Set up web based login

Select one of the following login mechanisms for your cluster.

  1. If all users will authenticate with Google, configure Google login.
  2. If all users will authenticate with an OpenID Connect provider (other than Google), configure OpenID Connect.
  3. If all users will authenticate with an existing LDAP service, configure LDAP.
  4. If all users will authenticate using PAM as configured on your controller node, configure PAM.

Google login

With this configuration, users will sign in with their Google accounts.

Use the Google Developers Console to create a set of client credentials.

  1. Select or create a project.
  2. Click + Enable APIs and Services.
    • Search for People API and click Enable API.
    • Navigate back to the main “APIs & Services” page.
  3. On the sidebar, click OAuth consent screen.
    • On consent screen settings, enter your identifying details.
    • Under Authorized domains add your domain (example.com).
    • Click Save.
  4. On the sidebar, click Credentials, then click Create credentials, then OAuth client ID.
  5. Under Application type select Web application.
  6. Add the JavaScript origin: https://ClusterID.example.com/
  7. Add the Redirect URI: https://ClusterID.example.com/login
  8. Copy the values of Client ID and Client secret to the Login.Google section of config.yml.
    Login:
      Google:
        Enable: true
        ClientID: "0000000000000-zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz.apps.googleusercontent.com"
        ClientSecret: "zzzzzzzzzzzzzzzzzzzzzzzz"

OpenID Connect

With this configuration, users will sign in with a third-party OpenID Connect provider. The provider will supply appropriate values for the issuer URL, client ID, and client secret config entries.

    Login:
      OpenIDConnect:
        Enable: true
        Issuer: https://accounts.example.com/
        ClientID: "0123456789abcdef"
        ClientSecret: "zzzzzzzzzzzzzzzzzzzzzzzz"

Check the OpenIDConnect section in the default config file for more details and configuration options.

LDAP

With this configuration, authentication uses an external LDAP service like OpenLDAP or Active Directory.

Enable LDAP authentication and provide your LDAP server’s host, port, and credentials (if needed to search the directory) in config.yml:

    Login:
      LDAP:
        Enable: true
        URL: ldap://ldap.example.com:389
        SearchBindUser: cn=lookupuser,dc=example,dc=com
        SearchBindPassword: xxxxxxxx
        SearchBase: ou=Users,dc=example,dc=com

The email address reported by LDAP will be used as the primary key for Arvados accounts. This means users must not be able to edit their own email addresses in the directory.

Additional configuration settings are available:

  • StartTLS is enabled by default.
  • StripDomain and AppendDomain modify the username entered by the user before searching for it in the directory.
  • SearchAttribute (default uid) is the LDAP attribute used when searching for usernames.
  • SearchFilters accepts LDAP filter expressions to control which users can log in.

Check the LDAP section in the default config file for more details and configuration options.

PAM

With this configuration, authentication is done according to the Linux PAM (“Pluggable Authentication Modules”) configuration on your controller host.

Enable PAM authentication in config.yml:

    Login:
      PAM:
        Enable: true

Check the default config file for more PAM configuration options.

The default PAM configuration on most Linux systems uses the local user/password database in /etc/passwd and /etc/shadow for all logins. In this case, in order to log in to Arvados, users must have a UNIX account and password on the controller host itself. This can be convenient for a single-user or test cluster. Configuring a user account with a shell of /bin/false lets the user log in to Arvados but not obtain a shell login on the controller host.

PAM can also be configured to use other authentication systems such as NIS or Kerberos. In a production environment, the PAM configuration should use the service name (“arvados” by default) and set a separate policy for Arvados login. In this case, Arvados users should not have shell accounts on the controller node.

For information about configuring PAM, refer to the PAM System Administrator’s Guide.
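The following is an added pre-flight check for the Login section of config.yml, written for this page and not part of Arvados itself. It assumes config.yml has already been loaded into a Python dict (for example with a YAML parser) and checks only the keys described above: exactly one mechanism enabled, an https Issuer for OpenID Connect, a plain ldap:// URL never combined with StartTLS disabled, and no placeholder secrets left in place.

```python
# Added example, not Arvados code: lint the Login section of config.yml
# before enabling a mechanism. Input is the already-parsed Login mapping.

MECHANISMS = ("Google", "OpenIDConnect", "LDAP", "PAM")
# Placeholder values as they appear in the snippets on this page (constructed set)
PLACEHOLDER_SECRETS = {"", "xxxxxxxx", "zzzzzzzzzzzzzzzzzzzzzzzz"}


def lint_login(login: dict) -> list:
    """Return a list of findings; an empty list means the section looks sane."""
    findings = []
    enabled = [m for m in MECHANISMS if (login.get(m) or {}).get("Enable")]
    if len(enabled) != 1:
        findings.append(f"exactly one login mechanism must be enabled, found {enabled}")
    if "Google" in enabled:
        g = login["Google"]
        if not str(g.get("ClientID", "")).endswith(".apps.googleusercontent.com"):
            findings.append("Google.ClientID does not look like a Google OAuth client ID")
        if g.get("ClientSecret") in PLACEHOLDER_SECRETS:
            findings.append("Google.ClientSecret is empty or a placeholder")
    if "OpenIDConnect" in enabled:
        o = login["OpenIDConnect"]
        if not str(o.get("Issuer", "")).startswith("https://"):
            findings.append("OpenIDConnect.Issuer must be an https:// URL")
        if o.get("ClientSecret") in PLACEHOLDER_SECRETS:
            findings.append("OpenIDConnect.ClientSecret is empty or a placeholder")
    if "LDAP" in enabled:
        ld = login["LDAP"]
        url = str(ld.get("URL", ""))
        # StartTLS is on by default; turning it off on ldap:// sends the bind
        # password and user credentials over the network in the clear.
        if url.startswith("ldap://") and ld.get("StartTLS", True) is False:
            findings.append("LDAP.URL is plain ldap:// and StartTLS is disabled")
        elif not url.startswith(("ldap://", "ldaps://")):
            findings.append("LDAP.URL must start with ldap:// or ldaps://")
        if ld.get("SearchBindUser") and ld.get("SearchBindPassword") in PLACEHOLDER_SECRETS:
            findings.append("LDAP.SearchBindPassword is empty or a placeholder")
        if not ld.get("SearchBase"):
            findings.append("LDAP.SearchBase is not set")
    return findings


# Constructed sample mirroring the LDAP snippet above, placeholder password included
SAMPLE_LOGIN = {
    "LDAP": {
        "Enable": True,
        "URL": "ldap://ldap.example.com:389",
        "SearchBindUser": "cn=lookupuser,dc=example,dc=com",
        "SearchBindPassword": "xxxxxxxx",
        "SearchBase": "ou=Users,dc=example,dc=com",
    },
}

if __name__ == "__main__":
    for finding in lint_login(SAMPLE_LOGIN):
        print("config.yml:", finding)
```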



The content of this documentation is licensed under the Creative Commons Attribution-Share Alike 3.0 United States licence.
Code samples in this documentation are licensed under the Apache License, Version 2.0.