From e19d42b19097e02506c44b291aee37e4123d9877 Mon Sep 17 00:00:00 2001
From: Swann Croiset
Date: Tue, 28 Jun 2016 12:36:55 +0200
Subject: [PATCH] Implement LDAP integration for Kibana
Implement-blueprint: ldap-integration-in-stacklight
Change-Id: I838c84333feab7828adda0dfc731a8582287f83d
---
.../puppet/manifests/firewall.pp | 10 +
.../puppet/manifests/haproxy.pp | 32 ++++
.../puppet/manifests/hiera_override.pp | 49 ++++-
deployment_scripts/puppet/manifests/kibana.pp | 29 ++-
.../manifests/kibana_authentication.pp | 69 ++++++-
...ng_analytics_kibana_authentication_spec.rb | 117 +++++++++++-
.../templates/apache_kibana_proxy.conf.erb | 22 ++-
.../apache_kibana_proxy_viewer.conf.erb | 56 ++++++
environment_config.yaml | 174 ++++++++++++++++++
9 files changed, 532 insertions(+), 26 deletions(-)
create mode 100644 deployment_scripts/puppet/modules/lma_logging_analytics/templates/apache_kibana_proxy_viewer.conf.erb
diff --git a/deployment_scripts/puppet/manifests/firewall.pp b/deployment_scripts/puppet/manifests/firewall.pp
index 91582f2..12246c8 100644
--- a/deployment_scripts/puppet/manifests/firewall.pp
+++ b/deployment_scripts/puppet/manifests/firewall.pp
@@ -14,6 +14,8 @@ notice('fuel-plugin-elasticsearch-kibana: firewall.pp')
+$authnz = hiera_hash('lma::kibana::authnz') + class {'::firewall':} firewall { '000 accept all icmp requests':
@@ -80,6 +82,14 @@ firewall { '101 proxy-kibana':
action => 'accept', } +if $authnz['ldap_authorization_enabled'] { firewall { '101 proxy-kibana-viewer': port => hiera('lma::elasticsearch::kibana_frontend_viewer_port'), proto => 'tcp', action => 'accept', } +} + firewall { '999 drop all other requests': proto => 'all', chain => 'INPUT',
diff --git a/deployment_scripts/puppet/manifests/haproxy.pp b/deployment_scripts/puppet/manifests/haproxy.pp
index f8a3a44..ebc1e57 100644
--- a/deployment_scripts/puppet/manifests/haproxy.pp
+++ b/deployment_scripts/puppet/manifests/haproxy.pp
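Review bot: The `'101 proxy-kibana-viewer'` rule is keyed on `$authnz['ldap_authorization_enabled']` alone, whereas haproxy.pp in this same patch only creates the `kibana-viewer` listener when `ldap_enabled and ldap_authorization_enabled`, so a deployment with the authorization checkbox left on but LDAP switched off opens `kibana_frontend_viewer_port` on every node with nothing listening behind it. Aligning the guard keeps the firewall as tight as the service it fronts: `if $authnz['ldap_enabled'] and $authnz['ldap_authorization_enabled'] {`. Both booleans are written unconditionally into the `lma::kibana::authnz` hash by hiera_override.pp, so the extra key lookup is safe.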
@@ -16,7 +16,9 @@ notice('fuel-plugin-elasticsearch-kibana: haproxy.pp') $es_port = hiera('lma::elasticsearch::rest_port') $kibana_backend_port = hiera('lma::elasticsearch::apache_port') +$kibana_backend_viewer_port = hiera('lma::elasticsearch::apache_viewer_port') $kibana_frontend_port = hiera('lma::elasticsearch::kibana_frontend_port') +$kibana_frontend_viewer_port = hiera('lma::elasticsearch::kibana_frontend_viewer_port') $vip = hiera('lma::elasticsearch::vip') $nodes_ips = hiera('lma::elasticsearch::nodes') @@ -45,6 +47,7 @@ openstack::ha::haproxy_service { $es_haproxy_service: } $kibana_tls = hiera_hash('lma::kibana::tls') +$authnz = hiera_hash('lma::kibana::authnz') if $kibana_tls['enabled'] { openstack::ha::haproxy_service { 'kibana': order => '921', @@ -59,6 +62,22 @@ if $kibana_tls['enabled'] { 'mode' => 'http', }, } + if $authnz['ldap_enabled'] and $authnz['ldap_authorization_enabled'] { + openstack::ha::haproxy_service { 'kibana-viewer': + order => '922', + internal_ssl => true, + internal_ssl_path => $kibana_tls['cert_file_path'], + listen_port => $kibana_frontend_viewer_port, + balancermember_port => $kibana_backend_viewer_port, + balancermember_options => 'check inter 10s fastinter 2s downinter 3s rise 3 fall 3', + haproxy_config_options => { + 'option' => ['httplog', 'http-keep-alive', 'prefer-last-server', 'dontlog-normal'], + 'balance' => 'roundrobin', + 'mode' => 'http', + }, + } + } + } else { openstack::ha::haproxy_service { 'kibana': order => '921', 
@@ -71,4 +90,17 @@ if $kibana_tls['enabled'] { 'mode' => 'http', } } + if $authnz['ldap_enabled'] and $authnz['ldap_authorization_enabled'] { + openstack::ha::haproxy_service { 'kibana-viewer': + order => '922', + listen_port => $kibana_frontend_viewer_port, + balancermember_port => $kibana_backend_viewer_port, + balancermember_options => 'check inter 10s fastinter 2s downinter 3s rise 3 fall 3', + haproxy_config_options => { + 'option' => ['httplog', 'http-keep-alive', 'prefer-last-server', 'dontlog-normal'], + 'balance' => 'roundrobin', + 'mode' => 'http', + } + } + } } diff --git a/deployment_scripts/puppet/manifests/hiera_override.pp b/deployment_scripts/puppet/manifests/hiera_override.pp index e7604a3..316ff9b 100644 --- a/deployment_scripts/puppet/manifests/hiera_override.pp +++ b/deployment_scripts/puppet/manifests/hiera_override.pp 
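Review bot: The `kibana-viewer` service body is copied verbatim between the TLS and non-TLS branches (only the `internal_ssl*` keys differ), which is the kind of duplication a later change to the health-check string or the balancing options will miss on one side. Hoisting the shared parts above the `if` — e.g. `$viewer_check = 'check inter 10s fastinter 2s downinter 3s rise 3 fall 3'` and a `$viewer_options` hash holding the three `haproxy_config_options` entries — and referencing them from both declarations leaves one place to edit. Worth a line in the plugin docs now that directory passwords are involved: on this non-TLS branch the viewer listener, like the existing `kibana` one, terminates plain HTTP, so the Basic-auth credentials that Apache will now check against LDAP cross the network in cleartext whenever TLS is left disabled.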
@@ -90,7 +90,29 @@ if $tls_enabled { content => $elasticsearch_kibana['kibana_ssl_cert']['content'], require => File[$cert_dir] } +} +$ldap_enabled = $elasticsearch_kibana['ldap_enabled'] or false +$ldap_protocol = $elasticsearch_kibana['ldap_protocol'] +$ldap_servers = split($elasticsearch_kibana['ldap_servers'], '\s+') +$ldap_bind_dn = $elasticsearch_kibana['ldap_bind_dn'] +$ldap_bind_password = $elasticsearch_kibana['ldap_bind_password'] +$ldap_user_search_base_dns = $elasticsearch_kibana['ldap_user_search_base_dns'] +$ldap_user_search_filter = $elasticsearch_kibana['ldap_user_search_filter'] +$ldap_user_attribute = $elasticsearch_kibana['ldap_user_attribute'] +$ldap_authorization_enabled = $elasticsearch_kibana['ldap_authorization_enabled'] or false +$ldap_group_attribute = $elasticsearch_kibana['ldap_group_attribute'] +$ldap_admin_group_dn = $elasticsearch_kibana['ldap_admin_group_dn'] +$ldap_viewer_group_dn = $elasticsearch_kibana['ldap_viewer_group_dn'] + +if empty($elasticsearch_kibana['ldap_server_port']) { + if downcase($ldap_protocol) == 'ldap' { + $ldap_port = 389 + } else { + $ldap_port = 636 + } +} else { + $ldap_port = $elasticsearch_kibana['ldap_server_port'] } $calculated_content = inline_template(' @@ -102,7 +124,9 @@ lma::elasticsearch::vip: <%= @vip %> lma::elasticsearch::es_haproxy_service: elasticsearch-rest lma::elasticsearch::listen_address: <%= @listen_address%> lma::elasticsearch::kibana_frontend_port: 80 +lma::elasticsearch::kibana_frontend_viewer_port: 81 lma::elasticsearch::apache_port: 80 +lma::elasticsearch::apache_viewer_port: 81 lma::elasticsearch::kibana_port: 5601 lma::elasticsearch::kibana_index: .kibana lma::elasticsearch::rest_port: 9200 
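Review bot: `$ldap_port` is taken straight from the settings string when `ldap_server_port` is not empty, and the only guard on it is the UI regex `^\d{0,5}$` in environment_config.yaml, which still admits `0` and anything up to `99999`; the consuming class later only checks `if ! $ldap_port`. This manifest already relies on stdlib (`empty`), so a range check right after the `if`/`else` fails the deployment early with a clear message: `validate_integer($ldap_port, 65535, 1)`. Similarly, `split($elasticsearch_kibana['ldap_servers'], '\s+')` yields an empty first element if the value ever starts with whitespace, which later becomes an `ldap://:389/...` entry; `split(strip($elasticsearch_kibana['ldap_servers']), '\s+')` avoids that without trusting the UI regex as the sole validator.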
@@ -128,8 +152,29 @@ lma::kibana::tls: hostname: <%= @kibana_hostname %> cert_file_path: <%= @cert_file_path %> <% end -%> -lma::kibana::username: <%= @elasticsearch_kibana["kibana_username"] %> -lma::kibana::password: <%= @elasticsearch_kibana["kibana_password"] %> +lma::kibana::authnz: + username: <%= @elasticsearch_kibana["kibana_username"] %> + password: <%= @elasticsearch_kibana["kibana_password"] %> + ldap_enabled: <%= @ldap_enabled %> + ldap_authorization_enabled: <%= @ldap_authorization_enabled %> +<% if @ldap_enabled -%> + ldap_servers: +<% @ldap_servers.each do |s| -%> + - "<%= s %>" +<% end -%> + ldap_protocol: <%= @ldap_protocol %> + ldap_port: <%= @ldap_port %> + ldap_bind_dn: <%= @ldap_bind_dn %> + ldap_bind_password: <%= @ldap_bind_password %> + ldap_user_search_base_dns: <%= @ldap_user_search_base_dns %> + ldap_user_attribute: <%= @ldap_user_attribute %> + ldap_user_search_filter: <%= @ldap_user_search_filter %> + ldap_group_attribute: <%= @ldap_group_attribute %> +<% if @ldap_authorization_enabled -%> + ldap_admin_group_dn: <%= @ldap_admin_group_dn %> + ldap_viewer_group_dn: <%= @ldap_viewer_group_dn %> +<% end -%> +<% end -%> ') file { $hiera_file: diff --git a/deployment_scripts/puppet/manifests/kibana.pp b/deployment_scripts/puppet/manifests/kibana.pp index 037e745..f1a480d 100644 --- a/deployment_scripts/puppet/manifests/kibana.pp +++ b/deployment_scripts/puppet/manifests/kibana.pp 
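Review bot: `ldap_bind_password: <%= @ldap_bind_password %>` (and the existing `password:`) is rendered into the hiera YAML as a bare plain scalar, so a password containing `: ` or ` #`, or starting with `*`, `&`, `!`, `%`, `@` or a quote, is either a YAML parse error or silently changes value before it reaches Apache. Emitting it as a quoted scalar covers the common cases, e.g. `ldap_bind_password: <%= @ldap_bind_password.inspect %>` (Ruby's double-quoted form escapes `"` and `\`), and the same treatment suits `ldap_user_search_filter`, whose default `(objectClass=*)` happens to be safe but which is free-form. This template now writes an LDAP bind secret into `$hiera_file`; the `file { $hiera_file:` resource consuming `$calculated_content` starts after this hunk, so I could not confirm its `mode`/`owner` — it should be root-only (0600) if it is not already.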
@@ -22,12 +22,27 @@ class { 'lma_logging_analytics::kibana': version => '4.5.1', } +$authnz = hiera_hash('lma::kibana::authnz') class { 'lma_logging_analytics::kibana_authentication': - listen_address => hiera('lma::elasticsearch::listen_address'), - listen_port => hiera('lma::elasticsearch::apache_port'), - kibana_address => '127.0.0.1', - kibana_port => hiera('lma::elasticsearch::kibana_port'), - username => hiera('lma::kibana::username'), - password => hiera('lma::kibana::password'), - require => Class[lma_logging_analytics::kibana], + listen_address => hiera('lma::elasticsearch::listen_address'), + listen_port => hiera('lma::elasticsearch::apache_port'), + kibana_address => '127.0.0.1', + kibana_port => hiera('lma::elasticsearch::kibana_port'), + username => $authnz['username'], + password => $authnz['password'], + ldap_enabled => $authnz['ldap_enabled'], + ldap_protocol => $authnz['ldap_protocol'], + ldap_port => $authnz['ldap_port'], + ldap_servers => $authnz['ldap_servers'], + ldap_bind_dn => $authnz['ldap_bind_dn'], + ldap_bind_password => $authnz['ldap_bind_password'], + ldap_user_search_base_dns => $authnz['ldap_user_search_base_dns'], + ldap_user_search_filter => $authnz['ldap_user_search_filter'], + ldap_user_attribute => $authnz['ldap_user_attribute'], + ldap_authorization_enabled => $authnz['ldap_authorization_enabled'], + listen_port_viewer => hiera('lma::elasticsearch::apache_viewer_port'), + ldap_group_attribute => $authnz['ldap_group_attribute'], + ldap_admin_group_dn => $authnz['ldap_admin_group_dn'], + ldap_viewer_group_dn => $authnz['ldap_viewer_group_dn'], + require => Class[lma_logging_analytics::kibana], } diff --git a/deployment_scripts/puppet/modules/lma_logging_analytics/manifests/kibana_authentication.pp b/deployment_scripts/puppet/modules/lma_logging_analytics/manifests/kibana_authentication.pp index efb5701..5c1a039 100644 --- a/deployment_scripts/puppet/modules/lma_logging_analytics/manifests/kibana_authentication.pp 
+++ b/deployment_scripts/puppet/modules/lma_logging_analytics/manifests/kibana_authentication.pp 
@@ -21,12 +21,59 @@ class lma_logging_analytics::kibana_authentication ( $kibana_address, $username, $password, + $ldap_enabled = false, + $ldap_protocol = undef, + $ldap_servers = [], + $ldap_port = undef, + $ldap_bind_dn = undef, + $ldap_bind_password = undef, + $ldap_user_search_base_dns = undef, + $ldap_user_search_filter = undef, + $ldap_user_attribute = undef, + $ldap_authorization_enabled = false, + $listen_port_viewer = undef, + $ldap_group_attribute = undef, + $ldap_admin_group_dn = undef, + $ldap_viewer_group_dn = undef, ) { include lma_logging_analytics::params - $apache_modules = ['proxy', 'proxy_http', 'rewrite', - 'authn_file', 'auth_basic', 'authz_user'] + validate_integer($listen_port) + validate_integer($kibana_port) + + $default_apache_modules = ['proxy', 'proxy_http', 'rewrite', + 'authn_file', 'auth_basic', 'authz_user'] + + if $ldap_enabled { + if empty($ldap_servers) { + fail('ldap_servers list parameter is empty') + } + if ! $ldap_port { fail('Missing ldap_port parameter')} + if ! $ldap_protocol { fail('Missing ldap_protocol parameter')} + if ! $ldap_bind_dn { fail('Missing ldap_bind_dn parameter')} + if ! $ldap_bind_password { fail('Missing ldap_bind_password parameter')} + if ! $ldap_user_search_base_dns { fail('Missing ldap_user_search_base_dns parameter')} + if ! $ldap_user_search_filter { fail('Missing ldap_user_search_filter parameter')} + if ! $ldap_user_attribute { fail('Missing ldap_user_attribute parameter')} + + if $ldap_authorization_enabled { + if ! $ldap_group_attribute {fail('Missing ldap_group_attribute parameter')} + if ! $ldap_admin_group_dn {fail('Missing ldap_admin_group_dn parameter')} + if ! $ldap_viewer_group_dn {fail('Missing ldap_viewer_group_dn parameter')} + if ! 
$listen_port_viewer {fail('Missing listen_port_viewer parameter')} + + validate_integer($listen_port_viewer) + } + $apache_modules = concat($default_apache_modules, ['ldap', 'authnz_ldap']) + + # LDAP url is used by apache::custom_config + $ldap_urls = suffix($ldap_servers, ":${ldap_port}/${ldap_user_search_base_dns}?${ldap_user_attribute}?sub?${ldap_user_search_filter}") + + $ldap_url = join($ldap_urls, ' ') + } else { + $apache_modules = $default_apache_modules + } ## Configure apache class { 'apache': @@ -55,8 +102,20 @@ class lma_logging_analytics::kibana_authentication ( require => Class[Apache], } - apache::custom_config { 'kibana-proxy': - content => template('lma_logging_analytics/apache_kibana_proxy.conf.erb'), - require => [Class['apache'], File[$htpasswd_file]], + if $ldap_authorization_enabled { + apache::custom_config { 'kibana-proxy': + content => template('lma_logging_analytics/apache_kibana_proxy.conf.erb'), + require => [Class['apache'], File[$htpasswd_file]], + } + apache::listen { "${listen_address}:${listen_port_viewer}": } + apache::custom_config { 'kibana-proxy-viewer': + content => template('lma_logging_analytics/apache_kibana_proxy_viewer.conf.erb'), + require => [Class['apache'], File[$htpasswd_file]], + } + } else { + apache::custom_config { 'kibana-proxy': + content => template('lma_logging_analytics/apache_kibana_proxy.conf.erb'), + require => [Class['apache'], File[$htpasswd_file]], + } } } diff --git a/deployment_scripts/puppet/modules/lma_logging_analytics/spec/classes/lma_logging_analytics_kibana_authentication_spec.rb b/deployment_scripts/puppet/modules/lma_logging_analytics/spec/classes/lma_logging_analytics_kibana_authentication_spec.rb index b6d1f1c..f3c1f5b 100644 --- a/deployment_scripts/puppet/modules/lma_logging_analytics/spec/classes/lma_logging_analytics_kibana_authentication_spec.rb +++ b/deployment_scripts/puppet/modules/lma_logging_analytics/spec/classes/lma_logging_analytics_kibana_authentication_spec.rb 
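Review bot: The `$ldap_urls`/`$ldap_url` construction does not produce the multi-server form that Apache's `AuthLDAPURL` accepts: each server is suffixed with the full `:port/base?attr?sub?filter` tail and the entries are then joined with a space, so with two servers the template emits `ldap://srv1:389/base?uid?sub?(f) srv2:389/base?uid?sub?(f)` and the second entry lands inside the filter of the first. mod_authnz_ldap documents redundant servers as one scheme followed by space-separated hosts before the path (the port given once, after the host list, if I read the apr URL parser correctly), so build the host list once: `$ldap_url = "${join($ldap_servers, ' ')}:${ldap_port}/${ldap_user_search_base_dns}?${ldap_user_attribute}?sub?${ldap_user_search_filter}"`. Independently, `$ldap_user_search_filter` is interpolated verbatim and a filter containing `?` or whitespace would corrupt the URL the same way, so either validate it here or document the restriction. This hunk ends inside the class body, which continues in the next hunk.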
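Review bot: The viewer resources are guarded by `$ldap_authorization_enabled` alone, but the checks that make them usable (`fail('Missing listen_port_viewer parameter')`, `validate_integer($listen_port_viewer)`) only run under `$ldap_enabled`, so `ldap_authorization_enabled => true` with `ldap_enabled => false` declares `apache::listen { "${listen_address}:": }` with an undef port and a viewer vhost that contains no LDAP directives at all. Use `if $ldap_enabled and $ldap_authorization_enabled {` here so the guard matches the validation. The `kibana-proxy` declaration is byte-identical in both branches; declaring it once before the `if` and keeping only `apache::listen` and `kibana-proxy-viewer` conditional removes the duplication.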
@@ -20,18 +20,115 @@ describe 'lma_logging_analytics::kibana_authentication' do :concat_basedir => '/foo' } end - let(:params) do - {:listen_address => '127.0.0.1', :listen_port => 80, - :kibana_address => '127.0.0.1', :kibana_port => 5106, - :username => 'foouser', :password => 'foopass' + describe 'default parameters' do + let(:params) do + {:listen_address => '127.0.0.1', :listen_port => 80, + :kibana_address => '127.0.0.1', :kibana_port => 5106, + :username => 'foouser', :password => 'foopass' + } + end + + it { + should contain_class('apache') + should contain_apache__custom_config('kibana-proxy') + should contain_htpasswd('foouser') + should contain_file('/etc/apache2/kibana.htpasswd') + } + end + describe 'ldap parameters' do + let(:params) do + {:listen_address => '127.0.0.1', :listen_port => 80, + :kibana_address => '127.0.0.1', :kibana_port => 5106, + :username => 'foouser', :password => 'foopass', + :ldap_enabled => true, + :ldap_protocol => 'ldap', + :ldap_port => 389, + :ldap_servers => ['ldap.foo.fr'], + :ldap_bind_dn => 'cn=admin,dc=example,dc=com', + :ldap_bind_password => 'foopass', + :ldap_user_search_base_dns => 'ou=groups,dc=example,dc=com', + :ldap_user_search_filter => '(&(objectClass=posixGroup)(memberUid=%s))', + :ldap_user_attribute => 'uid', + } + end + + it { + should contain_class('apache') + should contain_apache__custom_config('kibana-proxy') + should contain_htpasswd('foouser') + should contain_file('/etc/apache2/kibana.htpasswd') + } + end + describe 'ldap parameters are missing' do + let(:params) do + {:listen_address => '127.0.0.1', :listen_port => 80, + :kibana_address => '127.0.0.1', :kibana_port => 5106, + :username => 'foouser', :password => 'foopass', + :ldap_enabled => true, + :ldap_protocol => 'ldap', + :ldap_port => 389, + :ldap_servers => ['ldap.foo.fr'], + :ldap_user_search_base_dns => 'ou=groups,dc=example,dc=com', + :ldap_user_search_filter => '(&(objectClass=posixGroup)(memberUid=%s))', + :ldap_user_attribute => 'uid', 
+ } + end + + it { is_expected.to raise_error(Puppet::Error, /Missing ldap_/) } + end + + describe 'ldap parameters with authorization' do + let(:params) do + {:listen_address => '127.0.0.1', :listen_port => 80, + :kibana_address => '127.0.0.1', :kibana_port => 5106, + :username => 'foouser', :password => 'foopass', + :ldap_enabled => true, + :ldap_protocol => 'ldap', + :ldap_port => 389, + :ldap_servers => ['ldap.foo.fr'], + :ldap_bind_dn => 'cn=admin,dc=example,dc=com', + :ldap_bind_password => 'foopass', + :ldap_user_search_base_dns => 'ou=groups,dc=example,dc=com', + :ldap_user_search_filter => '(&(objectClass=posixGroup)(memberUid=%s))', + :ldap_user_attribute => 'uid', + :ldap_authorization_enabled => true, + :listen_port_viewer => 81, + :ldap_group_attribute => 'memberUid', + :ldap_admin_group_dn => 'cn=admin_group,dc=example,dc=com', + :ldap_viewer_group_dn => 'cn=viewer_group,dc=example,dc=com', + } + end + + it { + should contain_class('apache') + should contain_apache__custom_config('kibana-proxy') + should contain_htpasswd('foouser') + should contain_file('/etc/apache2/kibana.htpasswd') } end - it { - should contain_class('apache') - should contain_apache__custom_config('kibana-proxy') - should contain_htpasswd('foouser') - should contain_file('/etc/apache2/kibana.htpasswd') - } + describe 'ldap parameters with authorization missing' do + let(:params) do + {:listen_address => '127.0.0.1', :listen_port => 80, + :kibana_address => '127.0.0.1', :kibana_port => 5106, + :username => 'foouser', :password => 'foopass', + :ldap_enabled => true, + :ldap_protocol => 'ldap', + :ldap_port => 389, + :ldap_servers => ['ldap.foo.fr'], + :ldap_bind_dn => 'cn=admin,dc=example,dc=com', + :ldap_bind_password => 'foopass', + :ldap_user_search_base_dns => 'ou=groups,dc=example,dc=com', + :ldap_user_search_filter => '(&(objectClass=posixGroup)(memberUid=%s))', + :ldap_user_attribute => 'uid', + :ldap_authorization_enabled => true, + #:ldap_group_attribute => 'memberUid', + 
#:ldap_admin_group_dn => 'cn=admin_group,dc=example,dc=com', + #:ldap_viewer_group_dn => 'cn=viewer_group,dc=example,dc=com', + } + end + + it { is_expected.to raise_error(Puppet::Error, /Missing/) } + end end diff --git a/deployment_scripts/puppet/modules/lma_logging_analytics/templates/apache_kibana_proxy.conf.erb b/deployment_scripts/puppet/modules/lma_logging_analytics/templates/apache_kibana_proxy.conf.erb index f2fc6a4..5fbbbef 100644 --- a/deployment_scripts/puppet/modules/lma_logging_analytics/templates/apache_kibana_proxy.conf.erb +++ b/deployment_scripts/puppet/modules/lma_logging_analytics/templates/apache_kibana_proxy.conf.erb @@ -15,14 +15,32 @@ AuthName "Kibana Access" AuthType Basic AuthUserFile <%= @htpasswd_file %> +<% if @ldap_enabled -%> + AuthBasicProvider file ldap + AuthLDAPURL "<%= @ldap_protocol %>://<%= @ldap_url %>" + AuthLDAPBindDN "<%= @ldap_bind_dn %>" + AuthLDAPBindPassword <%= @ldap_bind_password %> +<% if @ldap_authorization_enabled -%> + AuthLDAPGroupAttribute <%= @ldap_group_attribute %> + AuthLDAPGroupAttributeIsDN off + AuthBasicAuthoritative on + + require user <%= @username %> + Require ldap-group <%= @ldap_admin_group_dn %> + +<% else -%> require valid-user +<% end -%> +<% else -%> + require valid-user +<% end -%> ProxyPass / http://<%= @kibana_address %>:<%= @kibana_port %> ProxyPassReverse / http://<%= @kibana_address %>:<%= @kibana_port %> RewriteEngine on - RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f - RewriteRule .* http://<%= @kibana_address %>:<%= @kibana_port %>%{REQUEST_URI} [P,QSA] + # Passthrough the request to Kibana with the orginal query string + RewriteRule .* http://<%= @kibana_address %>:<%= @kibana_port %>%{REQUEST_URI} [P,QSA,L] ErrorLog "/var/log/apache2/kibana_error.log" ServerSignature Off 
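Review bot: The 'ldap parameters with authorization' example asserts the same four resources as the default case and never checks what the authorization path actually adds, so the viewer listener and vhost could disappear without a failing test. Adding `should contain_apache__listen('127.0.0.1:81')` and `should contain_apache__custom_config('kibana-proxy-viewer')` to that `it` block, plus a `.with_content(/AuthLDAPURL "ldap:\/\/ldap\.foo\.fr:389\//)` on `contain_apache__custom_config('kibana-proxy')`, would pin both the resources and the rendered configuration (the `content` of `apache::custom_config` is the rendered template, so `with_content` applies). The negative examples match only `/Missing ldap_/` and `/Missing/`; naming the expected parameter in each regex makes the test detect a check that was dropped rather than merely reordered.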
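Review bot: `AuthLDAPBindPassword <%= @ldap_bind_password %>` is emitted unquoted, so a bind password containing whitespace makes Apache reject the vhost ("takes one argument") and one containing `"` or `\` breaks it even when quoted naively; quote it, `AuthLDAPBindPassword "<%= @ldap_bind_password %>"`, and either escape those two characters in the template or reject them at validation time. Two further things a deployer will hit: nothing here sets `LDAPTrustedGlobalCert`/`LDAPTrustedMode` for the `ldaps` case, so with Apache's default `LDAPVerifyServerCert On` the bind will fail against a private CA (and the tempting workaround, switching verification off, defeats the point of LDAPS); and the bind password now lives in a vhost file managed by `apache::custom_config`, whose file mode I cannot see from here and should be root-readable only. A one-line comment above `require user <%= @username %>` noting that sibling `Require` directives are implicitly OR'ed under Apache 2.4 (local admin or LDAP admin group) would save the next reader from wondering whether both are required.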
diff --git a/deployment_scripts/puppet/modules/lma_logging_analytics/templates/apache_kibana_proxy_viewer.conf.erb b/deployment_scripts/puppet/modules/lma_logging_analytics/templates/apache_kibana_proxy_viewer.conf.erb
new file mode 100644
index 0000000..28e8a35
--- /dev/null
+++ b/deployment_scripts/puppet/modules/lma_logging_analytics/templates/apache_kibana_proxy_viewer.conf.erb
@@ -0,0 +1,56 @@ +# ************************************ +# Vhost template in module lma_logging_analytics +# Managed by Puppet +# ************************************ + +:<%= @listen_port_viewer %>> + ServerName kibana + DocumentRoot "/opt/kibana" + + ProxyRequests Off + + + Order Allow,Deny + Allow From All + AuthName "Kibana Access" + AuthType Basic + AuthUserFile <%= @htpasswd_file %> +<% if @ldap_enabled -%> + AuthBasicProvider file ldap + AuthLDAPURL "<%= @ldap_protocol %>://<%= @ldap_url %>" + AuthLDAPBindDN "<%= @ldap_bind_dn %>" + AuthLDAPBindPassword <%= @ldap_bind_password %> +<% if @ldap_authorization_enabled -%> + AuthLDAPGroupAttribute <%= @ldap_group_attribute %> + AuthLDAPGroupAttributeIsDN off + AuthBasicAuthoritative on + + require user <%= @username %> + Require ldap-group <%= @ldap_viewer_group_dn %> + Require ldap-group <%= @ldap_admin_group_dn %> + +<% else -%> + require valid-user +<% end -%> +<% else -%> + require valid-user +<% end -%> + + + ProxyPass / http://<%= @kibana_address %>:<%= @kibana_port %> + ProxyPassReverse / http://<%= @kibana_address %>:<%= @kibana_port %> + RewriteEngine on + # Deleting is forbidden for viewers + RewriteCond %{REQUEST_METHOD} DELETE + RewriteRule .* - [F,L] + # Creation/update is forbidden for viewers + RewriteCond %{REQUEST_METHOD} POST + RewriteCond %{QUERY_STRING} op_type=create + RewriteRule .* - [F,L] + # Passthrough the request to Kibana with the orginal query string + RewriteRule .* http://<%= @kibana_address %>:<%= @kibana_port %>%{REQUEST_URI} [P,QSA,L] + + ErrorLog "/var/log/apache2/kibana_error.log" + ServerSignature Off + CustomLog "/var/log/apache2/kibana_access.log" combined + diff --git a/environment_config.yaml b/environment_config.yaml index 88847ab..1983edd 100644 --- a/environment_config.yaml +++ b/environment_config.yaml 
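Review bot: The viewer restrictions in the `RewriteCond` block are a deny-list that only refuses `DELETE` and `POST` carrying `op_type=create`; `PUT` and POSTs to `_update`/`_bulk` still reach the same Kibana backend the admin vhost proxies to, so, if I read Kibana 4's saved-object flow correctly, a viewer can still overwrite an existing dashboard (the overwrite is resent as a POST without `op_type`) or change the `config` document through `_update`. The method patterns are also unanchored, so they match any method containing that substring. The rules below widen the block to PUT and to the Elasticsearch update endpoints while leaving the `_msearch`/`_mget` POSTs the UI needs untouched; please verify on a real 4.5.1 instance that browsing and searching still work, since the `/elasticsearch/` proxy path is assumed rather than visible in this template.
```apache
    # Deleting and direct document writes are forbidden for viewers
    RewriteCond %{REQUEST_METHOD} ^(DELETE|PUT)$
    RewriteRule .* - [F,L]
    # Creation/update is forbidden for viewers: op_type=create for new documents,
    # and the _update/_bulk endpoints used to modify existing ones
    RewriteCond %{REQUEST_METHOD} ^POST$
    RewriteCond %{REQUEST_URI} /(_update|_bulk)(/|$) [OR]
    RewriteCond %{QUERY_STRING} op_type=create
    RewriteRule .* - [F,L]
    # … unchanged: passthrough RewriteRule to Kibana …
```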
@@ -139,3 +139,177 @@ attributes: - condition: "settings:elasticsearch_kibana.tls_enabled.value == false" action: "hide" # TLS Settings: END + # LDAP Settings: BEGIN + ldap_enabled: + value: false + label: 'Use LDAP for Kibana authentication' + description: '' + weight: 100 + type: "checkbox" + + ldap_protocol: + type: "radio" + value: 'ldap' + weight: 110 + label: 'LDAP protocol' + values: + - data: "ldap" + label: "LDAP" + - data: "ldaps" + label: "LDAPS" + restrictions: + - condition: "settings:elasticsearch_kibana.ldap_enabled.value == false" + action: hide + + ldap_servers: + value: '' + label: 'LDAP servers' + description: 'Specify one or several LDAP servers separated by space.' + weight: 120 + type: "text" + regex: + source: '^\w[\w\-\s.]+$' + error: "You must provide a hostname or IP" + restrictions: + - condition: "settings:elasticsearch_kibana.ldap_enabled.value == false" + action: hide + - condition: "settings:elasticsearch_kibana.ldap_enabled.value == false" + action: disable + + ldap_server_port: + value: '' + label: 'Port' + description: 'If empty, the default value is 389 for LDAP and 636 for LDAPS.' + weight: 130 + type: "text" + regex: + source: '^\d{0,5}$' + error: "You must provide a valid port number" + restrictions: + - condition: "settings:elasticsearch_kibana.ldap_enabled.value == false" + action: hide + - condition: "settings:elasticsearch_kibana.ldap_enabled.value == false" + action: disable + + ldap_bind_dn: + value: '' + label: 'Bind DN' + description: 'DN used to bind to the server when searching for entries.' + weight: 140 + type: "text" + regex: ¬_empty_parameter + source: '\S' + error: "Invalid value" + restrictions: + - condition: "settings:elasticsearch_kibana.ldap_enabled.value == false" + action: hide + - condition: "settings:elasticsearch_kibana.ldap_enabled.value == false" + action: disable + + ldap_bind_password: + value: '' + label: 'Bind password' + description: 'Password to use in conjunction with the bind DN.' 
+ weight: 150 + type: "password" + regex: *not_empty_parameter + restrictions: + - condition: "settings:elasticsearch_kibana.ldap_enabled.value == false" + action: hide + - condition: "settings:elasticsearch_kibana.ldap_enabled.value == false" + action: disable + + ldap_user_search_base_dns: + value: '' + label: 'User search base DN' + description: 'The base DN to search for users.' + weight: 160 + type: "text" + regex: *not_empty_parameter + restrictions: + - condition: "settings:elasticsearch_kibana.ldap_enabled.value == false" + action: hide + - condition: "settings:elasticsearch_kibana.ldap_enabled.value == false" + action: disable + + ldap_user_attribute: + value: 'uid' + label: 'User attribute to search for' + description: "It's a good idea to choose an attribute that will be unique across all entries." + weight: 165 + type: "text" + regex: *not_empty_parameter + restrictions: + - condition: "settings:elasticsearch_kibana.ldap_enabled.value == false" + action: hide + - condition: "settings:elasticsearch_kibana.ldap_enabled.value == false" + action: disable + + ldap_user_search_filter: + value: '(objectClass=*)' + label: 'User search filter' + description: 'A valid LDAP search filter.' + weight: 170 + type: "text" + regex: *not_empty_parameter + restrictions: + - condition: "settings:elasticsearch_kibana.ldap_enabled.value == false" + action: hide + - condition: "settings:elasticsearch_kibana.ldap_enabled.value == false" + action: disable + + ldap_authorization_enabled: + value: false + label: 'Enable group-based authorization' + description: 'It allows to associate the users with the Admin or Viewer role. Otherwise all users are assigned to admin role.' + weight: 200 + type: "checkbox" + restrictions: + - condition: "settings:elasticsearch_kibana.ldap_enabled.value == false" + action: hide + + ldap_group_attribute: + value: 'memberUid' + label: 'LDAP group attribute' + description: 'LDAP attribute used to identify the user members of groups.' 
+ weight: 205 + type: "text" + regex: *not_empty_parameter + restrictions: + - condition: "settings:elasticsearch_kibana.ldap_enabled.value == false" + action: hide + - condition: "settings:elasticsearch_kibana.ldap_enabled.value == false" + action: disable + - condition: "settings:elasticsearch_kibana.ldap_authorization_enabled.value == false" + action: disable + + ldap_admin_group_dn: + value: '' + label: 'Group DN mapping to the Admins role' + description: '' + weight: 210 + type: "text" + regex: *not_empty_parameter + restrictions: + - condition: "settings:elasticsearch_kibana.ldap_enabled.value == false" + action: hide + - condition: "settings:elasticsearch_kibana.ldap_enabled.value == false" + action: disable + - condition: "settings:elasticsearch_kibana.ldap_authorization_enabled.value == false" + action: disable + + ldap_viewer_group_dn: + value: '' + label: 'Group DN mapping to the Viewers role' + description: '' + weight: 220 + type: "text" + regex: *not_empty_parameter + restrictions: + - condition: "settings:elasticsearch_kibana.ldap_enabled.value == false" + action: hide + - condition: "settings:elasticsearch_kibana.ldap_enabled.value == false" + action: disable + - condition: "settings:elasticsearch_kibana.ldap_authorization_enabled.value == false" + action: disable + # LDAP Settings: END
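Review bot: `ldap_server_port` is validated with `^\d{0,5}$`, which accepts `0` and anything up to `99999`, and nothing downstream narrows it (hiera_override.pp forwards the string as `$ldap_port`, kibana_authentication.pp only checks that it is set), so a typo surfaces as an Apache reload failure instead of a validation error. A full port-range regex is unwieldy in YAML, so the simpler fix is to keep this regex and add `validate_integer($ldap_port, 65535, 1)` where the value is computed. Separately, `ldap_protocol` defaults to plain `ldap` and carries no description, yet with that choice every user's password and the bind password cross the network in cleartext; consider `description: 'Use LDAPS unless the LDAP server is reachable only over a trusted network; with plain LDAP user and bind passwords are sent in cleartext.'` so the trade-off is visible where it is made.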