Bug #48306
Feature #48314: mgr/dashboard: reverse proxy support
mgr/dashboard: Unable accessing dashboard SSO via reverse proxy with mixed mode (HTTP-HTTPS)
Description
I have set up a Ceph cluster on Kubernetes with Rook. We have SSL offloading outside Kubernetes, so we configured the Ceph dashboard with SSL false.
After we enable SSO with the following command:
ceph dashboard sso setup saml2 https://<hostname> <metadata.xml>
The Ceph dashboard successfully redirects to our SAML server, but the RelayState of the SAML request is http://<hostname>/auth/saml2/login instead of https://<hostname>/auth/saml2/login.
As a result, the SAML login failed with the message:
{"is_authenticated": false, "errors": ["invalid_response"], "reason": "The response was received at http://<hostname>/auth/saml2 instead of https://<hostname>/auth/saml2"}
I have also tried to set up saml2 with hostname http://, but the SAML server (ADFS) doesn't allow us to use http for the login endpoint.
What you expected to happen:
Able to tell Ceph to set the RelayState protocol to HTTPS
Dockerfile I use to install python3-saml in the container:
FROM ceph/ceph:v15.2.5
RUN dnf install -y python3-xmlsec
RUN yes | pip3 install python3-saml
Environment:
- OS (e.g. from /etc/os-release): Red Hat Enterprise Linux Atomic Host 7.7.2
- Kernel (e.g. uname -a): 3.10.0-1062.4.1.el7.x86_64
- Docker version (e.g. docker version): 1.13.1
- Ceph version (e.g. ceph -v): 15.2.5
History
#1 Updated by Ernesto Puerta about 3 years ago
- Parent task set to #48314
#2 Updated by Ernesto Puerta about 3 years ago
- Subject changed from Unable accessing dashboard SSO via reverse proxy to mgr/dashboard: Unable accessing dashboard SSO via reverse proxy
#3 Updated by Ernesto Puerta almost 3 years ago
- Status changed from New to Triaged
- Assignee set to Alfonso Martínez
- Target version changed from v15.2.5 to v16.0.0
- Backport set to nautilus, octopus
- Affected Versions v14.0.0, v14.2.0, v14.2.1, v14.2.10, v14.2.11, v14.2.12, v14.2.13, v14.2.14, v14.2.15, v14.2.16, v14.2.2, v14.2.3, v14.2.4, v14.2.5, v14.2.6, v14.2.7, v14.2.8, v14.2.9, v15.0.0, v15.2.1, v15.2.2, v15.2.3, v15.2.4, v15.2.6, v15.2.7, v15.2.8, v16.0.0 added
#4 Updated by Ernesto Puerta over 2 years ago
- Subject changed from mgr/dashboard: Unable accessing dashboard SSO via reverse proxy to mgr/dashboard: Unable accessing dashboard SSO via reverse proxy with mixed mode (HTTP-HTTPS)
#5 Updated by Alfonso Martínez over 2 years ago
- Status changed from Triaged to Rejected
- Assignee changed from Alfonso Martínez to Ernesto Puerta
As per our conversation in the 2021-05-20 backlog grooming meeting,
the correct solution here is to enable HTTPS in the Dashboard.
#6 Updated by Tareq Sharafy about 2 years ago
Hi Alfonso,
I am facing a similar problem. I run a Ceph mgr provisioned by Rook inside a Kubernetes cluster. An Istio is exposed externally and acts as a reverse proxy for all the servers that run inside the cluster. Istio itself receives the traffic as TLS and forwards it to the Ceph mgr as plaintext HTTP. I enable SAML 2.0 SSO and the callback fails with a similar error as above (received http, expected https). Enabling/disabling SSL does not change anything.
ceph config set mgr mgr/dashboard/ssl true/false
Any ideas?
Thank you
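
The mismatch reported in this thread, as an added example that is not part of the thread and is not Ceph dashboard code: a SAML toolkit rebuilds the URL it was reached at from the backend request, so behind TLS offloading it computes http:// while the IdP's Destination says https://. The dict keys follow python3-saml's request-data convention; the function names, the proxy network, the hostname and the sample request are constructed assumptions, and `received_at` is a simplified stand-in for the toolkit's own URL reconstruction.

```python
import ipaddress

# Assumption: network of the TLS-terminating proxy (constructed value).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]

# Constructed sample: what the backend sees after the proxy strips TLS.
SAMPLE_ENVIRON = {
    "wsgi.url_scheme": "http",
    "HTTP_HOST": "dashboard.example.com",
    "PATH_INFO": "/auth/saml2",
    "REMOTE_ADDR": "10.0.0.5",
    "HTTP_X_FORWARDED_PROTO": "https",
}
DESTINATION = "https://dashboard.example.com/auth/saml2"  # as sent by the IdP


def effective_scheme(environ):
    """Scheme the browser used; X-Forwarded-Proto counts only from a trusted peer."""
    scheme = environ.get("wsgi.url_scheme", "http")
    peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", "0.0.0.0"))
    # Assumes the proxy overwrites the header; a list or odd value is ignored.
    forwarded = environ.get("HTTP_X_FORWARDED_PROTO", "").strip().lower()
    if forwarded in ("http", "https") and any(peer in n for n in TRUSTED_PROXIES):
        return forwarded
    return scheme


def saml_request_data(environ, honor_proxy):
    """Build the request dict in the shape python3-saml expects."""
    backend = environ.get("wsgi.url_scheme", "http")
    scheme = effective_scheme(environ) if honor_proxy else backend
    return {
        "https": "on" if scheme == "https" else "off",
        "http_host": environ["HTTP_HOST"],
        "script_name": environ.get("PATH_INFO", ""),
        "get_data": {},
        "post_data": {},
    }


def received_at(data):
    """URL the service provider believes the response arrived at."""
    scheme = "https" if data["https"] == "on" else "http"
    return f"{scheme}://{data['http_host']}{data['script_name']}"


def destination_ok(data, destination):
    """Destination check: reconstructed URL must equal the IdP's Destination."""
    return received_at(data) == destination
```

With `honor_proxy=False` the sample reproduces the reported "received at http:// instead of https://" failure; a forwarded header arriving from an address outside `TRUSTED_PROXIES` is ignored, so a client cannot set the scheme itself.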