Authentication

Different authentication mechanisms are available via plugins.

FakeAuth

For debugging and testing only: users can connect without a password.

GoAuth

This plugin authenticates against an LDAP directory. LDAP configuration must also be enabled on the servers running the web server, because the software extracts the user's primary and secondary groups with system calls.

At first login, the user is created in GoDocker; the account is then updated at regular intervals (if the last login is more than 1 day old).

LocalAuth

This plugin is mainly used for single-server or test environments where a central user database (LDAP) is not available.

Users need to be created/present with the same uid/gid on all nodes.

The administrator then needs to create the users in GoDocker using the create_local_user.py script in the seed directory. The password is not the system user password; it is defined when executing the script.

Once the user is created, the user can connect to GoDocker.

Proxy authentication (go-docker-web >= 1.2)

A web proxy can set the REMOTE_USER header after it has authenticated the user. If the header is set, GoDocker skips its own user authentication and login redirection.

This feature is optional and is enabled in the configuration.

If the option is enabled, the proxy must override the REMOTE_USER header on all requests, so that users cannot set it themselves to bypass authentication.

This feature must be combined with one of the other authentication plugins. REMOTE_USER handles user authentication, but the software still needs an authentication plugin to extract user information from LDAP, local accounts, etc.; the header's only role is to bypass the login/password checks.
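As a defence-in-depth complement to the proxy-side override described above, the application side can refuse the header from anything that is not the proxy. The following is an added example, not GoDocker code: it assumes the web application is served over WSGI and reads the header from the standard HTTP_REMOTE_USER key; the middleware name, the proxy addresses and the demo application are hypothetical.

```python
import ipaddress

# Assumption: addresses of the authenticating reverse proxy (constructed values).
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32"),
                   ipaddress.ip_network("10.0.0.5/32")]

# WSGI key for the REMOTE_USER request header. WSGI servers upper-case header
# names and turn "-" into "_", so "Remote-User" lands in the same key.
HEADER_KEY = "HTTP_REMOTE_USER"


def peer_is_trusted(environ, trusted=TRUSTED_PROXIES):
    """True only when the TCP peer is one of the configured proxies."""
    try:
        peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return False
    return any(peer in net for net in trusted)


class StripUntrustedRemoteUser:
    """Hypothetical WSGI middleware: drop REMOTE_USER unless the proxy sent it."""

    def __init__(self, app, trusted=TRUSTED_PROXIES):
        self.app = app
        self.trusted = trusted

    def __call__(self, environ, start_response):
        if HEADER_KEY in environ and not peer_is_trusted(environ, self.trusted):
            # Direct connection carrying the header: remove it so the
            # application falls back to its normal login check.
            del environ[HEADER_KEY]
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Stand-in application that reports which user it was told about."""
    user = environ.get(HEADER_KEY, "anonymous")
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [user.encode()]


def call(app, remote_addr, remote_user=None):
    """Run one constructed request through `app` and return the body text."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "REMOTE_ADDR": remote_addr}
    if remote_user is not None:
        environ[HEADER_KEY] = remote_user
    body = app(environ, lambda status, headers: None)
    return b"".join(body).decode()
```

This check only covers connections that do not come through the proxy; the proxy itself must still overwrite the header on every request it forwards, and the web server should not be reachable except through the proxy.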


Kerberos


Kerberos authentication has already been tested (thanks to Marius Wigger) and can be used as in the example below. In this case, the server is configured to support REMOTE_USER and Kerberos authentication is managed via a web proxy.

Kerberos client example
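import json
import requests
from requests_kerberos import HTTPKerberosAuth, DISABLED

# Kerberos (SPNEGO) authentication is handled by the web proxy in front of GoDocker.
# With mutual_authentication=DISABLED the client does not verify the server's
# Kerberos identity; the server is authenticated by the TLS check (verify=...).
kerberos_auth = HTTPKerberosAuth(mutual_authentication=DISABLED)

# CA bundle used to verify the gateway certificate.
# Raw string: in a normal string literal "\t" would be read as a tab.
ca_bundle = r"c:\path\to\CA.pem"

job = {
    "meta": {
        "name": "test-02"
    },
    "requirements": {
        "cpu": 1,
        "ram": 2
    },
    "container": {
        "image": "god-testimage/ubuntu-sshd",
        "volumes": [],
        "root": False
    },
    "command": {
        "interactive": False,
        "cmd": "sleep 6000"
    }
}

# Submit the task
response = requests.post("https://gatewayserver:3456/api/1.0/task", auth=kerberos_auth, verify=ca_bundle, json=job)
response.raise_for_status()  # stop on an authentication or server error
taskdata = json.loads(response.text)
task_id = taskdata["id"]

# Read the task back by id
response = requests.get("https://gatewayserver:3456/api/1.0/task/{0:d}".format(task_id), auth=kerberos_auth, verify=ca_bundle)
response.raise_for_status()
taskdata = json.loads(response.text)
print(taskdata)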