Merge pull request #3174 from phspagiari/feature_auth_ldap

feat(controller): Adding LDAP/AD auth support

Author: mboersma

controller/build.sh

@@ -16,7 +16,7 @@ DEBIAN_FRONTEND=noninteractive
 # HACK: install git so we can install bacongobbler's fork of django-fsm
 # install openssh-client for temporary fleetctl wrapper
 apt-get update && \
-    apt-get install -yq python-dev libffi-dev libpq-dev libyaml-dev git
+    apt-get install -yq python-dev libffi-dev libpq-dev libyaml-dev git libldap2-dev libsasl2-dev
 
 # install pip
 curl -sSL https://raw.githubusercontent.com/pypa/pip/6.0.8/contrib/get-pip.py | python -

controller/deis/settings.py

@@ -8,6 +8,10 @@
 import string
 import sys
 import tempfile
+import ldap
+
+from django_auth_ldap.config import LDAPSearch, GroupOfNamesType
+
 
 PROJECT_ROOT = os.path.normpath(os.path.join(os.path.dirname(__file__), '..'))
 
@@ -138,6 +142,7 @@
     'django.contrib.sites',
     'django.contrib.staticfiles',
     # Third-party apps
+    'django_auth_ldap',
     'guardian',
     'json_field',
     'gunicorn',
@@ -151,6 +156,7 @@
 )
 
 AUTHENTICATION_BACKENDS = (
+    "django_auth_ldap.backend.LDAPBackend",
     "django.contrib.auth.backends.ModelBackend",
     "guardian.backends.ObjectPermissionBackend",
 )
@@ -324,6 +330,16 @@
 #  server       - Hostname based on CoreOS server hostname
 UNIT_HOSTNAME = 'default'
 
+# LDAP DEFAULT SETTINGS (Overrided by confd later)
+LDAP_ENDPOINT = ""
+BIND_DN = ""
+BIND_PASSWORD = ""
+USER_BASEDN = ""
+USER_FILTER = ""
+GROUP_BASEDN = ""
+GROUP_FILTER = ""
+GROUP_TYPE = ""
+
 # Create a file named "local_settings.py" to contain sensitive settings data
 # such as database configuration, admin email, or passwords and keys. It
 # should also be used for any settings which differ between development
@@ -334,9 +350,41 @@
 except ImportError:
     pass
 
-
 # have confd_settings within container execution override all others
 # including local_settings (which may end up in the container)
 if os.path.exists('/templates/confd_settings.py'):
     sys.path.append('/templates')
     from confd_settings import *  # noqa
+
+# LDAP Backend Configuration
+# Should be always after the confd_settings import.
+LDAP_USER_SEARCH = LDAPSearch(
+    base_dn=USER_BASEDN,
+    scope=ldap.SCOPE_SUBTREE,
+    filterstr="(%s=%%(user)s)" % USER_FILTER
+)
+LDAP_GROUP_SEARCH = LDAPSearch(
+    base_dn=GROUP_BASEDN,
+    scope=ldap.SCOPE_SUBTREE,
+    filterstr="(%s=%s)" % (GROUP_FILTER, GROUP_TYPE)
+)
+AUTH_LDAP_SERVER_URI = LDAP_ENDPOINT
+AUTH_LDAP_BIND_DN = BIND_DN
+AUTH_LDAP_BIND_PASSWORD = BIND_PASSWORD
+AUTH_LDAP_USER_SEARCH = LDAP_USER_SEARCH
+AUTH_LDAP_GROUP_SEARCH = LDAP_GROUP_SEARCH
+AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()
+AUTH_LDAP_USER_ATTR_MAP = {
+    "first_name": "givenName",
+    "last_name": "sn",
+    "email": "mail",
+    "username": USER_FILTER,
+}
+AUTH_LDAP_GLOBAL_OPTIONS = {
+    ldap.OPT_X_TLS_REQUIRE_CERT: False,
+    ldap.OPT_REFERRALS: False
+}
+AUTH_LDAP_ALWAYS_UPDATE_USER = True
+AUTH_LDAP_MIRROR_GROUPS = True
+AUTH_LDAP_FIND_GROUP_PERMS = True
+AUTH_LDAP_CACHE_GROUPS = False

