I was trying to setup the catalog entry “openvpn HTTP Basic” and i was wondering if there is any way to use rancher authentication mechanism to authentify against ?
Using the api we were able to authenticate in a given environment using APIs keys, but this is not very handy and i would like to recycle the usernames and password used in rancher. Thus, if you give a user access to the rancher UI, you give it access to the internal VPN. That makes sense (at least for my needs).
If possible then what happen if you have setup a github authentication ? an ldap authentication ?
If you just want to check it out before it is merged you can install an openvpn-httpbasic stack then upgrade using the gui and change to docker hub image missionmode/rancher-openvpn:latest and change the AUTH_METHOD variable:
It looks like this is only authenticating that you have an account, not that your account is a member of the particular Environment (project in the API) that the VPN stack is running in.
Yes ! It would be nice indeed to have the choice of restricting users that have an access to current env (and why not with a minimal role like user/operator/owner …)
Thanxs all for the work. The restriction feature could be very interresting indeed but for our needs the 1st step is already a big one.
Another idea could be to check if it’s possible to leverage on rancher SSO with github or Active Directory (but if you go AD you already have another backend so maybe not usefull).
I will try to look through the code for that point.
@AlexisDucastel, if you push a new version for the catalog, could you make the text hint for the URL have the /v1/token postfix? Right now if someone uses that catalog entry they will likely leave that part off.
Even better, I suppose making the localrancher function in the python code deal with either case would be even better user experience. If you think so, I can add that bit. Let me know.
@sra , in fact, the hint doesn’t expose the /v1/token postfix because i’ve written it the hard way in the docker-compose.yml (docker-compose on github at line 15)
It would be great to get the ability to choose a right level for accessing vpn, like :
account = user must have a valid account in Rancher API
readonly = user must have a valid account and a role “readonly” or greater in current VPN environment
restricted =user must have a valid account and a role “restricted” or greater in current VPN environment
member = user must have a valid account and a role “member” or greater in current VPN environment
owner = user must have a valid account and a role “owner” in current VPN environment
Does it make sense ?
Furthermode, @vincent is there a way to discover current VPN environment identifier via metadata api ? (169.254.169.250)
And finally, is there a way to hit the rancher api through the rancher managed network (like metadata api), in order to remove the need to declare rancher api URL ?
Yes, I know, it’s a lot of questions in one post !! sorry about that
Oh! Clever. I didn’t notice that the URL was completed in the compose file - that is a better way of doing it.
I think that the different types of account could be done fairly easily - the return value of the POST to /v1/token has a JSON object that has a bunch of information about the account. This stuff might have what is needed. I only have access to a localauthconfig version of rancher, but you can check it out with your own.
I looked through the metadata available using curl rancher-metadata/latest and there isn’t any entry that shows the URL of the server that is managing it.
Then you will get CATTLE_URL, CATTLE_ACCESS_KEY, and CATTLE_SECRET_KEY environment variables inside the container(s) which you can use to hit the API (as the environment you are running in, and with access to only it) to make any calls you want.
