
Allowing TiDB maintainers to specify TiDB dashboard SSO credentials during deployment #1528

Open
xsfeng-zodiac opened this issue May 31, 2023 · 4 comments

Comments

@xsfeng-zodiac

Feature Request

Is your feature request related to a problem? Please describe:

Currently, in order to enable TiDB dashboard SSO login, TiDB maintainers need to set up the TiDB dashboard OIDC client ID, OIDC discovery URL, and Impersonate SQL User username/password manually. This works when maintainers only need to manage several clusters but could be quite heavy lifting when they have to manage tens or hundreds of TiDB clusters.

Describe the feature you'd like:

The Kubernetes official doc suggests secrets can be mounted as files so that containers can read them. Inspired by this, I am proposing to have TiDB dashboard read these files:

  1. /var/lib/sso-secrets/oidc_client_id
  2. /var/lib/sso-secrets/oidc_discovery_url
  3. /var/lib/sso-secrets/sql_username
  4. /var/lib/sso-secrets/sql_password

to set up SSOCoreConfig.ClientID and SSOCoreConfig.DiscoveryURL and to build a new SessionUser.

Existence of any file will stop TiDB dashboard from accepting a new oidc_client_id or oidc_discovery_url via SetConfigRequest, and from accepting new impersonate SQL user information via CreateImpersonationRequest; users sending such requests shall receive error responses indicating these settings are managed by the TiDB dashboard deployment and are immutable.

This allows maintainers who are deploying TiDB clusters via Kubernetes to manage SSO secrets with Kubernetes secrets (thus allowing automation).

Describe alternatives you've considered:

An alternative is to use environment variables (as is suggested by the Kubernetes official doc). Decided to use files since environment variables can be exposed through the /proc filesystem and potentially Prometheus.

Teachability, Documentation, Adoption, Migration Strategy:

N/A
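The following Go program is an added example, not code from the issue or from the TiDB dashboard project, showing one way the proposal could be implemented: secrets are read from the four mounted files, a `Managed` flag records that the deployment owns the values, and the two API paths that the issue names (`SetConfigRequest`, `CreateImpersonationRequest`) are modelled by functions that refuse changes while that flag is set. The `SSOConfig` type, the error value, and the all-or-nothing check on the four files are assumptions of this example; the real dashboard types (`SSOCoreConfig`, `SessionUser`) are only referred to in comments.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// secretDir and the file names follow the layout proposed in the issue.
const secretDir = "/var/lib/sso-secrets"

var secretFiles = []string{"oidc_client_id", "oidc_discovery_url", "sql_username", "sql_password"}

// SSOConfig is a hypothetical stand-in for the dashboard's SSO settings
// (assumed here; not the real SSOCoreConfig or SessionUser types).
type SSOConfig struct {
	ClientID     string
	DiscoveryURL string
	SQLUser      string
	SQLPassword  string
	// Managed is set when the secret files exist: the values then come from
	// the deployment and API requests to change them are rejected.
	Managed bool
}

// ErrManagedByDeployment is returned to callers of the config and
// impersonation endpoints when the settings are file-managed.
var ErrManagedByDeployment = errors.New("SSO settings are managed by the deployment and are immutable")

// readSecret reads one mounted secret file. A missing file is reported as
// ok=false rather than as an error so the caller decides what that means.
func readSecret(dir, name string) (value string, ok bool, err error) {
	b, err := os.ReadFile(filepath.Join(dir, name))
	if errors.Is(err, os.ErrNotExist) {
		return "", false, nil
	}
	if err != nil {
		return "", false, err
	}
	// Secret values created with `echo` often carry a trailing newline; a
	// client ID or password with a stray "\n" silently fails to authenticate.
	return strings.TrimRight(string(b), "\r\n"), true, nil
}

// LoadSSOConfig reads the four files from dir. If none exist the config is
// unmanaged and may be set through the API. If any exist, all four must exist:
// a partial mount would leave the other fields empty and, with the API locked,
// impossible to fill (this all-or-nothing rule is this example's assumption).
func LoadSSOConfig(dir string) (SSOConfig, error) {
	var cfg SSOConfig
	values := make([]string, len(secretFiles))
	var missing []string
	for i, name := range secretFiles {
		v, ok, err := readSecret(dir, name)
		if err != nil {
			return SSOConfig{}, fmt.Errorf("reading %s: %w", name, err)
		}
		if !ok {
			missing = append(missing, name)
			continue
		}
		values[i] = v
		cfg.Managed = true
	}
	if !cfg.Managed {
		return cfg, nil
	}
	if len(missing) > 0 {
		return SSOConfig{}, fmt.Errorf("SSO secrets partially mounted in %s, missing: %s", dir, strings.Join(missing, ", "))
	}
	cfg.ClientID, cfg.DiscoveryURL, cfg.SQLUser, cfg.SQLPassword = values[0], values[1], values[2], values[3]
	return cfg, nil
}

// SetSSOConfig models the SetConfigRequest path.
func SetSSOConfig(cfg *SSOConfig, clientID, discoveryURL string) error {
	if cfg.Managed {
		return ErrManagedByDeployment
	}
	cfg.ClientID, cfg.DiscoveryURL = clientID, discoveryURL
	return nil
}

// SetImpersonationUser models the CreateImpersonationRequest path.
func SetImpersonationUser(cfg *SSOConfig, user, password string) error {
	if cfg.Managed {
		return ErrManagedByDeployment
	}
	cfg.SQLUser, cfg.SQLPassword = user, password
	return nil
}

func main() {
	// Stand-alone demo on a constructed temp directory instead of secretDir.
	dir, err := os.MkdirTemp("", "sso-secrets")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	for name, v := range map[string]string{
		"oidc_client_id": "dashboard-client\n", "oidc_discovery_url": "https://idp.example/.well-known/openid-configuration",
		"sql_username": "dashboard_sso", "sql_password": "s3cret\n",
	} {
		if err := os.WriteFile(filepath.Join(dir, name), []byte(v), 0o600); err != nil {
			panic(err)
		}
	}
	cfg, err := LoadSSOConfig(dir)
	fmt.Printf("managed=%v clientID=%q err=%v\n", cfg.Managed, cfg.ClientID, err)
	fmt.Println("SetSSOConfig while managed:", SetSSOConfig(&cfg, "other", "https://other"))
}
```

The partial-mount check is the one place this example goes beyond the issue: the text only says that the existence of any file locks the API, and a deployment that mounts, say, only `oidc_client_id` would otherwise start with an empty discovery URL that nobody can set. Failing loudly at startup is the safer default for that case.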

@xsfeng-zodiac xsfeng-zodiac changed the title Allowing users to specify TiDB dashboard SSO credentials programmatically Allowing TiDB maintainers to specify TiDB dashboard SSO credentials during deployment May 31, 2023
@csuzhangxc
Member

@baurine Could you take a look?

@baurine
Collaborator

baurine commented May 31, 2023

/cc @lilyjazz

@xsfeng-zodiac
Author

Folks, this is something we need for further TiDB migration. Please let me know if you guys don't have time for it; I can create a PR.

@baurine
Collaborator

baurine commented Jun 1, 2023

Folks, this is something we need for further TiDB migration. Please let me know if you guys don't have time for it; I can create a PR.

Yep, recently we don't have time for this, so please go on; we welcome and appreciate a PR from the community!

3 participants