Automate SSO configuration for your Ceph dashboard in Koor storage
The Ceph dashboard offers a lot of functionality, from giving a concise overview of the cluster’s state to managing block storage, filesystem volumes, and object storage buckets easily.
It is a powerful tool that needs to be handled with caution. Not a problem for the Ceph dashboard! It contains “system roles” and you can even create custom roles for most of the Ceph dashboard functionality on a very granular level. A role’s access to functionality is scoped, meaning that you can restrict the functionality to `read`, `create`, `update`, and `delete`. That lets you be very specific if the default system roles are too open for your environment.
To learn more about the Ceph dashboard’s user roles and permissions system, click here.
In the Rook Ceph operator, enabling the dashboard is as easy as setting the `.spec.dashboard.enabled` field to `true`!
Currently, only one admin account is created with a secure password stored in a Kubernetes secret by default.
We wanted to make the existing Ceph dashboard Single Sign-On (SSO) feature more convenient to use in Kubernetes, so we added the dashboard’s SSO configuration to the Koor Storage Distribution. You might be wondering: what is SSO, and why is it such a great addition to have automatically configured through existing GitOps flows?
Single sign-on is an authentication scheme that allows a user to log in with a single ID to any of several related, yet independent, software systems. True single sign-on allows the user to log in once and access services without re-entering authentication factors.
To translate this to a typical workday, you would log in once to your laptop with your account and every company application and web service would automatically know that it is you.
With this feature, you can just add your SSO details to your existing `CephCluster` and have the operator automatically take care of the configuration.
Requirements for your cluster and infrastructure:
- You need to be running a Koor Storage Distribution cluster on the latest version.
- You need to have an existing SAML2 identity provider (IdP) running (e.g., Keycloak, Authentiq).
We’ll be using Keycloak (tested with 19.0.2) for this example. We are going to assume your Ceph dashboard is currently exposed via Kubernetes Ingress on `https://ceph-dash.example.com` and your Keycloak is running at `https://keycloak.example.com/auth` (with a realm called `myrealm`).
Keycloak Client Details:
- Protocol: `SAML2`
- Client ID: `https://ceph-dash.example.com/auth/saml2/metadata`
- Name: e.g., `Ceph Dashboard`
- Settings tab:
  - Root URL: `https://ceph-dash.example.com` (without a slash at the end)
  - Valid redirect URIs: `/*`
  - Force POST binding: On.
  - Sign documents: On.
  - Front channel logout: On.
- Keys tab:
  - Signing keys config -> Client signature required: Off.
- Client Scopes tab:
  - Remove the default `role_list` scope.
  - Click on the “Dedicated scope and mappers for this client” and add a new AttributeStatement Mapper called, e.g., `username`:
    - Property: `username`
    - Friendly name: e.g., `Username`.
    - SAML Attribute name: `username`. This needs to be set for the `idpAttributes.username` field in the SSO spec of the CephCluster object.
- Advanced tab:
  - Assertion Consumer Service POST Binding URL: `https://ceph-dash.example.com/#dashboard`
  - Assertion Consumer Service Redirect Binding URL: `https://ceph-dash.example.com/#dashboard`
  - Logout Service POST Binding URL: `https://ceph-dash.example.com/`
Now that we have the SAML2 client configured in Keycloak or your IdP of choice, we need to add these details to your `CephCluster` object.
Each of the fields needs to be set as follows:
- `enabled` - Set to `true` to enable the dashboard SSO configuration.
- `baseURL` - The external address your dashboard is exposed on, e.g., if you have an Ingress exposing the dashboard on `https://ceph-dash.example.com`, this would be the whole URL (without a trailing slash).
- `entityID` - Optional. Use this when you have more than one entity ID in your IdP metadata.
- `idpMetadataUrl` - Your IdP’s metadata file, e.g., on Keycloak this is located at `https://keycloak.example.com/auth/realms/myrealm/protocol/saml/descriptor` (in Keycloak you can find it under the Realm Settings -> General tab -> SAML 2.0 Identity Provider Metadata link).
- `idpAttributes.username` - The SAML2 attribute name containing the user’s username (optional, defaults to `uid`).
- `users` - List of users to create and which system roles to give them. You can also specify your custom roles, but you need to have created them already.
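Before filling in `entityID` and `idpMetadataUrl`, it helps to look at what the IdP metadata actually advertises. The following is an added example (not Koor's or Rook's code) that inspects a SAML2 metadata document and reports, per IdP entity ID, whether a signing certificate is published and which HTTP-POST SingleSignOnService location it offers; the metadata below is a constructed sample shaped like a Keycloak realm descriptor, not fetched from a real realm.

```python
# Pre-flight check of the SAML2 IdP metadata referenced by idpMetadataUrl,
# so the CephCluster SSO spec (entityID, idpMetadataUrl) can be filled in correctly.
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample, shaped like the descriptor a Keycloak realm publishes at
# https://keycloak.example.com/auth/realms/myrealm/protocol/saml/descriptor
SAMPLE_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{MD}" xmlns:ds="{DS}">
  <md:EntityDescriptor entityID="https://keycloak.example.com/auth/realms/myrealm">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC-constructed-placeholder</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:SingleLogoutService Binding="{POST_BINDING}"
        Location="https://keycloak.example.com/auth/realms/myrealm/protocol/saml"/>
      <md:SingleSignOnService Binding="{POST_BINDING}"
        Location="https://keycloak.example.com/auth/realms/myrealm/protocol/saml"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def inspect_idp_metadata(xml_text):
    """Map each IdP entityID in the metadata to the facts the dashboard relies on:
    whether a signing certificate is published (needed to verify assertions) and
    the HTTP-POST SingleSignOnService locations (Force POST binding is On in Keycloak)."""
    root = ET.fromstring(xml_text)
    # The document is either a single EntityDescriptor or an EntitiesDescriptor wrapping several.
    entities = [root] if root.tag == f"{{{MD}}}EntityDescriptor" else root.findall(f"{{{MD}}}EntityDescriptor")
    found = {}
    for ent in entities:
        idp = ent.find(f"{{{MD}}}IDPSSODescriptor")
        if idp is None:
            continue  # SP-only entities cannot act as the dashboard's IdP
        # A KeyDescriptor with no "use" attribute is valid for signing and encryption alike.
        has_cert = any(
            kd.get("use") in (None, "signing") and kd.find(f".//{{{DS}}}X509Certificate") is not None
            for kd in idp.findall(f"{{{MD}}}KeyDescriptor")
        )
        post_sso = [s.get("Location") for s in idp.findall(f"{{{MD}}}SingleSignOnService")
                    if s.get("Binding") == POST_BINDING]
        found[ent.get("entityID")] = {"has_signing_cert": has_cert, "post_sso": post_sso}
    return found


def entity_id_required(inspection):
    """entityID in the CephCluster SSO spec is only needed when the metadata lists several IdPs."""
    return len(inspection) > 1
```

If `entity_id_required` returns `True`, pick the key of the entry you want from the returned dict and put it in `entityID`; an entry without a signing certificate cannot be used to verify the IdP's assertions.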
After adding this to your `CephCluster` object, wait a minute or two for the operator to complete a reconciliation loop.
Now you should be auto-redirected to your IdP when accessing the Ceph dashboard.
As the SSO feature is currently implemented, users must be created before they can log in to the dashboard. Manual creation of users is currently done as a security feature, though we are looking to improve this securely with the community to make SSO even easier.
To summarize, the Koor Storage Distribution now allows configuring the Ceph dashboard Single Sign-On via your CephCluster CRD, which means one more thing is automated and doesn’t need to be manually configured in your Ceph Cluster.
If you have any questions regarding Rook, Ceph or Koor, be sure to check out our bi-weekly Koor office hours. For more information and the meeting schedule, please refer to the readme file in the Koor GitHub project. If you want to learn more about the Koor Storage Distribution product, be sure to reach out to us via email or social media channels.
Thanks for reading!