ElasticSearchUserAuthorization < ArdaGrid

ArdaGrid Web>Dashboard>ElasticSearchUserAuthorization (2015-07-17, IvanKadochnikov)

Adding new application:
Adding basic http auth:
- Add new user(s):
- Add allowed groups to tbag secret
Adding CERN SSO access (e-group auth)
- Configure allowed e-groups in hiera
- Configure e-groups

Adding new application:

In repo it-puppet-hostgroup-dashboard, in data/hostgroup/dashboard/elasticsearch.yaml add the new application to the list elasticsearch_index_apps:

<appname>: "<prefix>[-*_a-z0-9A-Z]*(,<prefix>[-*_a-z0-9A-Z]*)*"

for example:

fts3: "fts3-[-*_a-z0-9A-Z]*(,fts3-[-*_a-z0-9A-Z]*)*"

Adding basic http auth:

Add new user(s):

On aiadm:

Get passwd from tbag

cd /tmp/$USER

for dev:

tbag show dashboard_elasticsearch_password --hg dashboard/elasticsearch/search/development --file passwd

for production:

tbag show dashboard_elasticsearch_password --hg dashboard/elasticsearch --file passwd

Add user(s) to passwd

For each user:

generate a password
```
htpasswd -m passwd <username>
```
enter the password
confirm the password

Set passwd in tbag

for dev:

tbag set dashboard_elasticsearch_password --hg dashboard/elasticsearch/search/development --file passwd

for production:

tbag set dashboard_elasticsearch_password --hg dashboard/elasticsearch --file passwd

rm passwd

Send password(s) to application admin(s)

Add allowed groups to tbag secret

On aiadm:

Get groupfile from tbag

cd /tmp/$USER

for dev:

tbag show dashboard_elasticsearch_group --hg dashboard/elasticsearch/search/development --file groupfile

for production:

tbag show dashboard_elasticsearch_group --hg dashboard/elasticsearch --file groupfile

Edit groupfile

add the new groups

<ro_group>: <ro_usernames>
<rw_group>: <rw_usernames>

for example:

fts3: fts3
fts3_rw: fts3

add the new users to group "anyone" that has access to safe urls like plugin and node status.

anyone: ... <ro_usernames> <rw_usernames>

for example:

anyone: ... fts3

Set goupfile in tbag

for dev:

tbag set dashboard_elasticsearch_group --hg dashboard/elasticsearch/search/development --file groupfile

for production:

tbag set dashboard_elasticsearch_group --hg dashboard/elasticsearch --file groupfile

rm groupfile

Configure allowed groups in hiera

In repo it-puppet-hostgroup-dashboard, in data/hostgroup/dashboard/elasticsearch.yaml add the groups allowed to read and write:

elasticsearch_index_groups_rw:
...
  <appname>: "<group(s) allowed to write>"
...
elasticsearch_index_groups_ro:
...
  <appname>: "<group(s) allowed to read>"
...

for example:

elasticsearch_index_groups_rw:
...
  fts3: "fts3_rw"
...
elasticsearch_index_groups_ro:
...
  fts3: "fts3"
...

Adding CERN SSO access (e-group auth)

Configure allowed e-groups in hiera

In repo it-puppet-hostgroup-dashboard, in data/hostgroup/dashboard/elasticsearch.yaml add the groups allowed to read and write:

elasticsearch_index_egroups_rw:
...
  <appname>: "<e-group(s) allowed to write>"
...
elasticsearch_index_egroups_ro:
...
  <appname>: "<e-group(s) allowed to read>"
...

for example:

elasticsearch_index_egroups_rw:
...
  fts3: "dashb-es-fts3-rw dashb-es-admins"
...
elasticsearch_index_egroups_ro:
...
  fts3: "dashb-es-fts3 dashb-es-admins"
...

Configure e-groups

Create e-groups

https://e-groups.cern.ch/e-groups/EgroupsSearchOwner.do

Populate with users/e-groups that should have r/o and r/w access

Add new e-groups to e-group dashb-es-users to allow saving kibana dashboards

Topic revision: r4 - 2015-07-17 - IvanKadochnikov

ArdaGrid

ArdaGrid Web
ArdaGrid Web Home
Changes
Index
Search

Public webs

Welcome Guest

- Cern Search
- TWiki Search
- Google Search
ArdaGrid All webs

Copyright &© 2008-2023 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
or Ideas, requests, problems regarding TWiki? use Discourse or Send feedback