controller/requirements.txt

@@ -9,6 +9,7 @@ django-cors-headers==1.0.0
 django-fsm==2.2.0
 django-guardian==1.2.5
 django-json-field==0.5.7
+django-auth-ldap==1.2.5
 djangorestframework==3.0.5
 docker-py==0.7.2
 gunicorn==19.3.0
@@ -19,3 +20,4 @@ PyYAML==3.11
 setproctitle==1.1.8
 static==1.1.1
 South==1.0.2
+python-ldap==2.4.19

controller/templates/confd_settings.py

@@ -45,3 +45,16 @@
 WEB_ENABLED = bool({{ getv "/deis/controller/webEnabled" }})
 {{ end }}
 UNIT_HOSTNAME = '{{ if exists "/deis/controller/unitHostname" }}{{ getv "/deis/controller/unitHostname" }}{{ else }}default{{ end }}'
+
+# AUTH
+# LDAP
+{{ if exists "/deis/controller/auth/ldap/endpoint" }}
+LDAP_ENDPOINT = '{{ if exists "/deis/controller/auth/ldap/endpoint" }}{{ getv "/deis/controller/auth/ldap/endpoint"}}{{ else }} {{ end }}'
+BIND_DN = '{{ if exists "/deis/controller/auth/ldap/bind/dn" }}{{ getv "/deis/controller/auth/ldap/bind/dn"}}{{ else }} {{ end }}'
+BIND_PASSWORD = '{{ if exists "/deis/controller/auth/ldap/bind/password" }}{{ getv "/deis/controller/auth/ldap/bind/password"}}{{ else }} {{ end }}'
+USER_BASEDN = '{{ if exists "/deis/controller/auth/ldap/user/basedn" }}{{ getv "/deis/controller/auth/ldap/user/basedn"}}{{ else }} {{ end }}'
+USER_FILTER = '{{ if exists "/deis/controller/auth/ldap/user/filter" }}{{ getv "/deis/controller/auth/ldap/user/filter"}}{{ else }} {{ end }}'
+GROUP_BASEDN = '{{ if exists "/deis/controller/auth/ldap/group/basedn" }}{{ getv "/deis/controller/auth/ldap/group/basedn"}}{{ else }} {{ end }}'
+GROUP_FILTER = '{{ if exists "/deis/controller/auth/ldap/group/filter" }}{{ getv "/deis/controller/auth/ldap/group/filter"}}{{ else }} {{ end }}'
+GROUP_TYPE = '{{ if exists "/deis/controller/auth/ldap/group/type" }}{{ getv "/deis/controller/auth/ldap/group/type"}}{{ else }} {{ end }}'
+{{ end }}

