ElasticSearchUserAuthorization (2015-07-17, IvanKadochnikov)
%TOC%

---++ Adding new application:

In repo it-puppet-hostgroup-dashboard, in data/hostgroup/dashboard/elasticsearch.yaml, add the new application to the list elasticsearch_index_apps:
<verbatim>
<appname>: "<prefix>[-*_a-z0-9A-Z]*(,<prefix>[-*_a-z0-9A-Z]*)*"
</verbatim>
for example:
<verbatim>
fts3: "fts3-[-*_a-z0-9A-Z]*(,fts3-[-*_a-z0-9A-Z]*)*"
</verbatim>

---++ Adding basic http auth:

---+++ Add new user(s):

On aiadm:

---++++ Get passwd from tbag

<verbatim>
cd /tmp/$USER
</verbatim>
for dev:
<verbatim>
tbag show dashboard_elasticsearch_password --hg dashboard/elasticsearch/search/development --file passwd
</verbatim>
for production:
<verbatim>
tbag show dashboard_elasticsearch_password --hg dashboard/elasticsearch --file passwd
</verbatim>

---++++ Add user(s) to passwd

For each user:
   * generate a password
   * <verbatim> htpasswd -m passwd <username></verbatim>
   * enter the password
   * confirm the password

---++++ Set passwd in tbag

for dev:
<verbatim>
tbag set dashboard_elasticsearch_password --hg dashboard/elasticsearch/search/development --file passwd
</verbatim>
for production:
<verbatim>
tbag set dashboard_elasticsearch_password --hg dashboard/elasticsearch --file passwd
</verbatim>
Then remove the local copy:
<verbatim>
rm passwd
</verbatim>

---++++ Send password(s) to application admin(s)

---+++ Add allowed groups to tbag secret

On aiadm:

---++++ Get groupfile from tbag

<verbatim>
cd /tmp/$USER
</verbatim>
for dev:
<verbatim>
tbag show dashboard_elasticsearch_group --hg dashboard/elasticsearch/search/development --file groupfile
</verbatim>
for production:
<verbatim>
tbag show dashboard_elasticsearch_group --hg dashboard/elasticsearch --file groupfile
</verbatim>

---++++ Edit groupfile

Add the new groups:
<verbatim>
<ro_group>: <ro_usernames>
<rw_group>: <rw_usernames>
</verbatim>
for example:
<verbatim>
fts3: fts3
fts3_rw: fts3
</verbatim>
Add the new users to the group "anyone", which has access to safe URLs like plugin and node status:
<verbatim>
anyone: ... <ro_usernames> <rw_usernames>
</verbatim>
for example:
<verbatim>
anyone: ... fts3
</verbatim>

---++++ Set groupfile in tbag

for dev:
<verbatim>
tbag set dashboard_elasticsearch_group --hg dashboard/elasticsearch/search/development --file groupfile
</verbatim>
for production:
<verbatim>
tbag set dashboard_elasticsearch_group --hg dashboard/elasticsearch --file groupfile
</verbatim>
Then remove the local copy:
<verbatim>
rm groupfile
</verbatim>

---++++ Configure allowed groups in hiera

In repo it-puppet-hostgroup-dashboard, in data/hostgroup/dashboard/elasticsearch.yaml, add the groups allowed to read and write:
<verbatim>
elasticsearch_index_groups_rw:
  ...
  <appname>: "<group(s) allowed to write>"
  ...
elasticsearch_index_groups_ro:
  ...
  <appname>: "<group(s) allowed to read>"
  ...
</verbatim>
for example:
<verbatim>
elasticsearch_index_groups_rw:
  ...
  fts3: "fts3_rw"
  ...
elasticsearch_index_groups_ro:
  ...
  fts3: "fts3"
  ...
</verbatim>

---++ Adding CERN SSO access (e-group auth)

---+++ Configure allowed e-groups in hiera

In repo it-puppet-hostgroup-dashboard, in data/hostgroup/dashboard/elasticsearch.yaml, add the e-groups allowed to read and write:
<verbatim>
elasticsearch_index_egroups_rw:
  ...
  <appname>: "<e-group(s) allowed to write>"
  ...
elasticsearch_index_egroups_ro:
  ...
  <appname>: "<e-group(s) allowed to read>"
  ...
</verbatim>
for example:
<verbatim>
elasticsearch_index_egroups_rw:
  ...
  fts3: "dashb-es-fts3-rw dashb-es-admins"
  ...
elasticsearch_index_egroups_ro:
  ...
  fts3: "dashb-es-fts3 dashb-es-admins"
  ...
</verbatim>

---+++ Configure e-groups

   * Create e-groups: https://e-groups.cern.ch/e-groups/EgroupsSearchOwner.do
   * Populate them with the users/e-groups that should have r/o and r/w access
   * Add the new e-groups to e-group dashb-es-users to allow saving Kibana dashboards
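A quick way to see which index expressions the fts3 value from "Adding new application" accepts. This is an added example, not code from the Puppet module; it assumes the value is applied as a whole-string match on the index part of the request, and the sample expressions are constructed.

```shell
#!/bin/sh
# Added example. Assumption: the elasticsearch_index_apps value is matched
# against the complete index expression of a request (anchored at both ends).

# The fts3 value from the page.
FTS3_PATTERN='fts3-[-*_a-z0-9A-Z]*(,fts3-[-*_a-z0-9A-Z]*)*'

# index_allowed PATTERN INDEX_EXPR
# Returns 0 when the whole expression matches the pattern, 1 otherwise.
index_allowed() {
    printf '%s\n' "$2" | LC_ALL=C grep -Eqx -- "$1"
}

# Run the pattern over constructed index expressions and report each decision.
check_samples() {
    for expr in 'fts3-prod' 'fts3-*' 'fts3-a,fts3-b' \
                'fts3-2015.07.17' 'fts3-a,other-b' 'fts3' '_all'; do
        if index_allowed "$FTS3_PATTERN" "$expr"; then
            echo "allow $expr"
        else
            echo "deny  $expr"
        fi
    done
}

check_samples
```

The character class has no dot, so a dated name such as fts3-2015.07.17 is refused under this assumption, and a comma-separated request is accepted only when every element carries the application prefix.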
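A consistency check for the working copies of passwd and groupfile from "Adding basic http auth", to run before the tbag set steps. This is an added example, not part of the original procedure; it assumes the htpasswd "user:hash" and "group: user1 user2" file formats, generalizes the "anyone" rule to every user in groupfile, and uses constructed sample files with placeholder hashes.

```shell
#!/bin/sh
# Added example: consistency check for the working copies before "tbag set".
# Assumed formats: passwd "user:hash" (htpasswd), groupfile "group: user1 user2 ...".
umask 077   # files created below are readable by the current user only

# check_auth_files PASSWD GROUPFILE
# Prints one line per problem (sorted); returns 1 if any problem was found.
check_auth_files() {
    problems=$(awk '
        FILENAME == ARGV[1] { split($0, f, ":"); if (f[1] != "") known[f[1]] = 1; next }
        NF > 1 {
            group = $1; sub(/:$/, "", group)
            for (i = 2; i <= NF; i++) { users[$i] = 1; member[group, $i] = 1 }
        }
        END {
            for (u in users) {
                if (!(u in known)) print u ": in groupfile but has no passwd entry"
                if (!(("anyone", u) in member)) print u ": not in group anyone"
            }
        }' "$1" "$2" | sort)
    if [ -n "$problems" ]; then printf '%s\n' "$problems"; return 1; fi
}

# Constructed sample files; the hashes are placeholders, not htpasswd output.
demo_dir=$(mktemp -d)
cat > "$demo_dir/passwd" <<'EOF'
admin:$apr1$constructed$placeholder0
fts3:$apr1$constructed$placeholder1
EOF
cat > "$demo_dir/groupfile" <<'EOF'
fts3: fts3
fts3_rw: fts3 fts3writer
anyone: admin fts3
EOF

# fts3writer was added to fts3_rw but has no password and is missing from anyone.
check_auth_files "$demo_dir/passwd" "$demo_dir/groupfile" \
    || echo "fix the files before running tbag set"
rm -rf "$demo_dir"
```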
Topic revision: r4 - 2015-07-17 - IvanKadochnikov