Home
The rancher-auth-service listens at endpoint /v1-auth/, by default on <rancher_ip>:8080/v1-auth. It is a Go micro-service that runs separately from cattle, but all requests to the service are proxied via cattle.
The source code is at this repo: https://github.com/rancher/rancher-auth-service
This service has implementations for two auth providers/drivers: github and shibboleth (SAML).
Each access control provider has its own top-level API type for configuration specific to that type of authentication. So each provider should design the configuration model needed to configure the provider and add it to the API below.
Following is the API used to save the provider-specific configuration to the DB: /v1-auth/config

```json
{
  "type": "config",
  "provider": "<name of the config enclosed (githubconfig/shibbolethconfig)>",
  "enabled": false,
  "accessMode": "unrestricted",
  "allowedIdentities": [],
  "githubconfig": {},
  "shibbolethconfig": {}
}
```
Check out the https://github.com/rancher/rancher-auth-service/tree/master/model package for examples of existing configs.
Each auth provider should implement the https://github.com/rancher/rancher-auth-service/blob/master/providers/identity_provider.go interface and add the provider to the supported list of providers.
Each auth provider implementation should:
- Define the list of setting names against which the provider config gets stored in cattle DB.
- Provide logic to list the settings and to initialize the settings from the config object.
- Encapsulate the provider specific internal implementation based on the specific protocol.
- Provide translation from provider-specific accounts/org structures to the Rancher model.
- Implement the provider specific token generation and lookup of identities.
Check out the existing implementations of the github/shibboleth providers under: https://github.com/rancher/rancher-auth-service/tree/master/providers
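The first two items in the list above (owning a set of setting names, and converting between the config object and those settings) are the part every provider repeats, so here is an added example of that round trip. This is illustration code, not the project's own: the `ExampleConfig` type, the `api.auth.example.*` setting names and the function names are assumptions and do not match the real `identity_provider.go` interface.

```go
package main

import "fmt"

// Setting names under which this provider's config is stored in the cattle
// DB. The names are an assumption for this example, not the project's own.
const (
	settingHostname     = "api.auth.example.hostname"
	settingClientID     = "api.auth.example.client.id"
	settingClientSecret = "api.auth.example.client.secret"
)

// ExampleConfig is a hypothetical provider-specific config object, the
// counterpart of "githubconfig"/"shibbolethconfig" in the /v1-auth/config body.
type ExampleConfig struct {
	Hostname     string
	ClientID     string
	ClientSecret string
}

// GetProviderSettingList returns the setting names this provider owns.
func GetProviderSettingList() []string {
	return []string{settingHostname, settingClientID, settingClientSecret}
}

// GetSettings flattens a config object into name/value settings for storage.
func GetSettings(c ExampleConfig) map[string]string {
	return map[string]string{
		settingHostname:     c.Hostname,
		settingClientID:     c.ClientID,
		settingClientSecret: c.ClientSecret,
	}
}

// LoadConfig initializes a config object from stored settings. Every setting
// the provider owns must be present; a missing one means the provider is
// misconfigured and must not be enabled.
func LoadConfig(settings map[string]string) (ExampleConfig, error) {
	for _, name := range GetProviderSettingList() {
		if settings[name] == "" {
			return ExampleConfig{}, fmt.Errorf("missing required setting %q", name)
		}
	}
	return ExampleConfig{
		Hostname:     settings[settingHostname],
		ClientID:     settings[settingClientID],
		ClientSecret: settings[settingClientSecret],
	}, nil
}
```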