Adding new application:

In repo it-puppet-hostgroup-dashboard, in data/hostgroup/dashboard/elasticsearch.yaml add the new application to the list elasticsearch_index_apps:

<appname>: "<prefix>[-*_a-z0-9A-Z]*(,<prefix>[-*_a-z0-9A-Z]*)*"

for example:

fts3: "fts3-[-*_a-z0-9A-Z]*(,fts3-[-*_a-z0-9A-Z]*)*"

Adding basic http auth:

Add new user(s):

On aiadm:

Get passwd from tbag

cd /tmp/$USER

for dev:

tbag show dashboard_elasticsearch_password --hg dashboard/elasticsearch/search/development --file passwd

for production:

tbag show dashboard_elasticsearch_password --hg dashboard/elasticsearch --file passwd

Add user(s) to passwd

For each user:

  • generate a password
  • htpasswd -m passwd <username>
  • enter the password
  • confirm the password

Set passwd in tbag

for dev:

tbag set dashboard_elasticsearch_password --hg dashboard/elasticsearch/search/development --file passwd

for production:

tbag set dashboard_elasticsearch_password --hg dashboard/elasticsearch --file passwd

rm passwd

Send password(s) to application admin(s)

Add allowed groups to tbag secret

On aiadm:

Get groupfile from tbag

cd /tmp/$USER

for dev:

tbag show dashboard_elasticsearch_group --hg dashboard/elasticsearch/search/development --file groupfile

for production:

tbag show dashboard_elasticsearch_group --hg dashboard/elasticsearch --file groupfile

Edit groupfile

add lines

<ro_group>: <ro_usernames>
<rw_group>: <rw_usernames>

for example:

fts3: fts3
fts3_rw: fts3

Set groupfile in tbag

for dev:

tbag set dashboard_elasticsearch_group --hg dashboard/elasticsearch/search/development --file groupfile

for production:

tbag set dashboard_elasticsearch_group --hg dashboard/elasticsearch --file groupfile

rm groupfile
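
A consistency check that can be run on the fetched files before `tbag set`, as an added example that is not part of the original page: it reports group members that have no entry in the passwd file. It assumes the `<group>: <usernames>` layout shown above with whitespace-separated usernames and htpasswd's `user:hash` lines; `check_groupfile`, `demo` and the sample user `fts3admin` are hypothetical names.

```shell
#!/bin/sh
# Added example (not part of the original page): cross-check a group file
# against an htpasswd file before uploading either one.
# Prints "group:user" for every member with no passwd entry and
# "malformed:<line>" for group lines lacking a "name:" prefix.
# Returns 0 if consistent, 1 if problems were found, 2 on unreadable input.
check_groupfile() {
    passwd_file=$1
    group_file=$2
    [ -r "$passwd_file" ] && [ -r "$group_file" ] || return 2
    awk -F: -v pw="$passwd_file" '
        BEGIN {
            # htpasswd lines are "user:hash"; collect the usernames.
            while ((getline line < pw) > 0) {
                split(line, f, ":")
                if (f[1] != "") known[f[1]] = 1
            }
        }
        /^[ \t]*$/ || /^[ \t]*#/ { next }   # skip blank lines and comments
        index($0, ":") < 2 { print "malformed:" FNR; bad = 1; next }
        {
            n = split(substr($0, index($0, ":") + 1), members, /[ \t]+/)
            for (i = 1; i <= n; i++)
                if (members[i] != "" && !(members[i] in known)) {
                    print $1 ":" members[i]
                    bad = 1
                }
        }
        END { exit bad + 0 }
    ' "$group_file"
}

# Constructed sample data: the hash is a placeholder and "fts3admin" is a
# hypothetical user that was never added with htpasswd.
demo() {
    d=$(mktemp -d) || return 2
    printf '%s\n' 'fts3:$apr1$CONSTRUCTED$placeholder' > "$d/passwd"
    printf '%s\n' 'fts3: fts3' 'fts3_rw: fts3 fts3admin' > "$d/groupfile"
    check_groupfile "$d/passwd" "$d/groupfile"
    rc=$?
    rm -rf "$d"
    return "$rc"
}

demo || echo "group file names users that have no passwd entry" >&2
```

Both files have to be present in the working directory for the check, so the passwd file needs to be fetched again if it was already removed.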

Configure allowed groups in hiera

In repo it-puppet-hostgroup-dashboard, in data/hostgroup/dashboard/elasticsearch.yaml add the groups allowed to read and write:

elasticsearch_index_groups_rw:
...
  <appname>: "<group(s) allowed to write>"
...
elasticsearch_index_groups_ro:
...
  <appname>: "<group(s) allowed to read>"
...

for example:

elasticsearch_index_groups_rw:
...
  fts3: "fts3_rw"
...
elasticsearch_index_groups_ro:
...
  fts3: "fts3"
...

Adding CERN SSO access (e-group auth)

Configure allowed e-groups in hiera

In repo it-puppet-hostgroup-dashboard, in data/hostgroup/dashboard/elasticsearch.yaml add the groups allowed to read and write:

elasticsearch_index_egroups_rw:
...
  <appname>: "<e-group(s) allowed to write>"
...
elasticsearch_index_egroups_ro:
...
  <appname>: "<e-group(s) allowed to read>"
...

for example:

elasticsearch_index_egroups_rw:
...
  fts3: "dashb-es-fts3-rw dashb-es-admins"
...
elasticsearch_index_egroups_ro:
...
  fts3: "dashb-es-fts3 dashb-es-admins"
...

Configure e-groups

Create e-groups

https://e-groups.cern.ch/e-groups/EgroupsSearchOwner.do

Populate with users/e-groups that should have r/o and r/w access

Add new e-groups to e-group dashb-es-users to allow saving kibana dashboards

Topic revision: r3 - 2015-02-02 - IvanKadochnikov
 