Merge pull request #228 from ESGF/ansible-auth-config

Added Ansible config for auth components (allowing access control)

Author: watucker

deploy/ansible/host_vars/esgf.data.example.org

@@ -34,3 +34,55 @@
 
 ### See: https://github.com/ESGF/esgf-docker/blob/master/docs/deploy-ansible.md#enabling-ssl
 
+
+## OPTIONAL: Enabling access control components
+
+#auth_enabled: true/false
+
+## Configuration for the auth service container
+#auth_settings:
+#  MIDDLEWARE:
+#    - authenticate.oauth2.middleware.BearerTokenAuthenticationMiddleware
+#    - authenticate.oidc.middleware.OpenIDConnectAuthenticationMiddleware
+#    - authorize.opa.middleware.OPAAuthorizationMiddleware
+#  OPA_SERVER:
+#    package_path: esgf
+#    rule_name: allow
+#  # Group info keys for authorization
+#  OAUTH2_GROUPS_KEY: group_membership
+#  OIDC_GROUPS_KEY: group_membership
+#  # OAuth Bearer Token auth settings
+#  OAUTH_CLIENT_ID:
+#  OAUTH_CLIENT_SECRET:
+#  OAUTH_TOKEN_URL:
+#  OAUTH_TOKEN_INTROSPECT_URL:
+#  # OIDC auth settings
+#  OIDC_BACKEND_CLIENT_NAME: esgf
+#  AUTHLIB_OAUTH_CLIENTS:
+#    esgf:
+#      client_id:
+#      client_secret:
+#      authorize_url:
+#      userinfo_endpoint:
+#      client_kwargs:
+#        scope: openid profile email
+
+## Default rego template (override this to use your own).
+#opa_policy_template: policy.rego.j2
+
+## Paths to apply the authorisation policy to and the access group that a user will need.
+#opa_policy_restricted_paths:
+#  - name: threddsdata
+#    path: /thredds/fileServer/restricted/.*
+#    group: admins
+#  - name: example
+#    path: /some/restricted/path/.*
+#    group: admins
+
+## Your server's name. The default policy will deny requests from other hostnames.
+#opa_policy_server_host: example.com
+
+## The logging level of the OPA container. Set this to debug for troubleshooting.
+#opa_log_level: info
+
+### See: https://github.com/ESGF/esgf-docker/blob/master/docs/deploy-ansible.md#enabling-access-control

deploy/ansible/roles/auth/defaults/main.yml

@@ -21,6 +21,38 @@ image_pull: true
 # Indicates if the auth service should be deployed or not
 auth_enabled: false
 
+auth_settings_base:
+  MIDDLEWARE:
+    - django.middleware.security.SecurityMiddleware
+    - django.contrib.sessions.middleware.SessionMiddleware
+    - django.middleware.common.CommonMiddleware
+    - django.middleware.csrf.CsrfViewMiddleware
+    - django.contrib.messages.middleware.MessageMiddleware
+    - django.middleware.clickjacking.XFrameOptionsMiddleware
+  OPA_SERVER:
+    host: opa
+    port: 8181
+  RESOURCE_URI_QUERY_KEY: rd
+  RESOURCE_URI_HEADER_KEY: HTTP_X_ORIGINAL_URL
+
+# Default rego template (override this to use your own)
+opa_policy_template: policy.rego.j2
+
+# Paths to apply security restrictions to
+opa_policy_restricted_paths: []
+
+# Whitelist access based on the server's hostname
+opa_policy_server_host: "{{ ansible_host }}"
+
+# Logging level for the OPA server
+opa_log_level: info
+
+# Settings for the opa image
+opa_image_prefix: "{{ image_prefix }}"
+opa_image_tag: "{{ image_tag }}"
+opa_image_pull: "{{ image_pull }}"
+opa_image_repository: opa
+
 # Settings for the auth-service image
 auth_image_prefix: "{{ image_prefix }}"
 auth_image_tag: "{{ image_tag }}"

