dbeaver / cloudbeaver

Cloud Database Manager
https://dbeaver.com/
Apache License 2.0

Team name for CE & different teams per google group #2248

Closed kjee87 closed 7 months ago

kjee87 commented 10 months ago

Hello,

I have two questions related to teams:

Docker image: dbeaver/cloudbeaver:latest (CE version)

  1. I am trying to customize team names from initial-data.conf, but it seems like it is showing the default names (admin and user), not the names in the conf file that I am using. Am I missing something here?

initial-data.conf file that I am using:

```
{
  teams: [
    {
      subjectId: "admin",
      name: "test-admin",
      description: "Administrative access. Has all permissions.",
      permissions: [ "admin" ]
    },
    {
      subjectId: "user",
      name: "test-user",
      description: "All users, including anonymous.",
      permissions: [ ]
    }
  ]
}
```

This is what I can see in the UI:

[Screenshot 2023-12-20 at 1:35 PM]

  2. We are using a reverse proxy with Google SSO for auth. Is there a way to create different teams for different Google groups from the header using nginx/oauth? (Different Google groups would have different database connections, and I think this can be managed by "team" connection access in the CloudBeaver UI.)

Please let me know if you need any further information.

EvgeniaBzzz commented 10 months ago

Hi @kjee87! You found the right configuration file. First of all, initial-data.conf is used only for the initial start.

There are several ways to change it. However, all of them are a bit complex.

  1. Map the entire config folder, copying all configs. However, if a new config is added and the version is updated, your config will most likely disappear.
  2. Change the config in the Docker image. But if the image is updated, the changes will be lost.
  3. Build the image from source on your own, placing the correct config there.

We will answer the second question along with your previous nginx/oauth issue.

kjee87 commented 10 months ago

Hi @EvgeniaBzzz

Thank you for your response. I just want to ask in a bit more detail about your answers. In my Dockerfile, I am starting with the latest cloudbeaver image, followed by copying this "initial-data.conf" to /conf/initial-data.conf, and I see this conf file with whatever I changed... Am I still misunderstanding why this change is still lost...?

```dockerfile
FROM dbeaver/cloudbeaver:latest

WORKDIR /opt/cloudbeaver
COPY dbeaver/configs/initial-data.conf ./conf/initial-data.conf

COPY cloudbeaver/start.sh /start.sh
RUN chmod +x /start.sh
ENTRYPOINT ["/start.sh"]
```

alexander-skoblikov commented 10 months ago

@kjee87 What command do you run the image with? Do you use the same workspace every time? Data from initial-data.conf is used only at the time of the first connection to the database; if you use an old database with a new initial-data.conf, the data will not be overwritten.

kjee87 commented 10 months ago

@alexander-skoblikov I use the regular port-forwarding command to run the image: `docker run -d -ti -p 5555:80 {image name}`. I just dropped the schema & tables and re-ran the docker image, and it still went to the default "admin/user" names in the UI.

dariamarutkina commented 9 months ago

Hi @kjee87 !

  1. We added the ability to configure the reverse proxy header name and the redirect URL at logout. Admin will now be able to configure all settings in .cloudbeaver.runtime. The team name is in the X-Role header. Is your question about default team names still relevant?

alexander-skoblikov commented 9 months ago

@kjee87 I researched the problem. Migration is used, but in the examples we have an outdated format: the team name must be specified using the `teamName` field instead of `name`. We will update the examples and documentation soon.

kjee87 commented 9 months ago

Hello,

Thank you for this release!

I tested this most recent docker image (ver 23.3.4) and I was able to call the oauth proxy sign_out endpoint (/oauth2/sign_out) to expire the cookie when the logout button was clicked. But once the logout was done, it displays a signed-out page where you can input a local login username/password. All users going through the reverse proxy have the "user" role, and I am passing the admin username/password in the .cloudbeaver.auto.conf file in the docker image. But when I give the admin username/password on the signed-out page, it blocked me from logging in as admin. How can I log in locally with the admin username/password here?

Also, once the oauth proxy cookie expires, when I refreshed the page it kept showing the GQL sign-in error, which cannot be resolved until clearing browser history, which then triggers the oauth sign-in page. Is this something where I am missing some other reverse proxy configuration on the cloudbeaver side...?

EvgeniaBzzz commented 8 months ago

@kjee87 What do you have in .cloudbeaver.auto.conf and how do you configure reverseProxy?

We fixed the issue with default teams, now you can pre-configure them. Please, check it out in 23.3.5.

kjee87 commented 8 months ago

Hello,

This is my setting in .cloudbeaver.auto.conf:

```
CB_SERVER_NAME = cloudbeaver test
CB_SERVER_URL = cloudbeaver_host_url
CB_ADMIN_NAME = CB_ADMIN_NAME
CB_ADMIN_PASSWORD = CB_ADMIN_PASSWORD
```

reverseProxy - nginx:

```nginx
server {
    listen 80;
    server_name localhost;

    location /oauth2/ {
        proxy_pass http://127.0.0.1:4180;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_set_header X-Auth-Request-Redirect $request_uri;
        # or, if you are handling multiple domains:
        # proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
    }

    location = /oauth2/auth {
        proxy_pass http://127.0.0.1:4180;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        # nginx auth_request includes headers but not body
        proxy_set_header Content-Length "";
        proxy_pass_request_body off;
    }

    location / {
        auth_request /oauth2/auth;
        error_page 401 = /oauth2/sign_in;

        # pass information via X-User and X-Email headers to backend,
        # requires running with --set-xauthrequest flag
        auth_request_set $user  $upstream_http_x_auth_request_user;
        auth_request_set $email $upstream_http_x_auth_request_email;
        auth_request_set $role  $upstream_http_x_auth_request_role;
        proxy_set_header X-User $email;
        proxy_set_header X-Role user;

        # if you enabled --pass-access-token, this will pass the token to the backend
        auth_request_set $token $upstream_http_x_auth_request_access_token;
        proxy_set_header X-Access-Token $token;

        # if you enabled --cookie-refresh, this is needed for it to work with auth_request
        auth_request_set $auth_cookie $upstream_http_set_cookie;
        add_header Set-Cookie $auth_cookie;

        # When using the --set-authorization-header flag, some provider's cookies can exceed the 4kb
        # limit and so the OAuth2 Proxy splits these into multiple parts.
        # Nginx normally only copies the first `Set-Cookie` header from the auth_request to the response,
        # so if your cookies are larger than 4kb, you will need to extract additional cookies manually.
        auth_request_set $auth_cookie_name_upstream_1 $upstream_cookie_auth_cookie_name_1;

        # Extract the Cookie attributes from the first Set-Cookie header and append them
        # to the second part ($upstream_cookie_* variables only contain the raw cookie content)
        if ($auth_cookie ~* "(; .*)") {
            set $auth_cookie_name_0 $auth_cookie;
            set $auth_cookie_name_1 "auth_cookie_name_1=$auth_cookie_name_upstream_1$1";
        }

        # Send both Set-Cookie headers now if there was a second part
        if ($auth_cookie_name_upstream_1) {
            add_header Set-Cookie $auth_cookie_name_0;
            add_header Set-Cookie $auth_cookie_name_1;
        }

        # cloudbeaver header
        proxy_pass http://localhost:8978;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

.cloudbeaver.runtime.conf:

```
app: {
  ...
  authConfigurations: [
    {
      id: reverseProxy,
      provider: reverseProxy,
      displayName: X-User,
      disabled: false,
      iconURL: "",
      description: "",
      parameters: {
        logout-url: https://cloudbeaver_host_url/oauth2/sign_out,
        user-header: X-User,
        team-header: X-Role,
        team-delimiter: "",
        first-name-header: "",
        last-name-header: ""
      }
    }
  ]
}
```

I also added these in the .cloudbeaver.runtime.conf as well:

```
defaultAuthProvider: "reverseProxy",
enabledAuthProviders: [ "local", "reverseProxy" ],
```

EvgeniaBzzz commented 8 months ago

Please check that .cloudbeaver.auto.conf is in the same folder as .cloudbeaver.conf. Also, do not use 'admin' or other team names as your username. Can you log in with envs on the docker command line? Like `-e CB_SERVER_NAME=cloudbeaver -e CB_SERVER_URL=cloudbeaver_host_url -e CB_ADMIN_NAME=CB_ADMIN_NAME -e CB_ADMIN_PASSWORD=CB_ADMIN_PASSWORD`

Change X-Role to X-Team. Now X-Team is responsible for assigning teams (to avoid name confusion). And just in case, put the proxy settings in quotes. Like:

          {
            "id": "reverseProxy",
            "provider": "reverseProxy",
            "displayName": "Reverse Proxy",
            "disabled": false,
            "iconURL": "",
            "description": "Automatically created provider after changing Reverse Proxy configuration way in 23.3.4 version",
            "parameters": {
              "first-name-header": "X-First-name",
              "user-header": "X-User",
              "team-header": "X-Team",
              "last-name-header": "X-Last-name",
              "logout-url": "https://www.google.com/"
            }
          }
        ]

Regarding your question about the oauth proxy cookie expiring: try to set the same lifetime for the application and oauth.
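
Pulling together EvgeniaBzzz's three override options, alexander-skoblikov's note that the field is `teamName`, and the X-Role to X-Team change, here is an added example; it is not code from the CloudBeaver project or from anyone in this thread. It writes a conf directory that can be bind-mounted over /opt/cloudbeaver/conf (option 1 above), a quoted reverseProxy provider block, and an nginx `location /` that sets every header the provider is told to trust, then lints the pair. The security point it enforces: CloudBeaver believes whatever arrives in X-User and X-Team, and nginx's `proxy_set_header` replaces a client-supplied header of the same name, so a trusted header the proxy does not set itself is one the browser can supply. Assumptions not in the thread: oauth2-proxy run with `--set-xauthrequest` exposes group membership as a comma-separated `X-Auth-Request-Groups` header (this is how the Google-groups-to-teams question could be wired); the `cloudbeaver_host_url` placeholder and all file paths are made up; the runtime conf's location on disk is not shown here.

```shell
#!/bin/sh
# Added example; not the CloudBeaver project's code nor anything posted in this thread.
# Writes a conf directory to bind-mount over /opt/cloudbeaver/conf (option 1 above),
# a reverseProxy provider block, and an nginx location that sets EVERY header the
# provider trusts, then lints the pair. Assumption (not in the thread): oauth2-proxy
# with --set-xauthrequest exposes group membership as X-Auth-Request-Groups.
set -eu

# initial-data.conf using teamName (the field alexander-skoblikov names), not name.
write_initial_data() {
  mkdir -p "$1"
  cat >"$1/initial-data.conf" <<'EOF'
{
  teams: [
    { subjectId: "admin", teamName: "test-admin",
      description: "Administrative access. Has all permissions.", permissions: [ "admin" ] },
    { subjectId: "user", teamName: "test-user",
      description: "All users, including anonymous.", permissions: [ ] }
  ]
}
EOF
}

# Provider block with quoted values, as EvgeniaBzzz recommends; nesting under "app"
# follows the fragments kjee87 posted. Where this file lives is not shown in the thread.
write_runtime_conf() {
  mkdir -p "$1"
  cat >"$1/.cloudbeaver.runtime.conf" <<'EOF'
{
  "app": {
    "defaultAuthProvider": "reverseProxy",
    "enabledAuthProviders": [ "local", "reverseProxy" ],
    "authConfigurations": [ {
      "id": "reverseProxy", "provider": "reverseProxy",
      "displayName": "Reverse Proxy", "disabled": false,
      "parameters": {
        "user-header": "X-User",
        "team-header": "X-Team",
        "team-delimiter": ",",
        "first-name-header": "X-First-name",
        "last-name-header": "X-Last-name",
        "logout-url": "https://cloudbeaver_host_url/oauth2/sign_out"
      }
    } ]
  }
}
EOF
}

# proxy_set_header REPLACES any same-named header the client sent, so setting all
# four trusted headers is what keeps a browser's "X-Team: admin" out of the backend.
# X-Team carries oauth2-proxy's comma-separated groups, hence "team-delimiter": ",".
write_nginx_location() {
  mkdir -p "$1"
  cat >"$1/$2" <<'EOF'
location / {
    auth_request /oauth2/auth;
    error_page 401 = /oauth2/sign_in;
    auth_request_set $email  $upstream_http_x_auth_request_email;
    auth_request_set $groups $upstream_http_x_auth_request_groups;
    proxy_set_header X-User       $email;
    proxy_set_header X-Team       $groups;
    proxy_set_header X-First-name "";
    proxy_set_header X-Last-name  "";
    proxy_pass http://localhost:8978;
}
EOF
}

# Failure mode: team-header renamed to X-Team in the runtime conf, but nginx still
# only sets X-User. A client-sent "X-Team: admin" would reach CloudBeaver untouched.
write_nginx_location_unsafe() {
  mkdir -p "$1"
  cat >"$1/$2" <<'EOF'
location / {
    auth_request /oauth2/auth;
    auth_request_set $email $upstream_http_x_auth_request_email;
    proxy_set_header X-User $email;
    proxy_pass http://localhost:8978;
}
EOF
}

# Lint: every non-empty *-header parameter in the runtime conf must be set via
# proxy_set_header in the nginx location. Prints each header left to the client
# and returns 1 if there is any.
check_trusted_headers() {
  rc=0
  for h in $(sed -n 's/.*"[a-z-]*-header": *"\([^"]*\)".*/\1/p' "$1"); do
    grep -q "proxy_set_header[[:space:]][[:space:]]*$h[[:space:]]" "$2" \
      || { echo "client-controlled (not set by proxy): $h"; rc=1; }
  done
  return $rc
}

# Usage: sh cb-conf.sh ./cb-conf ; then run with -v "$PWD/cb-conf:/opt/cloudbeaver/conf"
if [ -n "${1:-}" ]; then
  write_initial_data "$1"; write_runtime_conf "$1"
  write_nginx_location "$1" cloudbeaver-location.conf
  check_trusted_headers "$1/.cloudbeaver.runtime.conf" "$1/cloudbeaver-location.conf"
fi
```

As alexander-skoblikov says above, initial-data.conf is only read on the first start against a fresh workspace, so the generated file changes nothing for an existing database. The lint expects the quoted key style EvgeniaBzzz recommends; the unquoted form kjee87 posted would not match its pattern.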

EvgeniaBzzz commented 7 months ago

Hi @kjee87! Are any issues here still relevant?

EvgeniaBzzz commented 7 months ago

Please feel free to ask to reopen the ticket if it is still relevant for you.