This repository has been archived by the owner on Apr 17, 2024. It is now read-only.
Prachi Damle edited this page Nov 1, 2016 · 5 revisions

Auth Service in Rancher:

The rancher-auth-service listens at the endpoint /v1-auth/, which is <rancher_ip>:8080/v1-auth by default. It is a Go microservice that runs separately from cattle, but all requests to the service are proxied via cattle.

Code reference:

The source code is at this repo: https://github.com/rancher/rancher-auth-service

This service has implementations for two auth providers/drivers: GitHub and Shibboleth (SAML).

Implementing an Access Control/Auth Provider

Auth Config:

Each access control provider has its own top-level API type for configuration specific to that type of authentication. So each provider should design the configuration model needed to configure the provider and add it to the API below.

The following API is used to save the provider-specific configuration to the DB:

/v1-auth/config
{
 "type":"config",
 "provider":"<name of the config enclosed(githubconfig/shibbolethconfig)>",
 "enabled":false,
 "accessMode":"unrestricted",
 "allowedIdentities":[],
 "githubconfig": {},
 "shibbolethconfig": {}
}

Check out the https://github.com/rancher/rancher-auth-service/tree/master/model package for examples of existing configs.
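An added example, not code from rancher-auth-service: a Go pre-flight check for a /v1-auth/config body that confirms the "provider" field names a config block that is actually enclosed in the payload. The validation rules and the sample payload are assumptions of this example, not the service's own behaviour.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Config block names taken from this page; a new provider would add its own.
var knownProviders = map[string]bool{"githubconfig": true, "shibbolethconfig": true}

// checkAuthConfig inspects a /v1-auth/config body before it is sent.
// The rules are this example's assumptions, not the service's own validation.
func checkAuthConfig(body []byte) error {
	var raw map[string]json.RawMessage
	if err := json.Unmarshal(body, &raw); err != nil {
		return fmt.Errorf("invalid JSON: %w", err)
	}
	var provider string
	if err := json.Unmarshal(raw["provider"], &provider); err != nil {
		return errors.New("provider is missing or not a string")
	}
	if !knownProviders[provider] {
		return fmt.Errorf("unknown provider %q", provider)
	}
	// The block named by "provider" must be enclosed and must be a JSON object.
	var block map[string]json.RawMessage
	if err := json.Unmarshal(raw[provider], &block); err != nil || block == nil {
		return fmt.Errorf("config block %q is missing or not an object", provider)
	}
	var enabled bool
	if v, ok := raw["enabled"]; ok {
		if err := json.Unmarshal(v, &enabled); err != nil {
			return errors.New("enabled is not a boolean")
		}
	}
	// Turning access control on with an empty provider block is rejected.
	if enabled && len(block) == 0 {
		return fmt.Errorf("enabled is true but %q is empty", provider)
	}
	return nil
}

func main() {
	// Constructed sample: "provider" names a block that is not enclosed.
	sample := []byte(`{"type":"config","provider":"shibbolethconfig","enabled":false,"githubconfig":{}}`)
	fmt.Println(checkAuthConfig(sample))
}
```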

Auth provider interface

Each auth provider should implement the https://github.com/rancher/rancher-auth-service/blob/master/providers/identity_provider.go interface and add the provider to the supported list of providers.

Each auth provider implementation should:

  • Define the list of setting names against which the provider config gets stored in the cattle DB.
  • Provide logic to list the settings and to initialize the settings from the config object.
  • Encapsulate the provider-specific internal implementation based on the specific protocol.
  • Provide translation from provider-specific account/org structures to the Rancher model.
  • Implement the provider-specific token generation and lookup of identities.

Check out the existing implementations of the GitHub/Shibboleth providers under: https://github.com/rancher/rancher-auth-service/tree/master/providers
