Feature #56429 (open)
mgr/dashboard: Remote user authentication (e.g. via apache2)
Description
Authenticate users using a header from a trusted reverse proxy in front of the mgr dashboard.
This enables cluster administrators to instantly use many other ways to authenticate users, for example, using apache2 auth modules:
- LDAP
- OpenID Connect
- TLS client certs
- MFA
- External auth requests
This greatly eases integrating the Ceph Dashboard into existing environments, such as non-SAML SSO portals, specific MFA methods, or just simple authentication with LDAP.
Target persona
Context
A reverse proxy, such as apache2, handles the actual authentication. It adds a configurable header to all requests to mgr/dashboard, for example `X-Remote-User: username`. Many authentication methods are already available for e.g. apache2.
Many plugins also support passing extra headers, such as groups, which could be used to pass roles to mgr/dashboard, e.g. `X-Remote-Roles: block-manager, cephfs-manager`. This would allow automatic user creation (alternatively, just keeping the current in-memory handling is possible) and greatly ease onboarding of new users, as all manual setup steps can be skipped.
mgr/dashboard would have to accept these headers only from a trusted reverse proxy source. A setting could specify trusted IP ranges, e.g. `::1/128, 127.0.0.0/8`. The header would only be accepted if the connection comes from a source address in that range.
Design
Example: LDAP
Sequence diagram (participants: Browser, Apache2, LDAP, mgr/dashboard):
1. Browser -> Apache2: GET /
2. Apache2 -> Browser: Unauthorized
3. Browser: request username and password from the user
4. Browser -> Apache2: GET / with `Authorization: ...`
5. Apache2 -> LDAP: check user/pass
6. LDAP -> Apache2: OK, response contains groups
7. Apache2 -> mgr/dashboard: GET / with `X-Remote-User: john` and `X-Remote-Role: block-manager, cephfs-manager`
8. mgr/dashboard: check source address, create user
9. mgr/dashboard -> Apache2: OK
10. Apache2 -> Browser: OK
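The following is an added illustration of step 8 (check source, then accept the identity headers), written for this page and not taken from the Ceph mgr/dashboard code base. The setting names `TRUSTED_PROXY_RANGES`, `USER_HEADER` and `ROLE_HEADER` are assumptions, as is the `RemoteIdentity` return type; the header names and the sample ranges come from the description above. The key property it demonstrates is that the headers are ignored entirely unless the TCP peer address is inside a trusted range, so a client that reaches the dashboard directly cannot choose its own username.

```python
import ipaddress
from dataclasses import dataclass
from typing import Mapping, Optional, Sequence, Tuple

# Hypothetical settings (assumed names, not real mgr/dashboard options).
TRUSTED_PROXY_RANGES: Tuple[str, ...] = ("::1/128", "127.0.0.0/8")
USER_HEADER = "X-Remote-User"
ROLE_HEADER = "X-Remote-Role"


@dataclass(frozen=True)
class RemoteIdentity:
    """Identity asserted by the reverse proxy (assumed type for this example)."""
    username: str
    roles: Tuple[str, ...]


def _parse_networks(ranges: Sequence[str]):
    # strict=True makes a malformed setting (host bits set, typo) raise at
    # load time instead of silently trusting a different range.
    return [ipaddress.ip_network(r, strict=True) for r in ranges]


def _source_is_trusted(remote_addr: str, networks) -> bool:
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    # On a dual-stack listener a v4 peer shows up as ::ffff:a.b.c.d; map it
    # back so an IPv4 range in the setting still matches.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    # "in" is False when address and network families differ, so mixing
    # v4 and v6 entries in the setting is safe.
    return any(addr in net for net in networks)


def identity_from_headers(
    remote_addr: str,
    headers: Mapping[str, str],
    trusted_ranges: Sequence[str] = TRUSTED_PROXY_RANGES,
) -> Optional[RemoteIdentity]:
    """Return the proxy-asserted identity, or None to fall back to normal login.

    remote_addr must be the actual TCP peer address of the connection, never a
    value taken from X-Forwarded-For or similar headers, since those are
    exactly what an untrusted client could forge.
    """
    if not _source_is_trusted(remote_addr, _parse_networks(trusted_ranges)):
        # Untrusted source: do not even look at the headers.
        return None
    # HTTP header names are case-insensitive; normalise once.
    lowered = {k.lower(): v for k, v in headers.items()}
    username = (lowered.get(USER_HEADER.lower()) or "").strip()
    if not username:
        return None
    # Roles arrive as a comma separated list; keep order, drop blanks/duplicates.
    roles = []
    for role in (lowered.get(ROLE_HEADER.lower()) or "").split(","):
        role = role.strip()
        if role and role not in roles:
            roles.append(role)
    return RemoteIdentity(username=username, roles=tuple(roles))


if __name__ == "__main__":
    # Constructed sample requests, as the diagram above would produce them.
    via_proxy = {"X-Remote-User": "john",
                 "X-Remote-Role": "block-manager, cephfs-manager"}
    print(identity_from_headers("127.0.0.1", via_proxy))   # accepted
    print(identity_from_headers("203.0.113.7", via_proxy)) # None: spoof attempt ignored
```

Whatever is returned would then feed the "create user" step; when the result is None the dashboard keeps its existing login flow, so enabling the feature does not lock anyone out if the proxy is misconfigured.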
Additional Info
Examples of other dashboards or web UI consoles providing the same functionality
- https://icinga.com/docs/icinga-web-2/latest/doc/05-Authentication/#external-authentication
- https://grafana.com/docs/grafana/next/setup-grafana/configure-security/configure-authentication/auth-proxy/