Extending Rancher Auth-Service for new providers

Our team is currently looking to use Rancher for a Docker container orchestration solution, and one the things I’m looking to do is try setting up Access Control on the Rancher server using a provider that isn’t supported by Rancher at the moment (this being Fiware Lab which can be an OAuth provider).

Rancher seems to handles authentication in a separate Golang service, and according to the wiki this could be extended to allow for a new provider for authentication beyond GitHub and shibboleth. What I’m confused about however is how I could then deploy my extended service with the Rancher Server. Is it possible to just run the extended service without having to effectively build a new Docker image for Rancher Server?

It is an external service mainly to make it easier for us to develop additional providers, and to pull that code out of the Cattle core (the migration of which is on-going, only Github is moved and Shibboleth was added as a new one only into the Golang one).

While it is possible, this is not currently a general public plugin point. There is not any formal way to register your own provider, get that into the server container, provide UI to configure it, or log into it once configured.

Thanks for the reply.

So then if we really wanted to add support for a provider we would need to extend the service ourselves, and build our own Rancher Server image using our extended auth-service in place of the current one, is that correct? Or is it more complicated than that, and we are going down a path that could turn out problematic in the future? ^^

That is correct, plus change the UI to support configuring and logging in with it.

One last question (hopefully): how is the rancher server image built? Is it done from the cattle repo Dockerfiles, or from the rancher repo?