cloudera-labs / cloudera.cluster

An Ansible collection for lifecycle and management of Cloudera CDP Private Cloud resources on bare metal, IaaS, and PaaS.
Apache License 2.0

ldap_type PAM is ignored, frontend_url is ignored, REFERER_CHECK is ignored #178

Closed hadoopch closed 6 months ago

hadoopch commented 6 months ago

Hi,

i set various cloudera_manager_options:

cloudera_manager_options:
  krb_auth_enable: true
  auth_backend_order: "DB_THEN_LDAP"
  authorization_backend_order: "EXTERNAL_AND_DB"
  ldap_type: PAM
  proxyuser_knox_groups: "*"
  proxyuser_knox_hosts: "*"
  proxyuser_knox_users: "*"
  REFERER_CHECK: false
  frontend_url: "https://{{haproxy_gw.domain}}:37180"

frontend-URL was not set. ldap_type PAM was ignored. Instead of that ldap_type LDAP was used. Referer_check was also ignored and false was set. In a former release at least ldap_type and frontend_url were working.

wmudge commented 6 months ago

Are you setting auth_provider in your definition? The task that executes the CM external auth setup (https://github.com/cloudera-labs/cloudera.cluster/blob/main/roles/cloudera_manager/external_auth/tasks/main.yml#L31-L37) only runs if that variable is set. The configs are then marshaled via this Jinja template: https://github.com/cloudera-labs/cloudera.cluster/blob/main/roles/cloudera_manager/external_auth/templates/external_auth_configs.j2

hadoopch commented 6 months ago

Hi wmudge,

My settings are

cloudera_manager_options:
  krb_auth_enable: true
  auth_backend_order: "DB_THEN_LDAP"
  authorization_backend_order: "EXTERNAL_AND_DB"
  ldap_type: PAM
  proxyuser_knox_groups: "*"
  proxyuser_knox_hosts: "*"
  proxyuser_knox_users: "*"
  REFERER_CHECK: false
  frontend_url: "https://{{haproxy_gw.domain}}:37180"

But the playbooks configure LDAP settings if I use the above mentioned configuration.

I just want to use PAM for cloudera manager - that means cloudera manager is using the users and groups from the OS.
I like this configuration because the underlying OS normally already has its own AD / LDAP configuration via SSSD. Then for CM you don't need to configure all this stuff again. This makes configuration very simple.
But for some reason it is not working. If I check the configuration history, you can see that the values were set at the beginning. But then frontend_url is deleted and PAM is replaced by LDAP and some LDAP settings are made.

Regards

Uli

wmudge commented 6 months ago

Try the following in your definition.yml:

cloudera_manager_options:
  KRB_AUTH_ENABLE: "true"
  REFERER_CHECK: "false"

frontend_url: "https://proxy.your.domain"

auth_providers:
  PAM:
    type: PAM

cloudera_manager_external_auth:
  provider: PAM
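
A small lint for a definition.yml that catches the two mistakes in this thread, as an added example that is not part of cloudera.cluster: it assumes the layout from the answer above (auth_providers, cloudera_manager_external_auth.provider, top-level frontend_url), treats lowercase ldap_type and frontend_url under cloudera_manager_options as ignored keys, and runs on a constructed dict instead of reading YAML.

```python
"""Lint a cloudera.cluster definition for auth settings that will not take effect.

Added example; the key layout is taken from this issue thread, not from the
collection's own code.  Input is a dict as PyYAML would produce from definition.yml.
"""

# Keys this thread shows being silently ignored under cloudera_manager_options,
# mapped to where the working configuration put them instead.
MISPLACED_UNDER_CM_OPTIONS = {
    "ldap_type": "auth_providers.<name>.type plus cloudera_manager_external_auth.provider",
    "frontend_url": "top-level frontend_url",
}


def lint_definition(defn: dict) -> list[tuple[str, str]]:
    """Return (code, message) findings; an empty list means nothing suspicious."""
    findings = []
    cm_opts = defn.get("cloudera_manager_options") or {}

    # 1. Settings that the external_auth role does not read from this block.
    for key, where in MISPLACED_UNDER_CM_OPTIONS.items():
        if key in cm_opts:
            findings.append((f"misplaced:{key}",
                             f"cloudera_manager_options.{key} is ignored; use {where}"))

    # 2. Without a provider the external auth task is skipped entirely,
    #    so the user may believe PAM is active when it is not.
    provider = (defn.get("cloudera_manager_external_auth") or {}).get("provider")
    providers = defn.get("auth_providers") or {}
    if provider is None:
        findings.append(("no-provider",
                         "cloudera_manager_external_auth.provider unset: external auth not configured"))
    elif provider not in providers:
        findings.append(("unknown-provider", f"auth_providers has no entry named {provider!r}"))

    # 3. REFERER_CHECK false (bool or quoted string) switches off Cloudera
    #    Manager's referer check, a CSRF mitigation; worth surfacing explicitly.
    if str(cm_opts.get("REFERER_CHECK", "true")).lower() == "false":
        findings.append(("referer-check-off", "REFERER_CHECK is disabled"))
    return findings


# Constructed inputs mirroring the two definitions posted in this thread.
IGNORED_LAYOUT = {"cloudera_manager_options": {
    "krb_auth_enable": True, "ldap_type": "PAM", "REFERER_CHECK": False,
    "frontend_url": "https://proxy.example.test:37180"}}
WORKING_LAYOUT = {
    "cloudera_manager_options": {"KRB_AUTH_ENABLE": "true", "REFERER_CHECK": "false"},
    "frontend_url": "https://proxy.example.test:37180",
    "auth_providers": {"PAM": {"type": "PAM"}},
    "cloudera_manager_external_auth": {"provider": "PAM"},
}
```

Run it against both layouts: the first yields four findings (two misplaced keys, no provider, referer check off), the second only the referer-check finding.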

hadoopch commented 6 months ago

@wmudge: Thanks a lot. I have a more or less working config now.

I finally set:

cloudera_manager_options:
  KRB_AUTH_ENABLE: true
  AUTH_BACKEND_ORDER: "DB_THEN_LDAP"
  proxyuser_knox_groups: "*"
  proxyuser_knox_users: "*"
  proxyuser_knox_hosts: "*"
  REFERER_CHECK: false
  CDPPC_REPO_URLS: "https://cdpsoft2.obs.{{ep_suffix}}/parcels/DS/1.5.2-h1"
  REMOTE_PARCEL_REPO_URLS: "https://cdpsoft2.obs.{{ep_suffix}}/parcels/DS/1.5.2-h1/parcels/"
  SESSION_TIMEOUT: 3600

frontend_url: "https://{{haproxy_gw.domain}}:37180"

auth_providers:
  PAM:
    type: PAM

cloudera_manager_external_auth:
  provider: PAM
  external_only: no
  external_first: no
      "name": "ldap_group_search_filter",
      "value": "(member={0})"

      "name": "ldap_user_search_filter",
      "value": "(sAMAccountName={0})"