Feature #56429

open

mgr/dashboard: Remote user authentication (e.g. via apache2)

Added by Jan Graichen almost 2 years ago. Updated 15 days ago.

Status:
Need More Info
Priority:
Normal
Assignee:
Category:
-
Target version:
-
% Done:

0%

Source:
Tags:
Backport:
Reviewed:
Affected Versions:
Pull request ID:

Description

Authenticate users using a header from a trusted reverse proxy in front of the mgr dashboard.

This enables cluster administrators to instantly use many other ways to authenticate users, for example, using apache2 auth modules:

- LDAP
- OpenID Connect
- TLS client certs
- MFA
- External auth requests

This greatly eases integrating the Ceph Dashboard into existing environments, such as non-SAML SSO portals, specific MFA methods, or just simple authentication with LDAP.

Target persona

Examples...

Context

A reverse proxy, such as apache2, handles the actual authentication. It adds a configurable header to all requests to the mgr/dashboard, for example `X-Remote-User: username`. Many authentication methods are already available for e.g. apache2.

Many plugins also support passing extra headers, such as groups, which could be used to pass roles to mgr/dashboard, e.g. `X-Remote-Roles: block-manager, cephfs-manager`. This would allow for automatic user creation (or just keeping the current in-memory handling is also possible), to greatly ease onboarding for new users, as all manual set-up steps can be skipped.

mgr/dashboard would have to accept these headers only from a trusted reverse proxy source. A setting could specify trusted IP ranges, e.g. `::1/128, 127.0.0.0/8`. The header would only be accepted if the connection comes from a source in that range.
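As an added illustration of the trusted-source check and header handling described above (example code written for this page, not part of the feature request and not code from the Ceph mgr/dashboard), the following Python sketch accepts the remote-user and roles headers only when the TCP peer address lies inside a configured trusted range, and otherwise ignores the headers entirely. The setting names `TRUSTED_PROXIES`, `USER_HEADER` and `ROLES_HEADER`, the `authenticate_remote_user` function and the in-memory `UserStore` are hypothetical names chosen for the example. The address passed in must be the real socket peer address; a forwarded-for style header is itself client-supplied and cannot be used for this decision.

```python
# Added example: header-based remote-user authentication behind a trusted
# reverse proxy. Hypothetical setting names; not Ceph mgr/dashboard code.
import ipaddress
from typing import Dict, List, Optional

# Hypothetical settings mirroring the ranges proposed in the feature request.
TRUSTED_PROXIES = ["::1/128", "127.0.0.0/8"]
USER_HEADER = "X-Remote-User"
ROLES_HEADER = "X-Remote-Roles"


def _parse_networks(cidrs: List[str]) -> List[ipaddress._BaseNetwork]:
    # strict=False tolerates host bits being set, e.g. "10.0.0.1/8".
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def source_is_trusted(remote_addr: str, trusted: List[str] = TRUSTED_PROXIES) -> bool:
    """True only if the socket peer address is inside a configured trusted range.

    An unparsable address is treated as untrusted rather than raising, so a
    malformed value can never fall through to header-based authentication."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in _parse_networks(trusted))


def parse_roles(header_value: Optional[str]) -> List[str]:
    """Split 'block-manager, cephfs-manager' into a de-duplicated, ordered list."""
    if not header_value:
        return []
    seen, roles = set(), []
    for part in header_value.split(","):
        name = part.strip()
        if name and name not in seen:
            seen.add(name)
            roles.append(name)
    return roles


def authenticate_remote_user(remote_addr: str, headers: Dict[str, str],
                             trusted: List[str] = TRUSTED_PROXIES) -> Optional[dict]:
    """Return {'username': ..., 'roles': [...]} or None.

    The headers are not even looked at unless the peer is a trusted proxy, so a
    client that reaches the dashboard directly cannot assert an identity."""
    if not source_is_trusted(remote_addr, trusted):
        return None
    # HTTP header names are case-insensitive; normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    username = (lowered.get(USER_HEADER.lower()) or "").strip()
    if not username:
        return None
    return {"username": username, "roles": parse_roles(lowered.get(ROLES_HEADER.lower()))}


class UserStore:
    """Minimal in-memory store showing the 'create user' step from the design:
    a first-seen user is created, a known user's roles are synced from the proxy."""

    def __init__(self) -> None:
        self.users: Dict[str, List[str]] = {}

    def get_or_create(self, identity: dict) -> dict:
        name = identity["username"]
        created = name not in self.users
        self.users[name] = list(identity["roles"])
        return {"username": name, "roles": self.users[name], "created": created}


if __name__ == "__main__":
    # Constructed sample requests: one via the local proxy, one spoofed directly.
    hdrs = {"X-Remote-User": "john", "X-Remote-Roles": "block-manager, cephfs-manager"}
    print(authenticate_remote_user("127.0.0.1", hdrs))   # accepted
    print(authenticate_remote_user("203.0.113.5", hdrs)) # None: untrusted source
```

The check is deliberately performed on the peer address before any header is read, so the worst a direct client can do is be treated as unauthenticated; widening `TRUSTED_PROXIES` beyond the proxy hosts is what would turn the header into a self-asserted identity.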

Design

Example: LDAP

┌───────────┐              ┌───────────┐             ┌───────────┐           ┌───────────────┐
│           │              │           │             │           │           │               │
│  Browser  │              │  Apache2  │             │   LDAP    │           │ mgr/dashboard │
│           │              │           │             │           │           │               │
└─────┬─────┘              └─────┬─────┘             └─────┬─────┘           └───────┬───────┘
      │                          │                         │                         │
     ┌┴┐                         │                         │                         │
     │ │         GET /           │                         │                         │
     │ ├────────────────────────┬┴┐                        │                         │
     │ │                        │ │                        │                         │
     │ │     Unauthorized       │ │                        │                         │
     │ ├────────────────────────┴┬┘                        │                         │
     │ │                         │                         │                         │
     │ ├─────┐                   │                         │                         │
     │ │     │request username   │                         │                         │
     │ │     │and password       │                         │                         │
     │ ├─────┘                   │                         │                         │
     │ │                         │                         │                         │
     │ │   GET /                 │                         │                         │
     │ │   Authorization: ...    │                         │                         │
     │ ├────────────────────────┬┴┐   check user/pass      │                         │
     │ │                        │ ├──────────────────────►┌┴┐                        │
     │ │                        │ │                       │ │                        │
     │ │                        │ │  OK: contains groups  │ │                        │
     │ │                        │ │◄──────────────────────┴┬┘                        │
     │ │                        │ │                        │                         │
     │ │                        │ │   GET /                                          │
     │ │                        │ │   X-Remote-User: john                            │
     │ │                        │ │   X-Remote-Role: block-manager, cephfs-manager   │
     │ │                        │ ├────────────────────────────────────────────────►┌┴┐
     │ │                        │ │                                                 │ ├──┐
     │ │                        │ │                                                 │ │  │check source
     │ │                        │ │                                                 │ │  │create user
     │ │                        │ │                       OK                        │ │◄─┘
     │ │           OK           │ ├─────────────────────────────────────────────────┴┬┘
     │ ├────────────────────────┴┬┘                                                  │
     └┬┘                         │                                                   │
      │                          │                                                   │

Additional Info

Examples of other dashboards or web UI consoles providing the same functionality

- https://icinga.com/docs/icinga-web-2/latest/doc/05-Authentication/#external-authentication
- https://grafana.com/docs/grafana/next/setup-grafana/configure-security/configure-authentication/auth-proxy/


Files

ceph-login.png (200 KB) ceph-login.png Jan Graichen, 04/18/2024 05:06 PM
ceph-login-sso2.png (200 KB) ceph-login-sso2.png Jan Graichen, 04/18/2024 05:11 PM
ceph-login-sso1.png (195 KB) ceph-login-sso1.png Jan Graichen, 04/18/2024 05:11 PM