartTLS: true
+
+ # Skip TLS certificate name verification.
+ InsecureTLS: false
+
+ # Strip the @domain part if a user supplies an email-style
+ # username with this domain. If "*", strip any user-provided
+ # domain. If "", never strip the domain part. Example:
+ # "example.com"
+ StripDomain: ""
+
+ # If, after applying StripDomain, the username contains no "@"
+ # character, append this domain to form an email-style
+ # username. Example: "example.com"
+ AppendDomain: ""
+
+ # The LDAP attribute to filter on when looking up a username
+ # (after applying StripDomain and AppendDomain).
+ SearchAttribute: uid
+
+ # Bind with this username (DN or UPN) and password when
+ # looking up the user record.
+ #
+ # Example user: "cn=admin,dc=example,dc=com"
+ SearchBindUser: ""
+ SearchBindPassword: ""
+
+ # Directory base for username lookup. Example:
+ # "ou=Users,dc=example,dc=com"
+ SearchBase: ""
+
+ # Additional filters for username lookup. Special characters
+ # in assertion values must be escaped (see RFC4515). Example:
+ # "(objectClass=person)"
+ SearchFilters: ""
+
+ # LDAP attribute to use as the user's email address.
+ #
+ # Important: This must not be an attribute whose value can be
+ # edited in the directory by the users themselves. Otherwise,
+ # users can take over other users' Arvados accounts trivially
+ # (email address is the primary key for Arvados accounts.)
+ EmailAttribute: mail
+
+ # LDAP attribute to use as the preferred Arvados username. If
+ # no value is found (or this config is empty) the username
+ # originally supplied by the user will be used.
+ UsernameAttribute: uid
+
+ SSO:
+ # Authenticate with a separate SSO server. (Deprecated)
+ Enable: false
+
+ # ProviderAppID and ProviderAppSecret are generated during SSO
+ # setup; see
+ # https://doc.arvados.org/v2.0/install/install-sso.html#update-config
+ ProviderAppID: ""
+ ProviderAppSecret: ""
# The cluster ID to delegate the user database. When set,
# logins on this cluster will be redirected to the login cluster
RunningJobLogRecordsToFetch: 2000
# In systems with many shared projects, loading of dashboard and topnav
- # cab be slow due to collections indexing; use the following parameters
+ # can be slow due to collections indexing; use the following parameters
# to suppress these properties
ShowRecentCollectionsOnDashboard: true
ShowUserNotifications: true
Repositories string
}
Login struct {
- GoogleClientID string
- GoogleClientSecret string
- GoogleAlternateEmailAddresses bool
- PAM bool
- PAMService string
- PAMDefaultEmailDomain string
- ProviderAppID string
- ProviderAppSecret string
- LoginCluster string
- RemoteTokenRefresh Duration
+ LDAP struct {
+ Enable bool
+ URL URL
+ StartTLS bool
+ InsecureTLS bool
+ StripDomain string
+ AppendDomain string
+ SearchAttribute string
+ SearchBindUser string
+ SearchBindPassword string
+ SearchBase string
+ SearchFilters string
+ EmailAttribute string
+ UsernameAttribute string
+ }
+ Google struct {
+ Enable bool
+ ClientID string
+ ClientSecret string
+ AlternateEmailAddresses bool
+ }
+ PAM struct {
+ Enable bool
+ Service string
+ DefaultEmailDomain string
+ }
+ SSO struct {
+ Enable bool
+ ProviderAppID string
+ ProviderAppSecret string
+ }
+ LoginCluster string
+ RemoteTokenRefresh Duration
}
Mail struct {
MailchimpAPIKey string
u, err := url.Parse(string(text))
if err == nil {
*su = URL(*u)
+ if su.Path == "" && su.Host != "" {
+ // http://example really means http://example/
+ su.Path = "/"
+ }
}
return err
}
if defined? CUSTOM_PROVIDER_URL
Rails.logger.warn "Copying omniauth from globals in legacy config file."
- Rails.configuration.Login["ProviderAppID"] = APP_ID
- Rails.configuration.Login["ProviderAppSecret"] = APP_SECRET
+ Rails.configuration.Login["SSO"]["ProviderAppID"] = APP_ID
+ Rails.configuration.Login["SSO"]["ProviderAppSecret"] = APP_SECRET
- Rails.configuration.Services["SSO"]["ExternalURL"] = CUSTOM_PROVIDER_URL
+ Rails.configuration.Services["SSO"]["ExternalURL"] = CUSTOM_PROVIDER_URL.sub(/\/$/, "") + "/"
else
Rails.application.config.middleware.use OmniAuth::Builder do
provider(:josh_id,
- Rails.configuration.Login["ProviderAppID"],
- Rails.configuration.Login["ProviderAppSecret"],
+ Rails.configuration.Login["SSO"]["ProviderAppID"],
+ Rails.configuration.Login["SSO"]["ProviderAppSecret"],
Rails.configuration.Services["SSO"]["ExternalURL"])
end
OmniAuth.config.on_failure = StaticController.action(:login_failure)