Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enable external auth support and disabling of user/group mgmt #809

Merged
merged 1 commit into from
Aug 27, 2021
Merged

Enable external auth support and disabling of user/group mgmt #809

merged 1 commit into from
Aug 27, 2021
+118 −52

Conversation

chambridge
Copy link
Contributor

  • Enable development setup for external authentication
  • Disable user/group management

Related to ansible/galaxy_ng#889

@himdel
Copy link
Collaborator

himdel commented Aug 16, 2021

Question, isUserMgmtDisabled seems to be used everywhere where there's a check for user.model_permissions.{add_group,change_group,delete_group,add_user,change_user,delete_user}

Would it make sense to just have the backend remove these from the list of permissions, instead of adding extra logic?

@chambridge
Copy link
Contributor Author

Question, isUserMgmtDisabled seems to be used everywhere where there's a check for user.model_permissions.{add_group,change_group,delete_group,add_user,change_user,delete_user}

Would it make sense to just have the backend remove these from the list of permissions, instead of adding extra logic?

Thanks for the feedback! I will take a look to see if this can be updated in the backend.

@chambridge
Copy link
Contributor Author

@himdel I made the following update that reduced some of the usage you pointed out:
https://github.com/ansible/galaxy_ng/pull/889/files#diff-416aea42d5d99e187f7340543709cb3b126924b4fe30e6c36be869388c997845R132-R159

It was necessary to utilize the pattern for the user profile, to manage the human readable permission set, and for cases where permissions can be applied to groups (change_group permission); but you still need to hide adding/removing users from the group detail.

@chambridge chambridge marked this pull request as ready for review August 16, 2021 22:04
@himdel
Copy link
Collaborator

himdel commented Aug 18, 2021

Makes sense 👍 :)

One last thing I'm confused about...

@chambridge
Copy link
Contributor Author

chambridge commented Aug 18, 2021
edited
Loading

@himdel Thanks for the above. I set the default to match what was defined in Paths here: https://github.com/ansible/ansible-hub-ui/pull/809/files#diff-ee5c055de3e53b22e883d37e2b0ef701779dfbd11691ca5a6504df271b53e008L29

I'm not sure updating it to /ui/login is actually the right fix. My concern now is that in a non-development build (i.e. static content in django server) the login path will still be /ui/login and not trigger the Keycloak login.

Perhaps you have a thought here?

@himdel
Copy link
Collaborator

himdel commented Aug 18, 2021

hm, I see what you mean .. we can't pass the same UI_LOGIN_URI both to replace and to places which previously used Paths.login.

Sounds like we need to distinguish between external login uris for replace and internal login urls for Redirect.
Maybe a simple solution is to replace(UI_BASE + UI_LOGIN_URI) and keep UI_LOGIN_URI='/login'.

Though I wonder if we could make it simpler by leaving Paths.login as is, and adding UI_EXTERNAL_LOGIN_URI instead, which defaults to null, and whose presence always triggers a full location.replace redirect (regardless of dev vs prod).

@chambridge chambridge force-pushed the 863-ext-auth branch 2 times, most recently from e413d69 to 81fc7c2 Compare August 18, 2021 17:23
@chambridge
Copy link
Contributor Author

@himdel I like the simplicity of the UI_EXTERNAL_LOGIN_URI option. I've reverted those previous changes. I also updated the server-side code so feature flags can be obtained if not authenticated so the login flow can be dynamically determined via that API.

https://github.com/ansible/galaxy_ng/pull/889/files#diff-85ab1792a81296d83b329359f5e9d8262535dad7cfda367e28ae6df427f2c2a6R9

@chambridge
Enable external auth support and disabling of user/group mgmt
748909a 
* Enable development setup for external authentication
* Disable user/group management

Related to ansible/galaxy_ng#889
@chambridge chambridge requested a review from himdel August 19, 2021 13:39
@himdel
Copy link
Collaborator

himdel commented Aug 23, 2021

@chambridge I'm on PTO this week, removing the review request for now, feel free to re-add :)

If you do end up going the route of "UI_EXTERNAL_LOGIN_URI can either be an absolute url, or a relative one absolute to UI root", this is currently misconfigured as it's missing the UI_BASE_PATH prefix, at least for standalone.