docs/customizing_deis/controller_settings.rst

@@ -105,4 +105,51 @@ server
 
     Changes to ``/deis/controller/unitHostname`` requires either pushing a new build to 
     every application or scaling them down and up.
-    The change is only detected when a container unit is deployed.
+    The change is only detected when a container unit is deployed.
+
+Using a LDAP Auth
+-----------------
+Deis Controller supports Single Sign On access control, for now Deis is able to authenticate using LDAP or Active Directory.
+
+Settings used by LDAP
+^^^^^^^^^^^^^^^^^^^^^
+=========================================           =================================================================================
+setting                                             description
+=========================================           =================================================================================
+/deis/controller/auth/ldap/endpoint                 The full LDAP endpoint. (Ex.: ldap://ldap.company.com)
+/deis/controller/auth/ldap/bind/dn                  Full user for bind. (Ex.: user@company.com. For Anonymous bind leave blank)
+/deis/controller/auth/ldap/bind/password            Password of the user for bind. (For anonymous bind leave blank)
+/deis/controller/auth/ldap/user/basedn              The BASE DN where your LDAP Users are placed. (Ex.: OU=TeamX,DC=Company,DC=com)
+/deis/controller/auth/ldap/user/filter              The field that we will match with username of Deis. (In most cases is uuid, AD uses sAMAccountName)
+/deis/controller/auth/ldap/group/basedn             The BASE DN where the groups of your LDAP are are located. (Ex.: OU=Groups,OU=TeamX,DC=Company,DC=com)
+/deis/controller/auth/ldap/group/filter             The field that we will locate your groups with LDAPSearch. (In most cases is objectClass)
+/deis/controller/auth/ldap/group/type               The Groups type of LDAP. (Use groupOfNames if you don't know)
+=========================================           =================================================================================
+
+Configuring LDAP on Controller
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+.. important::
+
+    It's important that you register the first user of the default auth in order to have an admin ( see :ref:`Register a User <register-user>` ) without this you don't have any deis admin because LDAP users haven't this permission, you will need to set this later.
+    After this you need to disable the registration ( see :ref:`disable_user_registration` ) avoiding that "ghost" users register and access your Deis. The auth model of controller by default allows multiple source auths so LDAP and non-LDAP users will be able to login.
+
+
+.. code-block:: console
+
+    $ deisctl config controller set auth/ldap/endpoint=<ldap-endpoint>
+    $ deisctl config controller set auth/ldap/bind/dn=<bind-dn-full-user>
+    $ deisctl config controller set auth/ldap/bind/password=<bind-dn-user-password>
+    $ deisctl config controller set auth/ldap/user/basedn=<user-base-dn>
+    $ deisctl config controller set auth/ldap/user/filter=<user-filter>
+    $ deisctl config controller set auth/ldap/group/basedn=<group-base-dn>
+    $ deisctl config controller set auth/ldap/group/filter=<group-filter>
+    $ deisctl config controller set auth/ldap/group/type=<group-type>
+
+.. note::
+
+    You can set a LDAP user as admin by using ``deis perms:create <LDAP User> --admin`` with the admin created before.
+
+.. note::
+
+    LDAP support was contributed by community member Pedro Spagiari (`@phspagiari <http://github.com/phspagiari/>`_) and is unsupported by the Deis core team.

docs/docs_requirements.txt

@@ -13,13 +13,15 @@ django-cors-headers==1.0.0
 django-fsm==2.2.0
 django-guardian==1.2.5
 django-json-field==0.5.7
+django-auth-ldap==1.2.5
 djangorestframework==3.0.5
 docker-py==0.7.2
 gunicorn==19.3.0
 paramiko==1.15.2
 python-etcd==0.3.2
 PyYAML==3.11
 South==1.0.2
+python-ldap==2.4.19
 
 # Deis client requirements
 docopt==0.6.2

docs/using_deis/register-user.rst

@@ -1,6 +1,7 @@
 :title: Register a new Deis user using the client
 :description: First steps for developers using Deis to deploy and scale applications.
 
+.. _register-user:
 
 Register a User
 ===============

tests/bin/setup-node.sh

@@ -33,7 +33,7 @@ echo 'export PATH=$PATH:/usr/local/go/bin' >> /etc/profile
 echo "You must reboot for the global $PATH changes to take effect."
 
 # install test suite requirements
-apt-get install -yq curl mercurial python-dev libffi-dev libpq-dev libyaml-dev git postgresql postgresql-client
+apt-get install -yq curl mercurial python-dev libffi-dev libpq-dev libyaml-dev git postgresql postgresql-client libldap2-dev libsasl2-dev
 curl -sSL https://raw.githubusercontent.com/pypa/pip/6.0.8/contrib/get-pip.py | python -
 pip install virtualenv