LDAP Auth configuration sample

Issue #73 resolved
DesmondC created an issue

Dear Sir

Is it possible to provide an LDAP (goauth) configuration sample in go-d.ini? I've referenced the old issue and documentation, but it's hard for me to understand.

Sorry I hate to bother you with this but I really have to use LDAP for our environment.

※Because of the time zone difference, I'll be late to reply

Comments (56)

  1. Olivier Sallou repo owner

    well, it depends on your ldap (openldap, activedirectory, secure or not...) but here is an example:

    auth_policy: 'goauth'
    
    ldap_host: 'myldaphost'
    ldap_port: 389
    ldap_dn: 'dc=mycompany,dc=org'
    ldap_base_dn_filter: 'ou=People'
    ldap_admin_dn: null
    ldap_admin_password: null
    ldap:
        ssl: false
        # LDAP field mapping
        fields:
            homeDirectory: 'homeDirectory'
    

    for anonymous find/bind, and users defined in "sub tree" People

  2. DesmondC reporter
    Sir, my configuration is here. Do you have any further suggestions?
    Chrome Dev Console Messages:
    Request error ../user/bind 401 Unauthorized
     #######################Authentication #######################
    auth_policy: 'goauth'
    
    # LDAP
    ldap_host: 172.20.10.1
    ldap_port: 389
    ldap_dn: "dc=mydomain,dc=com"
    ldap_base_dn_filter: 'ou=it,ou=user,ou=mydomain'
    ldap_base_dn_group_filter: 'ou=it,ou=user,ou=mydomain'
    ldap_admin_dn: 'cn=acct0001,ou=rd,ou=sys,ou=it,ou=user,ou=mydomain,dc=mydomain,dc=com'
    ldap_admin_password: 'xxxx'
    
    ldap:
        # Use ldaps (check that ldap_port matches ssl port of the ldap server)
        ssl: false
        # LDAP field mapping
        fields:
            homeDirectory: 'HomeDirectory'
        # Fields use to map user login against ldap entries
        ids:
            - 'sAMAccountName'
            - 'mail'
    
    ######Error message in godweb.log######
    2018-05-30 08:23:08,961 ERROR [godweb][DummyThread-19] list index out of range
    Traceback (most recent call last):
      File "/opt/go-docker/plugins/goauth.py", line 147, in __get_ldap_user_info
        userId = entry['uid'][0]
    IndexError: list index out of range
    2018-05-30 08:23:08,961 ERROR [godweb][DummyThread-19] list index out of range
    Traceback (most recent call last):
      File "/opt/go-docker/plugins/goauth.py", line 147, in __get_ldap_user_info
        userId = entry['uid'][0]
    IndexError: list index out of range
    
  3. DesmondC reporter

    Sir, finally, I've modified goauth.py following the Issue #59 discussion. Login to godweb now succeeds. Must this be modified when you use LDAP auth?

  4. DesmondC reporter

    Another question: the option "admin = root" in production.ini (go-docker-web), does it work to set an LDAP user there?

  5. Olivier Sallou repo owner

    Regarding admin in production.ini, it is the list of user ids that are considered as admin; it can be any ldap user. Ids are the ones used to log in.

  6. Olivier Sallou repo owner

    Regarding ldap, do you use active directory? Don't your ldap users have uid and uidNumber/gidNumber attributes? In logs it seems that auth binding was ok but did not find a uid attribute in the ldap response. Godocker auths the user against ldap and runs the job with his linux account uid and gid. Patch in issue 59 was to force a uid/gid for all users because ldap did not define the posix account schema. When ldap has posix accounts, goauth can be used without modification.

    The problem with this fix is all jobs are executed with the same uid/gid, so users have the same rights and may read/overwrite some other users data. This must be used only in trusted env.

    I could add an option for a default user mapping for non posix accounts

  7. DesmondC reporter
    Sir, Thank you for reply.
    
    Q1: admin option => it is a case-sensitive issue
    Q2: I'll try to create ActiveDirectory attributes mapping UID/GID, which is more secure in a production env.
    
  8. Olivier Sallou repo owner

    Yes, it is case sensitive. At login, goauth extracts from login the attributes uid, uidNumber, gidNumber. The uid is used as the user identifier, and is compared to "admin" in production.ini (case sensitive). If you patched according to #59, then uid would be the sAMAccountName field. This field is also shown as your user identifier in web interface.

    uid/uidNumber/gidNumber are then used at job time, in container, to create a local container user and job script is executed with this local user.

  9. Olivier Sallou repo owner

    I have updated in branch develop goauth to support non posix LDAPs.

    You can try updates if you want: https://bitbucket.org/osallou/go-docker/commits/c0f5ae0d155edc45a1b6482eaad336e850fa36af it updates go-d.ini.sample and plugins/goauth.py

    In go-d.ini impact would be in your case:

    ldap:
        # Use ldaps (check that ldap_port matches ssl port of the ldap server)
        ssl: false
        # LDAP field mapping
        fields:
            homeDirectory: 'HomeDirectory'
        # Fields use to map user login against ldap entries
        ids:
            - 'sAMAccountName'
            - 'mail'
        # if ldap does not have a uid attribute, use this attribute
        # to get user identifier (sAMAccountName for example with AD)
        fallback_user_id_attribute: 'sAMAccountName'
        # if ldap does not define POSIX account template and do not have uidNumber
        # and gidNumber attributes, use those default values
        # *WARNING*: all users will, in this case, use the same uid/gid, so must be
        # used in trusted environments only!!
        fallback_user_uidNumber: null
        fallback_user_gidNumber: null
    

    if you don't have uidNumber/gidNumber, you could set fallback_user_uidNumber/gidNumber to an arbitrary value (1001 for example) that would be used for all users (like in issue #59)

  10. DesmondC reporter

    Is it possible to map uid/gid when the computing node joins the domain (like samba)? Let uid/gid use the samba mapping range.

    samba option: idmap config * : range = 1000 - 200000000

  11. Olivier Sallou repo owner

    I don't really understand the question, I don't use samba.

    goauth requests info from ldap then uses that information to create the user in the container. The request occurs on the godocker web server and the user is created in the container on compute nodes.

    if some information comes from another system than ldap, then you can customize goauth (or create another authorization plugin based on goauth).

    in goauth.py, when trying to set :

                        ...
                        uidNumber = entry['uidNumber'][0]
                        gidNumber = entry['gidNumber'][0]
                        ....
    

    you could get information for any requested system.

    In localauth, for example, we get uid and gid directly from local system

            if uid is None:
                uid = pwd.getpwnam(login).pw_uid
            if gid is None:
                gid = pwd.getpwnam(login).pw_gid
            if sgids is None:
                sgids = self.get_groups(login)
    

    if you need some information from ldap and other from local server or any other system, then you can customize goauth to do this.

    For samba itself, I don't know how it works.

  12. Olivier Sallou repo owner

    It looks, however, like if you use samba, your ldap should already contain uidNumber and gidNumber, so using goauth as is should be ok. If the only missing info is uid, with my last commit, filling

     fallback_user_id_attribute: 'sAMAccountName'
    

    would be enough, and uidNumber and gidNumber would be fetched from ldap.

  13. DesmondC reporter
    Trying the develop goauth.py & go-d.ini:
    
    Traceback (most recent call last):
      File "/opt/go-docker/plugins/goauth.py", line 165, in __get_ldap_user_info
        homeDirectory = entry[homeDirectoryField][0]
    IndexError: list index out of range
    2018-05-30 16:50:28,518 ERROR [godweb][DummyThread-3] list index out of range
    Traceback (most recent call last):
      File "/opt/go-docker/plugins/goauth.py", line 165, in __get_ldap_user_info
        homeDirectory = entry[homeDirectoryField][0]
    IndexError: list index out of range
    
  14. Olivier Sallou repo owner

    entry[homeDirectoryField][0] is not found

    You should define in god.ini the field where the home directory is defined in your ldap. Default is homeDirectory but you can specify a different field name in the ldap fields homeDirectory section.

  15. DesmondC reporter

    could you give me a sample about homeDirectory setting at go-d.ini?

    Default is homeDirectory => you mean /home/UID?

  16. Olivier Sallou repo owner

    you should update homeDirectory field to match the field in your ldap that contains the user home directory (/home/UID or equivalent).

    ldap:
        # Use ldaps (check that ldap_port matches ssl port of the ldap server)
        ssl: false
        # LDAP field mapping
        fields:
            homeDirectory: 'field_name_in_your_ldap'
    

    field_name_in_your_ldap depends on your ldap schema

  17. DesmondC reporter

    I think if you could design this attribute like fallback_user_id_attribute, it may make the setting easier.

  18. Olivier Sallou repo owner

    I can't change without breaking existing install

    or I could change fallback_user_id_attribute to be in ldap/fields, something like:

    ldap:
        # Use ldaps (check that ldap_port matches ssl port of the ldap server)
        ssl: false
        # LDAP field mapping
        fields:
            homeDirectory: 'field_name_in_your_ldap'
            uid: 'sAMAccountName'
    

    just keeping fallback for uidNumber and gidNumber where we define non existing ldap fields

  19. Olivier Sallou repo owner

    I have updated code to define mapping as above, uidNumber and gidNumber fallbacks are kept
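An added example, not go-docker's own goauth.py, showing the mapping that comments 9, 14 and 18 describe: the user identifier comes from ldap/fields/uid (sAMAccountName for AD), the home directory from ldap/fields/homeDirectory, and uidNumber/gidNumber from LDAP with the fallback_user_* values as a last resort. The in-memory CONFIG dict, the attribute name unixHomeDirectory and the sample entries are constructed assumptions; the point is that a missing or empty attribute produces a named error instead of the `list index out of range` traceback seen earlier in the thread.

```python
"""Added example, not go-docker's own goauth.py: resolve the identifiers a
job runs with (uid, uidNumber, gidNumber, homeDirectory) from one LDAP entry
using the ldap/fields mapping and the fallback_user_* values discussed in
this thread, and raise a clear error instead of an IndexError when an
attribute is missing or empty."""
from typing import Dict, List, Optional

# Hypothetical in-memory form of the go-d.ini 'ldap' section above.
# 'unixHomeDirectory' is an assumed AD attribute name; use whatever your
# schema actually defines.
CONFIG = {
    "fields": {"homeDirectory": "unixHomeDirectory", "uid": "sAMAccountName"},
    "fallback_user_uidNumber": None,
    "fallback_user_gidNumber": None,
}

# Constructed sample entries in python-ldap's shape: attribute -> list of bytes.
AD_POSIX_ENTRY = {
    "sAMAccountName": [b"acct0001"],
    "mail": [b"acct0001@mydomain.example"],
    "uidNumber": [b"10001"],
    "gidNumber": [b"10001"],
    "unixHomeDirectory": [b"/home/acct0001"],
}
AD_NO_POSIX_ENTRY = {   # no uidNumber/gidNumber: AD without the POSIX schema
    "sAMAccountName": [b"acct0002"],
    "unixHomeDirectory": [b"/home/acct0002"],
    "uid": [],          # an empty list is what raised 'list index out of range'
}


class LdapMappingError(Exception):
    """A required attribute is absent and no fallback covers it."""


def _first(entry: Dict[str, List[bytes]], attr: str) -> Optional[str]:
    """First value of attr as str, or None when the attribute is absent/empty."""
    values = entry.get(attr) or []
    if not values:
        return None
    value = values[0]
    return value.decode() if isinstance(value, bytes) else str(value)


def map_ldap_user(entry: Dict[str, List[bytes]], config: dict = CONFIG) -> dict:
    fields = config.get("fields", {})
    # User identifier: 'uid' unless ldap/fields/uid maps it to another attribute.
    uid = _first(entry, fields.get("uid", "uid"))
    if uid is None:
        raise LdapMappingError("no uid attribute; set ldap/fields/uid (e.g. sAMAccountName)")
    # POSIX ids: take them from LDAP, else from fallback_user_uidNumber/gidNumber.
    posix = {}
    for name in ("uidNumber", "gidNumber"):
        value = _first(entry, name)
        if value is None:
            value = config.get("fallback_user_" + name)
        if value is None:
            raise LdapMappingError(f"no {name} attribute and no fallback_user_{name} set")
        posix[name] = int(value)
    home = _first(entry, fields.get("homeDirectory", "homeDirectory"))
    if home is None:
        raise LdapMappingError("home directory attribute missing; check ldap/fields/homeDirectory")
    return {"uid": uid, "homeDirectory": home, **posix}


def try_map(entry: Dict[str, List[bytes]], config: dict = CONFIG) -> dict:
    """Wrapper that reports a mapping failure as a message instead of raising."""
    try:
        return map_ldap_user(entry, config)
    except LdapMappingError as exc:
        return {"error": str(exc)}


if __name__ == "__main__":
    print(try_map(AD_POSIX_ENTRY))
    print(try_map(AD_NO_POSIX_ENTRY))
    # Shared fallback ids, as in issue #59: every user gets the same uid/gid.
    shared = dict(CONFIG, fallback_user_uidNumber=1001, fallback_user_gidNumber=1001)
    print(try_map(AD_NO_POSIX_ENTRY, shared))
```

The shared-fallback case is the one the repo owner warns about: with the same uidNumber/gidNumber for every user, jobs of different users run under one identity and can read or overwrite each other's files, so prefer real POSIX attributes in LDAP where the directory can provide them.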

  20. DesmondC reporter
    Sorry Sir, about the quota setting:
    I've configured it as below, but the user quota information always shows 0s and 0%
    
    # Quotas ###################################
    quotas:
      # Kill running jobs if quota is reached
      kill_on_limit: true
      defaults:
        users:
            quota_time: 10000
            quota_cpu: 3600
            quota_ram: 48
            quota_gpu: 3600
    
  21. Olivier Sallou repo owner

    Defaults are put in user info at first user login. Did you set defaults before first login? Else it used 0 as default.

    New users should get your defaults. Existing users in godocker can be updated by web ui / api or by removing the user from mongo (login will recreate the user). Only admin can modify them of course

  22. Olivier Sallou repo owner

    When you execute job, it is rejected due to quota? You use default project? What is in scheduler logs?

  23. DesmondC reporter

    When you execute job, => after quota setting (I've removed the user), it is rejected due to quota? (=> yes). You use default project? (yes, but I have not set the project quota). What is in scheduler logs? => (nothing about this. I use the tail command to follow log output)

    ※attach the job status capture

  24. DesmondC reporter
    quota setting as below (go-d.ini):
    I've tried another new user and the job submit is ok.
    Which log file could I check about the quota reached limitation?
    
    # Quotas ###################################
    quotas:
      # Kill running jobs if quota is reached
      kill_on_limit: true
      defaults:
        users:
            quota_time: 1000000
            quota_cpu: 360000
            quota_ram: 0
            quota_gpu: 360000
    
  25. Olivier Sallou repo owner

    if not set, set the log level to DEBUG in go-d.ini:

    ...
        'watcher':
            'class': 'logging.FileHandler'
            'filename': 'godwatcher.log'
            'formatter': 'generic'
            'level': 'DEBUG'
        'scheduler':
            'class': 'logging.FileHandler'
            'filename': 'godscheduler.log'
            'formatter': 'generic'
            'level': 'DEBUG'
    ....
        'godocker-watcher':
            'level': 'DEBUG'
            'handlers':
                - 'console'
                - 'watcher'
        'godocker-scheduler':
            'level': 'DEBUG'
            'handlers':
                - 'console'
                - 'scheduler'
    

    then execute a job

    in godscheduler log file you should see something like:

    Quota:IsReached:xxxx

  26. Olivier Sallou repo owner

    could you also give the json of the task (can extract it from the network tab of your browser developer tools)

  27. Olivier Sallou repo owner

    You say: "I've tried another new user the job submit is ok."

    you mean it is ok for a new user? It shows correct quotas info, and job is scheduled.

    so the pb seems to be linked to users created before setting quotas? Maybe there was an issue in the manually updated quota.

  28. Olivier Sallou repo owner

    I don't understand, your projects quotas are set to 0 (which is fine for default project), and your user quota are correctly set in task. So it seems it finds some reason to reject, though the GUI shows 0% of use...

  29. Olivier Sallou repo owner

    For debug only, could you modify godocker/godscheduler.py:

    reject = reject or quotaTools.is_quota_exceeded(task, get_usage)
    =>
    reject = reject or quotaTools.is_quota_exceeded(task, get_usage, logger=self.logger)
    

    and godocker/quotaTools.py

    def is_quota_exceeded(task, get_usage, duration=0):
    =>
    def is_quota_exceeded(task, get_usage, duration=0, logger=None):
    ...
    if __is_quota_present(requirements, mapping):
        usage = get_usage(user[key], kind)
    +     if logger:
    +       logger.warn("##QUOTA " + str(kind) + ","  + str(usage))
    

    goscheduler.log should display the found quotas for your task

  30. DesmondC reporter
    debug message:
    ##QUOTA user,{'total_time': 1960200.0, 'total_cpu': 1963604.0, 'total_gpu': 4161.0, 'total_ram': 1987671.0}
    
    This user has submitted a hundred jobs (my test account) before setting the default quota (removing the user); all the submit records still exist in the "webpage overjobs table". Is that a reason giving rise to quota reached?
    
  31. Olivier Sallou repo owner

    It indeed gets some past usage info, so quota is indeed reached and user tasks rejected. What I don't understand is why it shows 0% of use in web ui. Quota is calculated on a sliding window. You can delete his past usage in redis if needed, or in the meanwhile, set this user quota back to 0s

  32. DesmondC reporter

    The quota usage always shows 0% in another new user. Maybe something wrong with my environment, btw let me disable quota limit

  33. Olivier Sallou repo owner

    Usage info is fetched from the user info page; you should see the network request sent to the server. Could I get user and usage json? (to see if it is a display error or request pb).

  34. DesmondC reporter

    Hi Sir, thank you very much. A question: is the Quotas & priorities display real-time after refreshing the page?

    I've submitted multiple jobs then monitored the usage via the dev console; it seems to always stay at 1% and the same value (watched in usage json)

  35. Olivier Sallou repo owner

    no, quota limit is checked during job execution, but display is only on terminated jobs because it would need a lot of requests/computation to get current status, and is not really effective for a web request. But godwatcher calculates the current quota for the current job. However it counts only past usage + current task (not what other running tasks are using)

  36. DesmondC reporter

    it counts only past usage + current task => In these conditions, if the quota is full, how could the quota be reset? (Resetful to reset by user?)

  37. Olivier Sallou repo owner

    What do you mean? Quota is calculated on the last X days (X is configured in god.ini, a sliding window). So it will count for example past usage during the last 30 days. This is not calendar based (reset on the 1st of the month for example)

    Api and godocker cli provide project quota full reset, but I don't think there is one for user. I think I should add one.
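An added example, not go-docker's own quotaTools or godwatcher code, illustrating the sliding-window behaviour described in the last few comments: past usage is the sum over terminated jobs that ended inside the last X days, the task being checked is added on top, other running tasks are not counted, and nothing resets on a calendar date because old jobs simply age out of the window. The Job class, the 30-day window, the resource-seconds units, treating a 0 quota as unlimited, and the job history are all constructed assumptions of this example; the quota keys are those of the go-d.ini `quotas` defaults quoted above.

```python
"""Added example, not go-docker's own quotaTools/godwatcher code: a
sliding-window quota check as described above. Usage is the sum over
terminated jobs that ended within the last N days plus the task being
checked; there is no calendar-based reset, old jobs simply age out."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class Job:
    ended: datetime   # end time of a terminated job (or submit time of the task)
    cpu: int          # cores requested
    ram: int          # GB requested
    gpu: int          # GPUs requested
    seconds: int      # run time in seconds


# Assumed window length; the thread only says X days is configured in god.ini.
QUOTA_WINDOW_DAYS = 30
# Same keys as the go-d.ini 'quotas' defaults above; 0 is treated as unlimited
# here (an assumption of this example).
USER_QUOTA = {"quota_time": 1000000, "quota_cpu": 360000, "quota_ram": 0, "quota_gpu": 360000}

# Constructed history: 100 one-hour single-core jobs a week ago, plus one older job.
NOW = datetime(2018, 6, 1, 12, 0)
PAST_JOBS = [Job(datetime(2018, 5, 25, 12, 0), cpu=1, ram=4, gpu=0, seconds=3600)
             for _ in range(100)]
PAST_JOBS.append(Job(datetime(2018, 4, 1, 12, 0), cpu=8, ram=32, gpu=1, seconds=36000))
TASK = Job(NOW, cpu=1, ram=4, gpu=0, seconds=3600)


def usage_in_window(jobs: List[Job], now: datetime,
                    window_days: int = QUOTA_WINDOW_DAYS) -> Dict[str, float]:
    """Past usage inside the sliding window, in the shape of the ##QUOTA debug
    line above (total_time in seconds, the others as resource-seconds, assumed units)."""
    since = now - timedelta(days=window_days)
    total = {"total_time": 0.0, "total_cpu": 0.0, "total_ram": 0.0, "total_gpu": 0.0}
    for job in jobs:
        if job.ended < since:
            continue  # aged out of the window
        total["total_time"] += job.seconds
        total["total_cpu"] += job.cpu * job.seconds
        total["total_ram"] += job.ram * job.seconds
        total["total_gpu"] += job.gpu * job.seconds
    return total


def is_quota_exceeded(task: Job, usage: Dict[str, float],
                      quota: Dict[str, int] = USER_QUOTA) -> List[str]:
    """Names of the quotas that past usage + this task would exceed (empty = accept).
    Other running tasks are not counted, matching the behaviour described above."""
    cost = {
        "quota_time": ("total_time", task.seconds),
        "quota_cpu": ("total_cpu", task.cpu * task.seconds),
        "quota_ram": ("total_ram", task.ram * task.seconds),
        "quota_gpu": ("total_gpu", task.gpu * task.seconds),
    }
    exceeded = []
    for key, (usage_key, task_cost) in cost.items():
        limit = quota.get(key, 0)
        if limit and usage[usage_key] + task_cost > limit:
            exceeded.append(key)
    return exceeded


if __name__ == "__main__":
    usage = usage_in_window(PAST_JOBS, NOW)
    print("##QUOTA user,", usage)
    print("exceeded:", is_quota_exceeded(TASK, usage))
    # With a shorter window the 100 jobs (7 days old) have already aged out.
    print("exceeded (5-day window):",
          is_quota_exceeded(TASK, usage_in_window(PAST_JOBS, NOW, window_days=5)))
```

With the constructed history the hundred one-hour jobs put the user exactly at quota_cpu, so the next one-hour task is rejected even though nothing is running at that moment; that is the situation the reporter hit after submitting many test jobs before the defaults were set, and it clears only when those jobs leave the window or the usage records are removed.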
