Project:Infrastructure/Single Sign-on

From Gentoo Wiki
Jump to:navigation Jump to:search

Keycloak

Keycloak is currently used to implement a Single sign-on (SSO) for Gentoo developers. It is currently deployed on sso.gentoo.org (tyrant) and sso-fallback.gentoo.org (gadwall).

Realms

Keycloak has two realms today.

  1. Admin: This realm is to administer the keycloak deployment. It has significantly more restrictions on credentials; normal users don't use this realm and don't have accounts here.
  2. Gentoo: This realm reads from ldap.gentoo.org and is otherwise readonly for most attributes.

Deployment

Keycloak is deployed using docker containers. Postgres is used as database.

State is generally kept in /var/lib/gentoo-sso and these are mounted in various places in the containers to sustain state between container deployments.

Backups

Keycloak runs on two machines in an active / passive configuration. On the passive machine, keycloak is not even running. The postgres databases replicate from master => passive using pg_basebackup.

Failover

The normal postgres failover documentation should be used: https://www.postgresql.org/docs/12/warm-standby-failover.html.

NOTE: We should dump our realm config every so often so we can reload it.

Service integrations

Service Integration Status Notes
Bugzilla Gatekeeper Not Started We can set bugzilla user_info_class to ENV, CGI
Wiki OpenId Extension Not Started https://www.mediawiki.org/wiki/Extension:OpenID_Connect#Example:_Using_it_against_Keycloak
AWS SAML 2.0 Not Started Use their existing identity provider stuff with SAML 2.0
Gentoo Admin Gatekeeper Not Started Use htpasswd as fallback (i.e. in case sso.g.o is down)
Infrawiki Gatekeeper Not Started Use htpasswd as fallback (i.e. in case sso.g.o is down)
Glsamaker (ruby) Gatekeeper Not Started Set a cookie to integrate with the existing user management
Glsamaker (go) Go OpenId Client Not Started i.e. https://github.com/coreos/go-oidc
Gerrit SAML Not Started https://gerrit.googlesource.com/plugins/saml/+/refs/heads/stable-2.14/README.md
Gitea OAuth2 Not Started -
Forums ? Not Started -

TODOs

  1. Move the secrets in the puppet module to eyaml (DONE)
  2. Set up database replicatioɳ (DONE)
  3. Mount the keycloak config in the container (DONE)
  4. check keycloak config into puppet (DONE)
  5. Create a Gentoo theme for Keycloak (DONE, https://gitweb.gentoo.org/sites/sso/tyrian-keycloak-theme.git/)
  6. Discuss the design of the Gentoo theme