Project

General

Profile

Bug #48306

Feature #48314: mgr/dashboard: reverse proxy support

mgr/dashboard: Unable accessing dashboard SSO via reverse proxy

Added by Samson Hui 2 months ago. Updated about 1 month ago.

Status:
Triaged
Priority:
Normal
Assignee:
Alfonso Martínez
Category:
dashboard/auth-sso
Target version:
Ceph - v16.0.0
% Done:

0%

Source:
Community (user)
Tags:
Backport:
nautilus, octopus
Regression:
No
Severity:
3 - minor
Reviewed:
Affected Versions:
Ceph - v14.0.0, Ceph - v14.2.0, Ceph - v14.2.1, Ceph - v14.2.10, Ceph - v14.2.11, Ceph - v14.2.12, Ceph - v14.2.13, Ceph - v14.2.14, Ceph - v14.2.15, Ceph - v14.2.16, Ceph - v14.2.2, Ceph - v14.2.3, Ceph - v14.2.4, Ceph - v14.2.5, Ceph - v14.2.6, Ceph - v14.2.7, Ceph - v14.2.8, Ceph - v14.2.9, Ceph - v15.0.0, Ceph - v15.2.1, Ceph - v15.2.2, Ceph - v15.2.3, Ceph - v15.2.4, Ceph - v15.2.5, Ceph - v15.2.6, Ceph - v15.2.7, Ceph - v15.2.8, Ceph - v16.0.0
ceph-qa-suite:
Pull request ID:
Crash signature:

Description

I have set up a Ceph cluster on Kubernetes with Rook, we have SSL offloading outside Kubernetes so we config the Ceph dashboard with SSL false.

After we enable SSO with the following command

ceph dashboard sso setup saml2 https://<hostname> <metadata.xml>

Ceph dashboard successfully redirect to our SAML server, but the RelayState of the SAML request is http://&lt;hostname&gt;/auth/saml2/login instead of https://&lt;hostname&gt;/auth/saml2/login
As the result, SAML login failed with message

{"is_authenticated": false, "errors": ["invalid_response"], "reason": "The response was received at http://<hostname>/auth/saml2 instead of https://<hostname>/auth/saml2"}

I have also try tho setup saml2 with hostname http://, but the SAML server (ADFS) don't allow us the use http for login endpoint.

What you expected to happen:

Able to tell Ceph to set the RelayState protocol to HTTPS

Dockerfile I use to install python3-saml to the container

FROM ceph/ceph:v15.2.5
RUN dnf install -y python3-xmlsec
RUN yes | pip3 install python3-saml
Environment:
  • OS (e.g. from /etc/os-release): Red Hat Enterprise Linux Atomic Host 7.7.2
  • Kernel (e.g. uname -a): 3.10.0-1062.4.1.el7.x86_64
  • Docker version (e.g. docker version): 1.13.1
  • Ceph version (e.g. ceph -v): 15.2.5

History

#1 Updated by Ernesto Puerta 2 months ago

  • Parent task set to #48314

#2 Updated by Ernesto Puerta 2 months ago

  • Subject changed from Unable accessing dashboard SSO via reverse proxy to mgr/dashboard: Unable accessing dashboard SSO via reverse proxy

#3 Updated by Ernesto Puerta about 1 month ago

  • Status changed from New to Triaged
  • Assignee set to Alfonso Martínez
  • Target version changed from v15.2.5 to v16.0.0
  • Backport set to nautilus, octopus
  • Affected Versions v14.0.0, v14.2.0, v14.2.1, v14.2.10, v14.2.11, v14.2.12, v14.2.13, v14.2.14, v14.2.15, v14.2.16, v14.2.2, v14.2.3, v14.2.4, v14.2.5, v14.2.6, v14.2.7, v14.2.8, v14.2.9, v15.0.0, v15.2.1, v15.2.2, v15.2.3, v15.2.4, v15.2.6, v15.2.7, v15.2.8, v16.0.0 added

Also available in: Atom PDF