<p><strong>Arvados - Feature #16212: Can choose PAM as an authentication backend</strong> (<a href="https://dev.arvados.org/issues/16212">https://dev.arvados.org/issues/16212</a>)</p>
<p>Updated by Peter Amstutz (peter.amstutz@curii.com), 2020-03-04T17:11:56Z, <a href="https://dev.arvados.org/issues/16212?journal_id=82842">journal 82842</a></p>
<ul><li><strong>Description</strong> updated (<a title="View differences" href="/journals/82842/diff?detail_id=79580">diff</a>)</li></ul>
<p>Updated by Peter Amstutz (peter.amstutz@curii.com), 2020-03-04T17:26:04Z, <a href="https://dev.arvados.org/issues/16212?journal_id=82850">journal 82850</a></p>
<ul><li><strong>Blocks</strong> <i><a class="issue tracker-2 status-3 priority-4 priority-default closed parent" href="/issues/15881">Feature #15881</a>: [controller] LDAP login support</i> added</li></ul>
<p>Updated by Peter Amstutz (peter.amstutz@curii.com), 2020-03-04T17:26:52Z, <a href="https://dev.arvados.org/issues/16212?journal_id=82853">journal 82853</a></p>
<ul><li><strong>Related to</strong> <i><a class="issue tracker-6 status-3 priority-4 priority-default closed behind-schedule" href="/issues/15322">Idea #15322</a>: Replace and delete sso-provider</i> added</li></ul>
<p>Updated by Peter Amstutz (peter.amstutz@curii.com), 2020-03-05T17:42:11Z, <a href="https://dev.arvados.org/issues/16212?journal_id=82871">journal 82871</a></p>
<ul><li><strong>Description</strong> updated (<a title="View differences" href="/journals/82871/diff?detail_id=79609">diff</a>)</li></ul>
<p>Updated by Peter Amstutz (peter.amstutz@curii.com), 2020-03-05T17:48:39Z, <a href="https://dev.arvados.org/issues/16212?journal_id=82872">journal 82872</a></p>
<p>Interesting PAM modules (Debian packages)</p>
<ul>
<li>libpam-krb5 - PAM module for MIT Kerberos</li>
<li>libpam-ldapd - PAM module for using LDAP as an authentication service</li>
<li>libpam-mklocaluser - Configure PAM to create a local user if it does not exist already (for dev / demo)</li>
</ul>
<p>Updated by Tom Clegg (tom@curii.com), 2020-03-11T15:16:10Z, <a href="https://dev.arvados.org/issues/16212?journal_id=82997">journal 82997</a></p>
<ul><li><strong>Assigned To</strong> set to <i>Tom Clegg</i></li></ul>
<p>Updated by Tom Clegg (tom@curii.com), 2020-03-12T04:21:10Z, <a href="https://dev.arvados.org/issues/16212?journal_id=83048">journal 83048</a></p>
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>In Progress</i></li></ul>
<p>Updated by Tom Clegg (tom@curii.com), 2020-03-12T22:20:41Z, <a href="https://dev.arvados.org/issues/16212?journal_id=83079">journal 83079</a></p>
<p>Server side:</p>
<p>16212-pam-login @ <a class="changeset" title="16212: Support username/password authentication via PAM. Arvados-DCO-1.1-Signed-off-by: Tom Cleg..." href="https://dev.arvados.org/projects/arvados/repository/arvados/revisions/d739042d5aedd9a2cef19deb591cccc57d639353">d739042d5aedd9a2cef19deb591cccc57d639353</a> -- <a class="external" href="https://ci.arvados.org/view/Developer/job/developer-run-tests/1773/">developer-run-tests: #1773</a> (tests fail because jenkins worker image doesn't have libpam-dev)</p>
<p>Workbench side isn't implemented yet, but it should work like this when Login.PAM is true in the server's exported config:</p>
<ul>
<li>Prompt user for username and password</li>
<li>POST <code>https://{apihost}/login</code>, with username=x, password=y, and _method=GET in the request body (or "X-Http-Method-Override: GET" header instead of _method=GET)</li>
<li>Get API token from "token" field from the response body</li>
<li>If the "token" value is empty/missing, show the string in the "message" field, and allow the user to retry</li>
</ul>
<p>Updated by Tom Clegg (tom@curii.com), 2020-03-24T17:38:00Z, <a href="https://dev.arvados.org/issues/16212?journal_id=83194">journal 83194</a></p>
<p>16212-pam-login @ <a class="changeset" title="16212: Add pam_ldap test. Arvados-DCO-1.1-Signed-off-by: Tom Clegg &lt;tom@tomclegg.ca&gt;" href="https://dev.arvados.org/projects/arvados/repository/arvados/revisions/4e0eb166fd808b32c10cccc2b4014a02edcf29a6">4e0eb166fd808b32c10cccc2b4014a02edcf29a6</a> adds a test that authenticates to an OpenLDAP server through PAM.</p>
<p>It's disabled by default because it's a bit heavy and requires docker. You can run it from run-tests.sh interactive mode with <code>test lib/controller/localdb -tags docker -check.f=LDAP</code>.</p>
<p>Updated by Peter Amstutz (peter.amstutz@curii.com), 2020-03-24T20:28:22Z, <a href="https://dev.arvados.org/issues/16212?journal_id=83199">journal 83199</a></p>
<p>The LDAP test is being uncooperative:</p>
<pre>
Adding example user entry user=foo pass=secret (retrying until server comes up)
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
failed to add user entry
ldap-25941
----------------------------------------------------------------------
FAIL: login_pam_docker_test.go:17: PamSuite.TestLoginLDAPViaPAM
login_pam_docker_test.go:22:
c.Check(err, check.IsNil)
... value *exec.ExitError = &exec.ExitError{ProcessState:(*os.ProcessState)(0xc000316000), Stderr:[]uint8(nil)} ("exit status 1")
OOPS: 0 passed, 1 FAILED
--- FAIL: Test (179.04s)
FAIL
</pre>
<p>Updated by Peter Amstutz (peter.amstutz@curii.com), 2020-03-24T23:37:28Z, <a href="https://dev.arvados.org/issues/16212?journal_id=83205">journal 83205</a></p>
<p>I'm trying to authenticate manually:</p>
<pre>
$ curl -XPOST -F username=foo -F password=bar -k https://172.17.0.2:8000/login?_method=GET
{"message":"Authentication failure"}
</pre>
<pre>
2020-03-24_23:27:59.01338 {"PID":6052,"RequestID":"req-19dm6gasl4kkmgtt4bcy","level":"info","msg":"request","remoteAddr":"127.0.0.1:36490","reqBytes":246,"reqForwardedFor":"172.17.0.1","reqHost":"172.17.0.2:8000","reqMethod":"POST","reqPath":"login","reqQuery":"_method=GET","time":"2020-03-24T23:27:59.013280588Z"}
2020-03-24_23:28:01.34490 {"PID":6052,"RequestID":"req-19dm6gasl4kkmgtt4bcy","level":"info","msg":"response","remoteAddr":"127.0.0.1:36490","reqBytes":246,"reqForwardedFor":"172.17.0.1","reqHost":"172.17.0.2:8000","reqMethod":"POST","reqPath":"login","reqQuery":"_method=GET","respBytes":37,"respStatus":"OK","respStatusCode":200,"time":"2020-03-24T23:28:01.344837921Z","timeToStatus":2.331543,"timeTotal":2.331551,"timeWriteBody":0.000007}
</pre>
<ul>
<li>Nothing logged indicating why it is rejected</li>
<li>Return code is 200, should be an error like 401 or 403</li>
</ul>
<p>Updated by Peter Amstutz (peter.amstutz@curii.com), 2020-03-25T13:42:22Z, <a href="https://dev.arvados.org/issues/16212?journal_id=83207">journal 83207</a></p>
<ul><li><strong>Target version</strong> changed from <i>2020-03-25 Sprint</i> to <i>2020-04-08 Sprint</i></li></ul>
<p>Updated by Peter Amstutz (peter.amstutz@curii.com), 2020-03-25T14:09:53Z, <a href="https://dev.arvados.org/issues/16212?journal_id=83241">journal 83241</a></p>
<ul><li><strong>Target version</strong> changed from <i>2020-04-08 Sprint</i> to <i>2020-03-25 Sprint</i></li></ul><p>Also <code>_method=GET</code> doesn't seem to work if it appears in the body of the request, only the query, so <a href="#note-8">#note-8</a> probably won't work</p>
<pre>
$ curl -XPOST -F username=foo -F password=bar -F _method=GET -k https://172.17.0.2:8000/login
{"errors":["API endpoint not found"]}
</pre>
<p>Using the override in the header seems to work (I still get Authentication failure though, with no information how to debug):</p>
<pre>
$ curl -XPOST -F username=foo -F password=bar -H "X-Http-Method-Override: GET" -k https://172.17.0.2:8000/login
{"message":"Authentication failure"}
</pre>
<p>Updated by Peter Amstutz (peter.amstutz@curii.com), 2020-03-25T14:12:26Z, <a href="https://dev.arvados.org/issues/16212?journal_id=83242">journal 83242</a></p>
<p>This branch also needs an install documentation update about how to use PAM.</p>
<p>Updated by Peter Amstutz (peter.amstutz@curii.com), 2020-03-25T14:34:44Z, <a href="https://dev.arvados.org/issues/16212?journal_id=83243">journal 83243</a></p>
<ul><li><strong>Target version</strong> changed from <i>2020-03-25 Sprint</i> to <i>2020-04-08 Sprint</i></li></ul>
<p>Updated by Peter Amstutz (peter.amstutz@curii.com), 2020-03-27T14:28:39Z, <a href="https://dev.arvados.org/issues/16212?journal_id=83288">journal 83288</a></p>
<p>I think this should support HTTP basic auth, because it would make it possible for Workbench 1 to support the new login strategy with little or no change.</p>
<ol>
<li>The workbench 1 login button sends you to the controller /login endpoint</li>
<li>It responds with 401 with supported method HTTP basic auth</li>
<li>The browser collects the username and password and resubmits using basic auth</li>
<li>Controller responds with a redirect back to workbench with the API token in the URL.</li>
</ol>
<p>Updated by Lucas Di Pentima (lucas.dipentima@curii.com), 2020-03-28T19:27:03Z, <a href="https://dev.arvados.org/issues/16212?journal_id=83295">journal 83295</a></p>
<p>I've been trying to send the <code>POST</code> request from WB2 and getting CORS problems. The following made the browser accept the outgoing request, is it correct?</p>
<pre><code class="diff syntaxhl"><span class="gh">diff --git a/lib/controller/router/router.go b/lib/controller/router/router.go
index 69d707703..b2fd5e4ff 100644
</span><span class="gd">--- a/lib/controller/router/router.go
</span><span class="gi">+++ b/lib/controller/router/router.go
</span><span class="p">@@ -382,11 +382,11 @@</span> func (rtr *router) addRoute(endpoint arvados.APIEndpoint, defaultOpts func() int
func (rtr *router) ServeHTTP(w http.ResponseWriter, r *http.Request) {
switch strings.SplitN(strings.TrimLeft(r.URL.Path, "/"), "/", 2)[0] {
<span class="gd">- case "login", "logout", "auth":
</span><span class="gi">+ case "logout", "auth":
</span> default:
w.Header().Set("Access-Control-Allow-Origin", "*")
w.Header().Set("Access-Control-Allow-Methods", "GET, HEAD, PUT, POST, PATCH, DELETE")
<span class="gd">- w.Header().Set("Access-Control-Allow-Headers", "Authorization, Content-Type")
</span><span class="gi">+ w.Header().Set("Access-Control-Allow-Headers", "Authorization, Content-Type, X-Http-Method-Override")
</span> w.Header().Set("Access-Control-Max-Age", "86486400")
}
if r.Method == "OPTIONS" {
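Review bot: removing "login" from the case list (the `- case "login", "logout", "auth":` / `+ case "logout", "auth":` change) turns the wildcard Access-Control-Allow-Origin: * policy on for every request whose first path segment is login, whatever the HTTP method, while logout and auth stay excluded; if only the new password POST needs cross-origin access, scope the change to that request rather than to the whole /login prefix, and add a comment stating why logout and auth remain outside the wildcard policy. Adding X-Http-Method-Override to Access-Control-Allow-Headers matches the override-based workaround, but the unchanged context line `w.Header().Set("Access-Control-Max-Age", "86486400")` (about 1001 days) looks like a typo for 86400 and is worth fixing in the same change.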
</code></pre>
<p>Updated by Lucas Di Pentima (lucas.dipentima@curii.com), 2020-03-30T18:13:14Z, <a href="https://dev.arvados.org/issues/16212?journal_id=83305">journal 83305</a></p>
<p>Workbench 2 PAM Login feature is (almost?) ready at commit: a308a27833843d90405b927ac491fea7c853b91c - branch <code>16212-login-form</code><br />I'm getting <code>Authentication failure</code> errors even if I started a fresh <code>arvbox</code> instance with the following config override file:</p>
<pre>
Clusters:
  x3sgo:
    Login:
      PAM: true
      PAMService: arvados
      ProviderAppID: ""
</pre>
<p>Updated by Lucas Di Pentima (lucas.dipentima@curii.com), 2020-03-31T13:35:42Z, <a href="https://dev.arvados.org/issues/16212?journal_id=83309">journal 83309</a></p>
<p>Working on a missing case on WB2: The ability to display the login form when selecting remote clusters with <code>Login.PAM: true</code></p>
<p>Updated by Tom Clegg (tom@curii.com), 2020-03-31T17:38:18Z, <a href="https://dev.arvados.org/issues/16212?journal_id=83311">journal 83311</a></p>
<p>I've updated this branch with a new endpoint (<code>POST /arvados/v1/users/authenticate</code>) for password authentication. This solves a few problems:</p>
<ul>
<li>This endpoint can safely accept CORS requests (cross-origin <code>GET /login</code> reqs can't be allowed because they might be forwarded to RailsAPI, which returns a token based on the request cookies/session -- and changing CORS based on auth config would be too fragile).</li>
<li>No _method=GET hack needed</li>
<li>No dual-personality LoginOptions struct</li>
</ul>
<p>Also fixed:</p>
<ul>
<li>Docker test: build an arvados-controller binary to use in the container, in case there are changes since the last time "install cmd/arvados-server" ran</li>
<li>Return 401 (or other suitable code) instead of 200 when authentication fails</li>
<li>More detail in failure messages. We don't get much information to convey, but at least we can mention the word PAM, and if the password is never even requested, we can mention that in case it's a useful clue.</li>
<li>If needed, pull the ldap server docker image explicitly before calling docker-run. Perhaps this will help avoid the timeout encountered in note-10.</li>
</ul>
<p>The case for HTTP authentication doesn't sound compelling to me. It invariably results in terrible UX. If we need something better than linking WB1 to WB2's login, I think it would make more sense to add a form on WB1.</p>
<p>Admin docs do need to be added but I don't think it's a blocker for merging the backend.</p>
<p>16212-pam-login @ <a class="changeset" title="16212: Merge branch 'master' Arvados-DCO-1.1-Signed-off-by: Tom Clegg &lt;tom@tomclegg.ca&gt;" href="https://dev.arvados.org/projects/arvados/repository/arvados/revisions/16b5f7275ffa2bd4347134f7269744f4cd4baa2a">16b5f7275ffa2bd4347134f7269744f4cd4baa2a</a> -- <a class="external" href="https://ci.arvados.org/view/Developer/job/developer-run-tests/1793/">developer-run-tests: #1793</a></p>
<p>Updated by Lucas Di Pentima (lucas.dipentima@curii.com), 2020-03-31T22:03:17Z, <a href="https://dev.arvados.org/issues/16212?journal_id=83319">journal 83319</a></p>
<p>Thanks for the fixes and more verbose messaging.</p>
<p>Using <code>arvbox</code> I'm having an issue on WB2 that I was just able to reproduce using curl.</p>
<p>The following (as per your docker test) fails:</p>
<pre>
$ curl -s --include -d username=foo -d password=bar -k https://controller:8000/arvados/v1/users/authenticate
HTTP/1.1 401 Unauthorized
Server: nginx/1.10.3
Date: Tue, 31 Mar 2020 21:58:09 GMT
Content-Type: application/json
Content-Length: 80
Connection: keep-alive
Access-Control-Allow-Headers: Authorization, Content-Type, X-Http-Method-Override
Access-Control-Allow-Methods: GET, HEAD, PUT, POST, PATCH, DELETE
Access-Control-Allow-Origin: *
Access-Control-Max-Age: 86486400
X-Content-Type-Options: nosniff
{"errors":["PAM: Authentication failure (with username \"foo\" and password)"]}
</pre>
<p>Then, if using curl with <code>-F</code>, it fails the same way as on WB2:</p>
<pre>
curl -s --include -X POST -F username=foo -F password=bar -k https://controller:8000/arvados/v1/users/authenticate
HTTP/1.1 401 Unauthorized
Server: nginx/1.10.3
Date: Tue, 31 Mar 2020 22:01:08 GMT
Content-Type: application/json
Content-Length: 77
Connection: keep-alive
Access-Control-Allow-Headers: Authorization, Content-Type, X-Http-Method-Override
Access-Control-Allow-Methods: GET, HEAD, PUT, POST, PATCH, DELETE
Access-Control-Allow-Origin: *
Access-Control-Max-Age: 86486400
X-Content-Type-Options: nosniff
{"errors":["PAM: Authentication failure (with username \"\" and password)"]}
</pre>
<p>Just for the record, I've run <code>arvbox shell</code> and created the <code>foo</code> user with password <code>bar</code>, it should be enough for the test to work, right?</p>
<p>Updated by Lucas Di Pentima (lucas.dipentima@curii.com), 2020-04-01T16:12:43Z, <a href="https://dev.arvados.org/issues/16212?journal_id=83327">journal 83327</a></p>
<p>Commit c217a294 at WB2 branch updates the login form to use the new endpoint and data url-encoding.</p>
<p>Still not able to fully test it as the PAM feature isn't working for me on arvbox, what may I be missing?</p>
<p>Updated by Lucas Di Pentima (lucas.dipentima@curii.com), 2020-04-01T16:43:58Z, <a href="https://dev.arvados.org/issues/16212?journal_id=83328">journal 83328</a></p>
<p>Figured out why it isn’t working on arvbox: because the process should be running as root, or else the auth process only works for the running process’ user… so I got into arvbox shell, set arvbox user a password, et voilà! :)</p>
<p>Taken from: <a class="external" href="https://pkg.go.dev/github.com/msteinert/pam?tab=doc#example-package-Authenticate">https://pkg.go.dev/github.com/msteinert/pam?tab=doc#example-package-Authenticate</a></p>
<p>So on arvbox (and anywhere else?), <code>arvados-controller</code> should be running as root.</p>
<p>Updated by Tom Clegg (tom@curii.com), 2020-04-01T20:01:07Z, <a href="https://dev.arvados.org/issues/16212?journal_id=83368">journal 83368</a></p>
<p>16212-pam-login @ <a class="changeset" title="16212: Return error for users/authenticate endpoint in SSO mode. Arvados-DCO-1.1-Signed-off-by: ..." href="https://dev.arvados.org/projects/arvados/repository/arvados/revisions/7010ed0b94f9c572f2f7220a2a1eb17b61325fe7">7010ed0b94f9c572f2f7220a2a1eb17b61325fe7</a> -- <a class="external" href="https://ci.arvados.org/view/Developer/job/developer-run-tests/1799/">developer-run-tests: #1799</a></p>
<ul>
<li>return a "u/p auth not available" error (instead of forwarding the request to Rails and getting a "not logged in" error) if the arvados/v1/users/authenticate endpoint is used when PAM is not enabled</li>
<li>handle the arvados/v1/users/authenticate endpoint in controller, even when ForceLegacyAPI14 mode is enabled (there is no legacy API for this)</li>
</ul>
<p>Updated by Peter Amstutz (peter.amstutz@curii.com), 2020-04-07T21:02:21Z, <a href="https://dev.arvados.org/issues/16212?journal_id=83411">journal 83411</a></p>
<p>I still can't seem to get this to work:</p>
<pre>
$ echo '{"username": "foo", "password": "bar"}' | curl -k -d- https://172.17.0.2:8000/arvados/v1/users/authenticate
{"errors":["PAM: Authentication failure (with username \"\" and password)"]}
$ curl -k -F username=foo -F password=bar https://172.17.0.2:8000/arvados/v1/users/authenticate
{"errors":["PAM: Authentication failure (with username \"\" and password)"]}
</pre>
<p>The fact that username is being returned as empty doesn't inspire confidence. It should probably specifically check and specifically send an error on blank username and/or password.</p>
<p>Updated by Peter Amstutz (peter.amstutz@curii.com), 2020-04-07T21:13:38Z, <a href="https://dev.arvados.org/issues/16212?journal_id=83412">journal 83412</a></p>
<p>We determined this works with <code>curl -d username=foo ...</code> instead of -F</p>
<p>Now it works. However, the "scopes" and "uuid" fields ought to have values:</p>
<pre>
$ curl -k -d username=foo -d password=bar https://172.17.0.2:8000/arvados/v1/users/authenticate
{"api_token":"v2/x1u39-gj3su-s3ehqzevde7h9tz/5fpfi2ldbvl9hwd5ixwaoloujk8wpt1aifecc135qgtkmuw9da","expires_at":"","kind":"arvados#aPIClientAuthorization","scopes":null,"uuid":""}
</pre>
<p>Updated by Tom Clegg (tom@curii.com), 2020-04-07T21:27:17Z, <a href="https://dev.arvados.org/issues/16212?journal_id=83414">journal 83414</a></p>
<p>Updated to return the full record. But now that it's a real api_client_authorization record, the api_token field only has the "secret" part, not the <code>v2/$uuid/</code> part, so the wb2 code will need to change accordingly.</p>
<p>16212-pam-login @ <a class="changeset" title="16212: Populate all api_client_auth fields. Arvados-DCO-1.1-Signed-off-by: Tom Clegg &lt;tom@tomcle..." href="https://dev.arvados.org/projects/arvados/repository/arvados/revisions/5a1b5b69bbd4aa6995164eefab7d7cea52ee40ed">5a1b5b69bbd4aa6995164eefab7d7cea52ee40ed</a> -- <a class="external" href="https://ci.arvados.org/view/Developer/job/developer-run-tests/1803/">developer-run-tests: #1803</a></p>
<p>Updated by Peter Amstutz (peter.amstutz@curii.com), 2020-04-07T21:47:45Z, <a href="https://dev.arvados.org/issues/16212?journal_id=83415">journal 83415</a></p>
<p>The LDAP test still won't start for me. I don't know if it is because of arvbox docker-in-docker or something else.</p>
<p>I'm inclined to say merge it because unix PAM works but leave the LDAP story open until we have a reliable PAM-LDAP test running somewhere (could be on jenkins).</p>
<p>Updated by Lucas Di Pentima (lucas.dipentima@curii.com), 2020-04-07T21:54:00Z, <a href="https://dev.arvados.org/issues/16212?journal_id=83416">journal 83416</a></p>
<p>Commit 2c1a7eb9 at <code>16212-login-form</code> (wb2 branch) assembles <code>v2</code> token from controller's response.</p>
<p>Updated by Tom Clegg (tom@curii.com), 2020-04-08T15:35:44Z, <a href="https://dev.arvados.org/issues/16212?journal_id=83433">journal 83433</a></p>
<ul><li><strong>Target version</strong> changed from <i>2020-04-08 Sprint</i> to <i>2020-04-22</i></li></ul>
<p>Updated by Peter Amstutz (peter.amstutz@curii.com), 2020-04-15T21:21:54Z, <a href="https://dev.arvados.org/issues/16212?journal_id=83568">journal 83568</a></p>
<ul><li><strong>Blocks</strong> deleted (<i><a class="issue tracker-2 status-3 priority-4 priority-default closed parent" href="/issues/15881">Feature #15881</a>: [controller] LDAP login support</i>)</li></ul>
<p>Updated by Peter Amstutz (peter.amstutz@curii.com), 2020-04-22T14:44:55Z, <a href="https://dev.arvados.org/issues/16212?journal_id=83615">journal 83615</a></p>
<ul><li><strong>Target version</strong> changed from <i>2020-04-22</i> to <i>2020-05-06 Sprint</i></li></ul>
<p>Updated by Tom Clegg (tom@curii.com), 2020-04-22T21:12:27Z, <a href="https://dev.arvados.org/issues/16212?journal_id=83711">journal 83711</a></p>
<p>16212-pam-install-docs @ <a class="changeset" title="16212: Add PAM authentication option to install docs. Arvados-DCO-1.1-Signed-off-by: Tom Clegg &lt;..." href="https://dev.arvados.org/projects/arvados/repository/arvados/revisions/5792ec3a8ddfdba959da5c09dfa1be4ac7472c20">5792ec3a8ddfdba959da5c09dfa1be4ac7472c20</a> -- <a class="external" href="https://ci.arvados.org/view/Developer/job/developer-run-tests/1823/">developer-run-tests: #1823</a></p>
<p>Updated by Tom Clegg (tom@curii.com), 2020-04-23T15:05:33Z, <a href="https://dev.arvados.org/issues/16212?journal_id=83715">journal 83715</a></p>
<ul><li><strong>File</strong> <a href="/attachments/2526">16212-docs.png</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/2526/16212-docs.png">16212-docs.png</a> added</li></ul><p><img src="https://dev.arvados.org/attachments/download/2526/16212-docs.png" alt="16212-docs.png" /></p>
<p>Updated by Peter Amstutz (peter.amstutz@curii.com), 2020-04-23T18:50:18Z, <a href="https://dev.arvados.org/issues/16212?journal_id=83748">journal 83748</a></p>
<p>Feel like this could be expanded at least a little bit about what PAM is (I don't see "Portable Authentication Module" spelled out anywhere), why you might want to use it, and a link to somewhere like <a class="external" href="http://www.linux-pam.org/">http://www.linux-pam.org/</a> for more information.</p>
<p>Updated by Peter Amstutz (peter.amstutz@curii.com), 2020-04-23T19:29:55Z, <a href="https://dev.arvados.org/issues/16212?journal_id=83749">journal 83749</a></p>
<p>reviewing 16212-login-form @ 2c1a7eb9248df217c86caf1685a05d5a2aaaac84</p>
<p>First couple of comments, I haven't actually tried it yet:</p>
<ul>
<li>is it possible to add some Cypress testing, now that it is merged -- need to figure out how to have an authenticate endpoint for testing</li>
<li>This is looking at the Login.PAM flag. This requires a backend tweak but it would be better if the configuration just advertises whether to use 'login' or 'authenticate' and wb2 doesn't need to know whether the backend is SSO or Google or LDAP or PAM or something else.</li>
</ul>
<p>Updated by Peter Amstutz (peter.amstutz@curii.com), 2020-04-23T20:26:00Z, <a href="https://dev.arvados.org/issues/16212?journal_id=83750">journal 83750</a></p>
<p>I tried to load workbench2 and it failed:</p>
<pre>
TypeError: Object(...) is not a function
./src/views-components/login-form/login-form.tsx/LoginForm<
src/workbench2/src/views-components/login-form/login-form.tsx:54
51 |
52 | export const LoginForm = withStyles(styles)(
53 | ({ handleSubmit, loginLabel, dispatch, classes }: LoginFormProps) => {
> 54 | const userInput = useRef<HTMLInputElement>(null);
55 | const [username, setUsername] = useState('');
56 | const [password, setPassword] = useState('');
57 | const [isButtonDisabled, setIsButtonDisabled] = useState(true);
</pre>
<p>Updated by Peter Amstutz (peter.amstutz@curii.com), 2020-04-23T20:35:50Z, <a href="https://dev.arvados.org/issues/16212?journal_id=83751">journal 83751</a></p>
<p>Peter Amstutz wrote:</p>
<blockquote>
<p>I tried to load workbench2 and it failed:</p>
<p>[...]</p>
</blockquote>
<p>I needed to update modules, after <code>yarn install</code> it worked.</p>
<p>Updated by Peter Amstutz (peter.amstutz@curii.com), 2020-04-23T21:26:14Z, <a href="https://dev.arvados.org/issues/16212?journal_id=83752">journal 83752</a></p>
<p>From chat:</p>
<p>PAM only provides a username. Currently the PAM support also fills in the email address field, which is either username@domain (if configured) or just the username. First_name and last_name are blank.</p>
<p>As a result, there are places in the UI where the user display is blank.</p>
<ul>
<li>The top of the user menu is blank.</li>
<li>The sharing dialog shows &lt;email&gt; in search but then the chip is blank</li>
</ul>
<p>Proposed solution: add a generic "user display name" function and use that everywhere.</p>
<p>Display strategy is A: first/last names, B: email, C: username</p>
<p>Updated by Lucas Di Pentima (lucas.dipentima@curii.com), 2020-04-28T16:47:01Z, <a href="https://dev.arvados.org/issues/16212?journal_id=83785">journal 83785</a></p>
<p>Updates at commit 1866fb495 (wb2 repo) address the comments from the note above.<br />Test run: <a class="external" href="https://ci.arvados.org/view/Developer/job/developer-tests-workbench2/23/">developer-tests-workbench2: #23</a></p>
<p>On the particular sharing dialog case, I had to do some refactoring to clean that up, and took the opportunity to properly name the <code>PeopleSelect</code> component that wasn't just offering 'people selection' but also groups.<br />One thing that I'm not sure is a good idea is that the component makes requests to the API server while the user types to do auto-completion, and it just asks for the first 5 items using <code>limit</code>. I left it that way but if we're going to remove that limit, will have to see how to avoid the UI covering the input field whenever too many items are listed.</p>
<p>Updated by Lucas Di Pentima (lucas.dipentima@curii.com), 2020-04-28T18:28:14Z, <a href="https://dev.arvados.org/issues/16212?journal_id=83786">journal 83786</a></p>
<p>Updates at <a class="changeset" title="16212: Exports Login.Endpoint new config item to hint WB2 the auth method. Also, unexports Login..." href="https://dev.arvados.org/projects/arvados/repository/arvados/revisions/4d3cc2eb8f4c6e3eaecbcd3a7c0625dcbd10ffa0">4d3cc2eb8</a> - branch <code>16212-login-endpoint-exported-config</code><br />Test run: <a class="external" href="https://ci.arvados.org/job/developer-run-tests/1829/">developer-run-tests: #1829</a></p>
<ul>
<li>Unexports config <code>Login.PAM</code></li>
<li>Adds exported config <code>Login.Endpoint</code> with default value <code>login</code></li>
</ul>
<p>Updated by Lucas Di Pentima (lucas.dipentima@curii.com), 2020-04-28T18:43:16Z, <a href="https://dev.arvados.org/issues/16212?journal_id=83788">journal 83788</a></p>
<p>Updates at commit <code>eda123a5</code> (wb2 repo) - branch <code>16212-login-form</code><br />Test run: <a class="external" href="https://ci.arvados.org/view/Developer/job/developer-tests-workbench2/24/">developer-tests-workbench2: #24</a></p>
<ul>
<li>Uses <code>Login.Endpoint</code> exported config to decide whether to show the login button or form</li>
</ul>
<p>Updated by Peter Amstutz (peter.amstutz@curii.com), 2020-04-28T20:24:47Z, <a href="https://dev.arvados.org/issues/16212?journal_id=83789">journal 83789</a></p>
<p>Lucas Di Pentima wrote:</p>
<blockquote>
<p>Updates at <a class="changeset" title="16212: Exports Login.Endpoint new config item to hint WB2 the auth method. Also, unexports Login..." href="https://dev.arvados.org/projects/arvados/repository/arvados/revisions/4d3cc2eb8f4c6e3eaecbcd3a7c0625dcbd10ffa0">4d3cc2eb8</a> - branch <code>16212-login-endpoint-exported-config</code><br />Test run: <a class="external" href="https://ci.arvados.org/job/developer-run-tests/1829/">developer-run-tests: #1829</a></p>
<ul>
<li>Unexports config <code>Login.PAM</code></li>
<li>Adds exported config <code>Login.Endpoint</code> with default value <code>login</code></li>
</ul>
</blockquote>
<p>Could the config loader set this automatically based on which login method is enabled? Then it doesn't need to be mentioned anywhere in config.default.yml.</p>
<p>Updated by Lucas Di Pentima (lucas.dipentima@curii.com), 2020-04-29T20:34:33Z, <a href="https://dev.arvados.org/issues/16212?journal_id=83809">journal 83809</a></p>
<p>The following discussion went on chat about adding a computed config knob about login endpoints:</p>
<pre>
[...]
Lucas Di Pentima @ldipenti 16:57
When I try to run the arvados boot, with a config that has a zzzzz cluster, xxxxx still appears, and errors out because all login options are disabled
Tom Clegg @tomclegg 16:58
Maybe it shouldn't become an error to have no login options enabled.
I know, that means no user can login via web, but there are other ways of getting tokens -- e.g., while you're setting up a new cluster and you don't need more strictly ordered sequences of install steps.
Lucas Di Pentima @ldipenti 17:00
Ok, will refine the check, thanks
Tom Clegg @tomclegg 17:00
yw
Lucas Di Pentima @ldipenti 17:01
Other thing I saw, if we start using this kind of computed configs, if they’re not listed on the default config they’ll be notified as deprecated or unknown
Tom Clegg @tomclegg 17:02
I see why you're adding it (because exported config is a subset of actual config), but don't love the idea of adding a config file entry that isn't actually a config knob.
Lucas Di Pentima @ldipenti 17:02
OTOH, adding those to the default config exposes them to the public
Tom Clegg @tomclegg 17:02
IOW, "computed config" isn't config.
Lucas Di Pentima @ldipenti 17:02
right :)
had a funny smell my approach
So, should I make exported config not a strict config subset?
Tom Clegg @tomclegg 17:03
So I wonder what our other options are. I had decided to just export PAM and leave the pam-awareness in wb/wb2 for now, even though ideally it should be abstracted out.
Lucas Di Pentima @ldipenti 17:04
Yes, that was the way it worked in the branch some weeks ago :D
the issue that I think I talked about with @tetron is what would happen when LDAP is added
Tom Clegg @tomclegg 17:06
Frankly that's still my preferred approach. It's simple, and relegated to about 2 LOC. The alternative (so far) touches lots of places and makes more weirdness.
Maybe we can fix it between now and LDAP (or expand it to "PAM || LDAP") instead of getting hung up on it here.
Or we can pause here and figure out the real answer to "server config as needed by an API client is not actually a strict subset of server config as seen by a human admin"
e.g., is this something that really belongs in the discovery doc? (remembering that the DD already has lots of things that don't belong there)
Tom Clegg @tomclegg 17:11
The distinction between "exported config" and "api discovery doc" is fuzzy
Lucas Di Pentima @ldipenti 17:11
You mean, putting the Endpoint as a DD data instead of exported config?
I think it makes more sense to put it on the DD, as it’s a mixed bag of things, and not to put it on the exported config, avoiding making that another mixed bag of things in the process.
Tom Clegg @tomclegg 17:13
Hm. Maybe we should follow the crunch1 example. Advertise the endpoint(s) that can actually work.
So delete /login or /authenticate from the discovery doc, depending on pam. This is a bit sketchy given our discovery doc caching strategy, though.
Lucas Di Pentima @ldipenti 17:16
Ok, will go that way! Caching may not be an issue as it isn’t something that changes frequently
Tom Clegg @tomclegg 17:16
You know ... I think we should just leave it as PAM: true for now. Specifying one of two endpoints isn't a good solution anyway -- it can't support enabling multiple auth mechanisms, which surely we'll want soon enough.
</pre>
<p>So, branch <code>16212-login-endpoint-exported-config</code> isn't needed anymore.</p>
<p>As for the wb2 branch <code>16212-login-form</code>, I rebased it to drop the commit that changed config's use from <code>Login.PAM</code> to <code>Login.Endpoint</code>, so now it's on commit <code>63ee9df09</code> (wb2 repo of course, is there a way to link commit from that repo here?), with a couple of new integration tests.<br />Test run: <a class="external" href="https://ci.arvados.org/view/Developer/job/developer-tests-workbench2/25/">developer-tests-workbench2: #25 <img src="https://ci.arvados.org/buildStatus/icon?job=developer-tests-workbench2&build=25" alt="" /></a></p> Arvados - Feature #16212: Can choose PAM as an authentication backend | https://dev.arvados.org/issues/16212?journal_id=83873 | 2020-04-30T20:45:03Z | Peter Amstutz (peter.amstutz@curii.com)
<p>Lucas Di Pentima wrote:</p>
<blockquote>
<p>The following discussion went on chat about adding a computed config knob about login endpoints:</p>
<p>[...]</p>
</blockquote>
<p>I guess I've been outvoted, then.</p>
<blockquote>
<p>So, branch <code>16212-login-endpoint-exported-config</code> isn't needed anymore.</p>
<p>As for the wb2 branch <code>16212-login-form</code>, I rebased it to drop the commit that changed config's use from <code>Login.PAM</code> to <code>Login.Endpoint</code>, so now it's on commit <code>63ee9df09</code> (wb2 repo of course, is there a way to link commit from that repo here?), with a couple of new integration tests.<br />Test run: <a class="external" href="https://ci.arvados.org/view/Developer/job/developer-tests-workbench2/25/">developer-tests-workbench2: #25 <img src="https://ci.arvados.org/buildStatus/icon?job=developer-tests-workbench2&build=25" alt="" /></a></p>
</blockquote>
<p>LGTM.</p> Arvados - Feature #16212: Can choose PAM as an authentication backend | https://dev.arvados.org/issues/16212?journal_id=83884 | 2020-05-01T18:28:32Z | Tom Clegg (tom@curii.com)
<p>Peter Amstutz wrote:</p>
<blockquote>
<p>Feel like this could be expanded at least a little bit about what PAM is (I don't see "Portable Authentication Module" spelled out anywhere), why you might want to use it, and a link to somewhere like <a class="external" href="http://www.linux-pam.org/">http://www.linux-pam.org/</a> for more information.</p>
</blockquote>
<p>16212-pam-install-docs @ <a class="changeset" title="16212: Merge branch 'master' Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tom@tomclegg.ca>" href="https://dev.arvados.org/projects/arvados/repository/arvados/revisions/44a02057129016d806b32cc5478bdffef1a565f8">44a02057129016d806b32cc5478bdffef1a565f8</a></p> Arvados - Feature #16212: Can choose PAM as an authentication backend | https://dev.arvados.org/issues/16212?journal_id=83886 | 2020-05-01T18:48:22Z | Peter Amstutz (peter.amstutz@curii.com)
<p>Tom Clegg wrote:</p>
<blockquote>
<p>Peter Amstutz wrote:</p>
<blockquote>
<p>Feel like this could be expanded at least a little bit about what PAM is (I don't see "Portable Authentication Module" spelled out anywhere), why you might want to use it, and a link to somewhere like <a class="external" href="http://www.linux-pam.org/">http://www.linux-pam.org/</a> for more information.</p>
</blockquote>
<p>16212-pam-install-docs @ <a class="changeset" title="16212: Merge branch 'master' Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tom@tomclegg.ca>" href="https://dev.arvados.org/projects/arvados/repository/arvados/revisions/44a02057129016d806b32cc5478bdffef1a565f8">44a02057129016d806b32cc5478bdffef1a565f8</a></p>
</blockquote>
<p>Thanks, that's exactly what I had in mind. LGTM.</p> Arvados - Feature #16212: Can choose PAM as an authentication backend | https://dev.arvados.org/issues/16212?journal_id=83911 | 2020-05-04T17:30:39Z | Tom Clegg (tom@curii.com)
<ul><li><strong>Status</strong> changed from <i>In Progress</i> to <i>Resolved</i></li></ul> Arvados - Feature #16212: Can choose PAM as an authentication backend | https://dev.arvados.org/issues/16212?journal_id=87663 | 2020-10-07T02:11:53Z | Peter Amstutz (peter.amstutz@curii.com)
<ul><li><strong>Release</strong> set to <i>25</i></li></ul>