(Unless /login is considered the external url as everything else is /ui/something.)
Also, can you write down the intended defaults please? I'm pretty sure standalone.dev should have that null, not /login. (Or /ui/login instead of /login.) (I'm guessing standalone devel mode is never using external auth, as for the others, I can't tell the intent.)

@himdel himdel removed their request for review August 23, 2021 13:25
@chambridge
Copy link
Contributor Author

chambridge commented Aug 23, 2021
edited
Loading

@chambridge I'm on PTO this week, removing the review request for now, feel free to re-add :)

If you do end up going the route of "UI_EXTERNAL_LOGIN_URI can either be an absolute url, or a relative one absolute to UI root", this is currently misconfigured as it's missing the UI_BASE_PATH prefix, at least for standalone.

(Unless /login is considered the external url as everything else is /ui/something.)
Also, can you write down the intended defaults please? I'm pretty sure standalone.dev should have that null, not /login. (Or /ui/login instead of /login.) (I'm guessing standalone devel mode is never using external auth, as for the others, I can't tell the intent.)

/login is considered the external url as there is a redirect that will handle the flow to keycloak in the backend (https://github.com/ansible/galaxy_ng/pull/889/files#diff-f00335e89bdbb1cc98ff1161298369ec25e0fcaf7baccc1cfff44b3e733bef71R54).

@chambridge
Copy link
Contributor Author

@newswangerd based on my responses above I'm not sure what you would like me to update. Feel free to take a look at the responses and give an update; I'll re-request a review.

@chambridge chambridge requested a review from newswangerd August 23, 2021 13:42
@newswangerd
Copy link
Member

@newswangerd based on my responses above I'm not sure what you would like me to update. Feel free to take a look at the responses and give an update; I'll re-request a review.

Looks like you addressed all my questions.

newswangerd
newswangerd requested changes Aug 27, 2021
View reviewed changes
config/standalone.dev.webpack.config.js
@@ -4,6 +4,7 @@ const webpackBase = require('./webpack.base.config');
const proxyHost = process.env.API_PROXY_HOST || 'localhost';
const proxyPort = process.env.API_PROXY_PORT || '5001';
const apiBasePath = process.env.API_BASE_PATH || '/api/automation-hub/';
const uiExternalLoginURI = process.env.UI_EXTERNAL_LOGIN_URI || '/login';
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It just occurred to me that this won't work. This data needs to be passed to the UI by the API.

These configurations only affect the UI at build time, not at run time. For this to work, the UI would have to be recompiled for each environment that it's deployed in since the SSO login URL will presumably be different for every deployment.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In production deployment the value will be the default /login. The login flow does a window.location.replace() which will hit the login redirect in the API https://github.com/ansible/galaxy_ng/pull/889/files#diff-f00335e89bdbb1cc98ff1161298369ec25e0fcaf7baccc1cfff44b3e733bef71R54 it doesn't put it under the UI base path. Which should then trigger the SSO login calls.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ah, so the redirrect happens on the api side. That makes sense.

@newswangerd newswangerd merged commit 503910e into ansible:master Aug 27, 2021
@ZitaNemeckova
Copy link
Member

ZitaNemeckova commented Aug 30, 2021
edited
Loading

In dev. env. it breaks with UI_EXTERNAL_LOGIN_URI.

Edit: nevermind. Backend and UI not in sync.

@chambridge
Copy link
Contributor Author

@ZitaNemeckova Do you have some logs or a link? I'm not encountering an error so I'm having trouble reproducing to try and resolve.

ZitaNemeckova added a commit to ZitaNemeckova/ansible-hub-ui that referenced this pull request Aug 30, 2021
@ZitaNemeckova
Revert "Enable external auth support and disabling of user/group mgmt (
e30cb15 
…ansible#809)"

This reverts commit 503910e.
@ZitaNemeckova
Copy link
Member

@chambridge It was my env. not having UI in sync with backend. Sorry for false alarm.

@himdel himdel mentioned this pull request Aug 31, 2021
Merged
@himdel himdel mentioned this pull request Oct 7, 2021
Merged
@patchback patchback bot mentioned this pull request Oct 11, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@himdel himdel

@newswangerd newswangerd

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@chambridge @himdel @newswangerd @ZitaNemeckova