deploy/ansible/roles/auth/tasks/auth_install.yml

@@ -4,7 +4,47 @@
   docker_network:
     name: esgf
 
-- name: Start auth container
+- name: Make auth config directory
+  file:
+    path: /esg/config/auth
+    state: directory
+
+- name: Write rego policy file
+  template:
+    src: "{{ opa_policy_template }}"
+    dest: /esg/config/auth/policy.rego
+
+- name: Write auth service settings
+  template:
+    src: settings.yaml.j2
+    dest: /esg/config/auth/settings.yaml
+
+- name: Start the opa container
+  docker_container:
+    name: opa
+    image: "{{ opa_image_prefix }}/{{ opa_image_repository }}:{{ opa_image_tag }}"
+    pull: "{{ opa_image_pull }}"
+    detach: yes
+    restart_policy: unless-stopped
+    exposed_ports:
+      - "8181"
+    networks:
+      - name: esgf
+    networks_cli_compatible: yes
+    volumes:
+      # Mount the policy for the opa server
+      - "/esg/config/auth/policy.rego:/policies/policy.rego:ro"
+    entrypoint:
+      - "/opa"
+      - "run"
+      - "--ignore=.*"  # exclude hidden dirs created by Kubernetes
+      - "--log-level={{ opa_log_level }}"
+      - "--server"
+      - "/policies"
+    state: started
+    recreate: yes
+
+- name: Start auth service container
   docker_container:
     name: auth
     image: "{{ auth_image_prefix }}/{{ auth_image_repository }}:{{ auth_image_tag }}"
@@ -15,3 +55,11 @@
       - "8080"
     networks:
       - name: esgf
+    networks_cli_compatible: yes
+    volumes:
+      # Mount the settings for the auth service
+      - "/esg/config/auth/settings.yaml:/etc/django/settings.d/20-runtime-settings.yaml:ro"
+      # Mount the settings for the auth service
+      - "/esg/config/auth/staticfiles:/var/django/staticfiles:ro"
+    state: started
+    recreate: yes

deploy/ansible/roles/auth/tasks/auth_uninstall.yml

@@ -1,6 +1,11 @@
 ---
 
-- name: Stop auth container
+- name: Stop opa container
+  docker_container:
+    name: opa
+    state: absent
+
+- name: Stop auth service container
   docker_container:
     name: auth
     state: absent

deploy/ansible/roles/auth/templates/policy.rego.j2

@@ -0,0 +1,33 @@
+package esgf
+
+default allow = false
+
+# Determine access to the resource
+allow = true {
+    allowed_hosts[resource_host]
+    count(violation) == 0
+}
+
+# Check that the user belongs to a certain group
+has_group(name) {
+    some i
+    input.subject.groups[i] == name
+}
+
+# Separate parts of a resource URL, if applicable
+parts := regex.find_all_string_submatch_n("^(?:(?:http|https|ftp):\/\/([^\/ ]*))?(\/.*)", input.resource, -1)
+resource_host := parts[_][1]
+resource_path := parts[_][2]
+
+# Declare all allowed resource hosts
+allowed_hosts := {
+    "{{ ansible_host }}",
+}
+
+# Check requested path against restricted paths
+{% for restricted_path in opa_policy_restricted_paths %}
+violation["{{ restricted_path['name'] }}"] {
+    regex.match("{{ restricted_path['path'] }}", resource_path)
+    not has_group("{{ restricted_path['group'] }}")
+}
+{% endfor %}

deploy/ansible/roles/auth/templates/settings.yaml.j2

@@ -0,0 +1,3 @@
+# Generated by Ansible
+
+{{ auth_settings_base | combine(auth_settings, recursive=true, list_merge='append_rp') | to_yaml(indent=2) }}

deploy/ansible/roles/proxy/templates/proxy.conf.j2

@@ -1,3 +1,10 @@
+{% macro auth_check() -%}
+        error_page 401 = @error401;
+        auth_request /verify;
+        auth_request_set $username $upstream_http_x_username;
+        auth_request_set $sid $upstream_http_x_session;
+{%- endmacro %}
+
 # HTTP and HTTPS server blocks that proxy to the other containers running on this host
 
 server {
@@ -41,7 +48,7 @@ server {
     }
 
     location @error401 {
-        return 302 /login;
+        return 302 http://$host/login;
     }
     {% endif %}
 
