Loading deploy/ansible/roles/auth/defaults/main.yml +10 −0 Original line number Diff line number Diff line Loading @@ -21,6 +21,16 @@ image_pull: true # Indicates if the auth service should be deployed or not auth_enabled: false # Default rego template (override this to use your own) auth_policy_template: policy.rego.j2 auth_policy_restricted_paths: [] # Settings for the opa image opa_image_prefix: "{{ image_prefix }}" opa_image_tag: "{{ image_tag }}" opa_image_pull: "{{ image_pull }}" opa_image_repository: opa # Settings for the auth-service image auth_image_prefix: "{{ image_prefix }}" auth_image_tag: "{{ image_tag }}" Loading deploy/ansible/roles/auth/tasks/auth_install.yml +42 −1 Original line number Diff line number Diff line Loading @@ -4,7 +4,40 @@ docker_network: name: esgf - name: Start auth container - name: Make auth config directory file: path: /esg/config/auth state: directory - name: Write rego policy file template: src: "{{ auth_policy_template }}" dest: /esg/config/auth/policy.rego - name: Write auth service settings template: src: settings.yaml.j2 dest: /esg/config/auth/settings.yaml - name: Start the opa container docker_container: name: opa image: "{{ opa_image_prefix }}/{{ opa_image_repository }}:{{ opa_image_tag }}" pull: "{{ opa_image_pull }}" detach: yes restart_policy: unless-stopped exposed_ports: - "8181" networks: - name: esgf networks_cli_compatible: yes volumes: # Mount the policy for the opa server - "/esg/config/auth/policy.rego:/policies/policy.rego:ro" state: started recreate: yes - name: Start auth service container docker_container: name: auth image: "{{ auth_image_prefix }}/{{ auth_image_repository }}:{{ auth_image_tag }}" Loading 
@@ -15,3 +48,11 @@ - "8080" networks: - name: esgf networks_cli_compatible: yes volumes: # Mount the settings for the auth service - "/esg/config/auth/settings.yaml:/etc/django/settings.d/20-runtime-settings.yaml:ro" # Mount the settings for the auth service - "/esg/config/auth/staticfiles:/var/django/staticfiles:ro" state: started recreate: yes deploy/ansible/roles/auth/tasks/auth_uninstall.yml +6 −1 Original line number Diff line number Diff line --- - name: Stop auth container - name: Stop opa container docker_container: name: opa state: absent - name: Stop auth service container docker_container: name: auth state: absent Loading deploy/ansible/roles/auth/templates/policy.rego.j2 0 → 100644 +33 −0 Original line number Diff line number Diff line package esgf default allow = false # Determine access to the resource allow = true { allowed_hosts[resource_host] count(violation) == 0 } # Check that the user belongs to a certain group has_group(name) { some i input.subject.groups[i] == name } # Separate parts of a resource URL, if applicable parts := regex.find_all_string_submatch_n("^(?:(?:http|https|ftp):\/\/([^\/ ]*))?(\/.*)", input.resource, -1) resource_host := parts[_][1] resource_path := parts[_][2] # Declare all allowed resource hosts allowed_hosts := { "{{ ansible_host }}", } # Check requested path against restricted paths {% for restricted_path in auth_policy_restricted_paths %} violation["{{ restricted_path['name'] }}"] { regex.match("{{ restricted_path['path'] }}", resource_path) not has_group("{{ restricted_path['group'] }}") } {% endfor %} No newline at end of file deploy/ansible/roles/auth/templates/settings.yaml.j2 0 → 100644 +35 −0 Original line number Diff line number Diff line MIDDLEWARE: - django.middleware.security.SecurityMiddleware - django.contrib.sessions.middleware.SessionMiddleware - django.middleware.common.CommonMiddleware - django.middleware.csrf.CsrfViewMiddleware - django.contrib.messages.middleware.MessageMiddleware - 
django.middleware.clickjacking.XFrameOptionsMiddleware - authenticate.oauth2.middleware.BearerTokenAuthenticationMiddleware - authenticate.oidc.middleware.OpenIDConnectAuthenticationMiddleware - authorize.opa.middleware.OPAAuthorizationMiddleware OPA_SERVER: host: opa port: 8181 package_path: esgf rule_name: allow RESOURCE_URI_QUERY_KEY: rd RESOURCE_URI_HEADER_KEY: HTTP_X_ORIGINAL_URL # Group info keys for authorization OAUTH2_GROUPS_KEY: group_membership OIDC_GROUPS_KEY: group_membership # OAuth Bearer Token auth settings OAUTH_CLIENT_ID: OAUTH_CLIENT_SECRET: OAUTH_TOKEN_URL: OAUTH_TOKEN_INTROSPECT_URL: # OIDC auth settings OIDC_BACKEND_CLIENT_NAME: esgf AUTHLIB_OAUTH_CLIENTS: esgf: client_id: client_secret: authorize_url: userinfo_endpoint: client_kwargs: scope: openid profile email Loading
deploy/ansible/roles/auth/defaults/main.yml +10 −0 Original line number Diff line number Diff line Loading @@ -21,6 +21,16 @@ image_pull: true # Indicates if the auth service should be deployed or not auth_enabled: false # Default rego template (override this to use your own) auth_policy_template: policy.rego.j2 auth_policy_restricted_paths: [] # Settings for the opa image opa_image_prefix: "{{ image_prefix }}" opa_image_tag: "{{ image_tag }}" opa_image_pull: "{{ image_pull }}" opa_image_repository: opa # Settings for the auth-service image auth_image_prefix: "{{ image_prefix }}" auth_image_tag: "{{ image_tag }}" Loading
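Review bot: `auth_policy_restricted_paths: []` is the only knob that turns the generated policy's `violation` rules on, yet nothing says what an entry must contain; the rego template reads `name`, `path` and `group` from each item, and this defaults file is where an overriding operator will look. Suggest a comment above it such as `# List of {name, path, group} entries: a request whose path matches the regex in 'path' is denied unless the subject is in 'group' (an empty list restricts nothing)`. Next to `auth_policy_template` it would also help to note that a custom template must keep an `allow` rule, since that is the name the settings template queries via `rule_name: allow`.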
deploy/ansible/roles/auth/tasks/auth_install.yml +42 −1 Original line number Diff line number Diff line Loading @@ -4,7 +4,40 @@ docker_network: name: esgf - name: Start auth container - name: Make auth config directory file: path: /esg/config/auth state: directory - name: Write rego policy file template: src: "{{ auth_policy_template }}" dest: /esg/config/auth/policy.rego - name: Write auth service settings template: src: settings.yaml.j2 dest: /esg/config/auth/settings.yaml - name: Start the opa container docker_container: name: opa image: "{{ opa_image_prefix }}/{{ opa_image_repository }}:{{ opa_image_tag }}" pull: "{{ opa_image_pull }}" detach: yes restart_policy: unless-stopped exposed_ports: - "8181" networks: - name: esgf networks_cli_compatible: yes volumes: # Mount the policy for the opa server - "/esg/config/auth/policy.rego:/policies/policy.rego:ro" state: started recreate: yes - name: Start auth service container docker_container: name: auth image: "{{ auth_image_prefix }}/{{ auth_image_repository }}:{{ auth_image_tag }}" Loading @@ -15,3 +48,11 @@ - "8080" networks: - name: esgf networks_cli_compatible: yes volumes: # Mount the settings for the auth service - "/esg/config/auth/settings.yaml:/etc/django/settings.d/20-runtime-settings.yaml:ro" # Mount the settings for the auth service - "/esg/config/auth/staticfiles:/var/django/staticfiles:ro" state: started recreate: yes
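Review bot: The `Write auth service settings` task renders the file that is meant to hold `OAUTH_CLIENT_SECRET` and the OIDC `client_secret`, but it sets no `mode` or `owner`, so the file lands with the remote umask default, which is typically world-readable. Add `mode: "0600"` to that task (or a group-readable mode matching the uid the auth container runs as, which this hunk does not show) and consider `mode: "0700"` on the `Make auth config directory` task. Two smaller things in the same hunks: the docker_container tasks use `yes` for `detach` and `networks_cli_compatible` where the role's other booleans are written `true`/`false` (`image_pull: true`), and the comment above the staticfiles mount in the second hunk is a copy of the settings-mount comment; `# Mount the collected static files for the auth service` would describe that line. The host path `/esg/config/auth/staticfiles` is not created by any task shown here; presumably Docker creates it empty on first start, which is worth confirming.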
deploy/ansible/roles/auth/tasks/auth_uninstall.yml +6 −1 Original line number Diff line number Diff line --- - name: Stop auth container - name: Stop opa container docker_container: name: opa state: absent - name: Stop auth service container docker_container: name: auth state: absent Loading
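Review bot: Uninstall removes both containers but leaves `/esg/config/auth` behind, including `settings.yaml`, the file the install tasks intend to hold the OAuth/OIDC client secrets. If that is deliberate (keep operator configuration across reinstalls) a comment saying so would help; otherwise add a task such as `- name: Remove auth config directory` with `file: path: /esg/config/auth` and `state: absent`. Either way it is a two- or three-line change to a file this small.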
deploy/ansible/roles/auth/templates/policy.rego.j2 0 → 100644 +33 −0 Original line number Diff line number Diff line package esgf default allow = false # Determine access to the resource allow = true { allowed_hosts[resource_host] count(violation) == 0 } # Check that the user belongs to a certain group has_group(name) { some i input.subject.groups[i] == name } # Separate parts of a resource URL, if applicable parts := regex.find_all_string_submatch_n("^(?:(?:http|https|ftp):\/\/([^\/ ]*))?(\/.*)", input.resource, -1) resource_host := parts[_][1] resource_path := parts[_][2] # Declare all allowed resource hosts allowed_hosts := { "{{ ansible_host }}", } # Check requested path against restricted paths {% for restricted_path in auth_policy_restricted_paths %} violation["{{ restricted_path['name'] }}"] { regex.match("{{ restricted_path['path'] }}", resource_path) not has_group("{{ restricted_path['group'] }}") } {% endfor %} No newline at end of file
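Review bot: With the default `auth_policy_restricted_paths: []` the `{% for %}` loop emits no `violation` rule at all, so `count(violation) == 0` in `allow` refers to a name that is neither a rule in the package nor a bound variable; OPA is expected to reject the rendered policy as unsafe rather than evaluate it, which would leave the auth service without a working `allow` rule (worth confirming with `opa check` on the rendered file). A guard such as `violation["none"] { false }` placed before the loop keeps the set defined and empty. Separately, `name`, `path` and `group` are pasted into Rego string literals verbatim, so a value containing `"` or `\` breaks the policy; rendering them with `{{ restricted_path['path'] | to_json }}` (and dropping the surrounding quotes) produces a correctly escaped literal. Note also that `regex.match` is unanchored, so operators should write anchored patterns such as `^/restricted/` to avoid a substring match anywhere in the path, and that the host capture `([^\/ ]*)` keeps any `:port` or `user@` prefix, so `allowed_hosts` containing only `{{ ansible_host }}` will deny resource URLs that carry a port — fail-closed, but easy to hit.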
deploy/ansible/roles/auth/templates/settings.yaml.j2 0 → 100644 +35 −0 Original line number Diff line number Diff line MIDDLEWARE: - django.middleware.security.SecurityMiddleware - django.contrib.sessions.middleware.SessionMiddleware - django.middleware.common.CommonMiddleware - django.middleware.csrf.CsrfViewMiddleware - django.contrib.messages.middleware.MessageMiddleware - django.middleware.clickjacking.XFrameOptionsMiddleware - authenticate.oauth2.middleware.BearerTokenAuthenticationMiddleware - authenticate.oidc.middleware.OpenIDConnectAuthenticationMiddleware - authorize.opa.middleware.OPAAuthorizationMiddleware OPA_SERVER: host: opa port: 8181 package_path: esgf rule_name: allow RESOURCE_URI_QUERY_KEY: rd RESOURCE_URI_HEADER_KEY: HTTP_X_ORIGINAL_URL # Group info keys for authorization OAUTH2_GROUPS_KEY: group_membership OIDC_GROUPS_KEY: group_membership # OAuth Bearer Token auth settings OAUTH_CLIENT_ID: OAUTH_CLIENT_SECRET: OAUTH_TOKEN_URL: OAUTH_TOKEN_INTROSPECT_URL: # OIDC auth settings OIDC_BACKEND_CLIENT_NAME: esgf AUTHLIB_OAUTH_CLIENTS: esgf: client_id: client_secret: authorize_url: userinfo_endpoint: client_kwargs: scope: openid profile email
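Review bot: The template contains no Jinja expressions, so `OAUTH_CLIENT_ID`, `OAUTH_CLIENT_SECRET`, `OAUTH_TOKEN_URL`, `OAUTH_TOKEN_INTROSPECT_URL` and the `esgf` client's `client_id`/`client_secret`/`authorize_url`/`userinfo_endpoint` always render as YAML `null`, and unlike the rego policy there is no template-override variable in the defaults hunk, so an operator has to edit the role itself to set credentials. Suggest templating each from a role variable, e.g. `OAUTH_CLIENT_SECRET: "{{ auth_oauth_client_secret }}"` (variable name illustrative), declared in `defaults/main.yml` alongside the other `auth_*` settings, keeping the quotes so an empty or numeric-looking value stays a string. How the two auth middlewares behave with null client settings is not visible here; confirm they fail closed rather than skipping authentication. `port: 8181` under `OPA_SERVER` duplicates the `exposed_ports` value of the opa container, so a change in one place must be mirrored in the other; a shared variable would avoid that.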