
orchestrator: Support SSO
Open, Medium, Public

Description

Orchestrator supports auth via forwarded headers (https://github.com/openark/orchestrator/blob/master/docs/security.md). Ideally we can put it behind idp/cas.
Also use SSL

Event Timeline

Kormat triaged this task as Medium priority. Oct 21 2020, 9:05 AM
Kormat created this task.
LSobanski moved this task from Triage to Ready on the DBA board. Oct 21 2020, 9:16 AM

Adding profile::idp::client::httpd, and configuring orchestrator appropriately should work.

11:21:49 <jbond42> kormat: if that's the case I would use the header X-CAS-CN (environment variable HTTP_X_CAS_CN) as the default CAS-User header suffers from the case insensitive issue that icinga has

Configurable here: https://github.com/wikimedia/puppet/blob/production/modules/profile/manifests/idp/client/httpd/site.pp#L23

Change 635520 had a related patch set uploaded (by Muehlenhoff; owner: Muehlenhoff):
[operations/puppet@production] Add IDP service definition for orchestrator.wikimedia.org

https://gerrit.wikimedia.org/r/635520

Change 635520 merged by Muehlenhoff:
[operations/puppet@production] Add IDP service definition for orchestrator.wikimedia.org

https://gerrit.wikimedia.org/r/635520

Marostegui updated the task description. Fri, Nov 6, 1:18 PM