@@ -51,19 +58,16 @@ server {
         include /etc/nginx/includes/proxy_params.conf;
         proxy_pass http://thredds:8080;
 
-        {% if auth_enabled %}
-        error_page 401 = @error401;
-        auth_request /auth/verify;
-        auth_request_set $username $upstream_http_x_username;
-        auth_request_set $sid $upstream_http_x_session;
-        {% endif %}
+        {% if auth_enabled %}{{ auth_check() }}{% endif %}
     }
     {% endif %}
 
     {% if fileserver_enabled %}
     location /thredds/fileServer {
         include /etc/nginx/includes/proxy_params.conf;
         proxy_pass http://fileserver:8080;
+
+        {% if auth_enabled %}{{ auth_check() }}{% endif %}
     }
     {% endif %}
     {% endif %}
@@ -74,13 +78,17 @@ server {
     location ~ ^/solr/[a-z]+/replication {
         include /etc/nginx/includes/proxy_params.conf;
         proxy_pass http://solr-slave:8983;
+
+        {% if auth_enabled %}{{ auth_check() }}{% endif %}
     }
     {% endif %}
 
     {% if search_enabled %}
     location /esg-search {
         include /etc/nginx/includes/proxy_params.conf;
         proxy_pass http://search:8080;
+
+        {% if auth_enabled %}{{ auth_check() }}{% endif %}
     }
     {% endif %}
     {% endif %}

deploy/ansible/roles/proxy/templates/ssl.proxy.conf.j2

@@ -1,3 +1,10 @@
+{% macro auth_check() -%}
+        error_page 401 = @error401;
+        auth_request /verify;
+        auth_request_set $username $upstream_http_x_username;
+        auth_request_set $sid $upstream_http_x_session;
+{%- endmacro %}
+
 # HTTP and HTTPS server blocks that proxy to the other containers running on this host
 server {
     listen 8080 default_server;
@@ -25,18 +32,55 @@ server {
         return 404;
     }
 
+    {% if auth_enabled %}
+    location /verify {
+        set $query '';
+        if ($request_uri ~* "[^\?]+\?(.*)$") {
+            set $query $1;
+        }
+
+        proxy_pass http://auth:8080/verify/?next=$scheme://$http_host$http_port$request_uri;
+        proxy_pass_request_body off;
+
+        proxy_set_header Content-Length '0';
+        proxy_set_header Host $host;
+        proxy_set_header X-Origin-URI $request_uri;
+        proxy_set_header X-Origin-Query $query;
+        proxy_set_header X-Forwarded-Host $host;
+    }
+
+    location /login {
+        proxy_pass http://auth:8080/login;
+        proxy_pass_request_body off;
+
+        proxy_set_header Content-Length '0';
+        proxy_set_header Host $host;
+        proxy_set_header X-Origin-URI $request_uri;
+        proxy_set_header X-Origin-Query $query;
+        proxy_set_header X-Forwarded-Host $host;
+    }
+
+    location @error401 {
+        return 302 https://$host/login;
+    }
+    {% endif %}
+
     {% if 'data' in group_names %}
     {% if thredds_enabled %}
     location /thredds {
         include /etc/nginx/includes/proxy_params.conf;
         proxy_pass http://thredds:8080;
+
+        {% if auth_enabled %}{{ auth_check() }}{% endif %}
     }
     {% endif %}
 
     {% if fileserver_enabled %}
     location /thredds/fileServer {
         include /etc/nginx/includes/proxy_params.conf;
         proxy_pass http://fileserver:8080;
+
+        {% if auth_enabled %}{{ auth_check() }}{% endif %}
     }
     {% endif %}
     {% endif %}
@@ -47,13 +91,17 @@ server {
     location ~ ^/solr/[a-z]+/replication {
         include /etc/nginx/includes/proxy_params.conf;
         proxy_pass http://solr-slave:8983;
+
+        {% if auth_enabled %}{{ auth_check() }}{% endif %}
     }
     {% endif %}
 
     {% if search_enabled %}
     location /esg-search {
         include /etc/nginx/includes/proxy_params.conf;
         proxy_pass http://search:8080;
+
+        {% if auth_enabled %}{{ auth_check() }}{% endif %}
     }
     {% endif %}
     {% endif %}