Page MenuHomePhabricator
Create Task
Maniphest T331512

Support for multiple SSO thanos-web backends
Closed, ResolvedPublic
Actions

Description

In T323913: Move thanos-sso away from CNAME discovery.wmnet we moved away from dns-controlled thanos-fe hosts for thanos-web (i.e. thanos.w.o) and to a conftool-controlled service.

The move solved the problem of easily swapping backends (e.g. for maintenance) though it created a nuisance: namely that we currently need to (remember to) have a single thanos-fe host pooled at a time per site.

This is because mod_auth_cas / SSO sessions are not shared between hosts, and backend selection is (for all intended purposes) random. Therefore, if we have more than one backend pooled then clients (in this case ATS, by way of the frontend cdn) could land on different hosts and not have their SSO session stored there.

After a chat/brainstorm with @Muehlenhoff here's my current thinking:

  1. We need an authenticating proxy in front of thanos anyways since thanos web serving doesn't ship authentication/authorization natively
  2. We want said proxy to be compatible with our SSO _and_ have a mechanism to share sessions between different hosts

To this end, we have at least a couple of solutions:

  1. Keep mod_auth_cas and find a way to make it share its sessions, as of March 2023 the module supports filesystem storage only. In other words some form of shared filesystem between all backends would be needed.
  2. Find an authenticating/authorizing proxy (including an apache module) that can talk SAML or OIDC (or CAS really!) and supports sharing sessions among hosts natively (e.g. with memcached)

Details

SubjectRepoBranchLines +/-
oauth2_proxy: update probe definitionoperations/puppetproduction+9 -4
oauth2_proxy: skip provider buttonoperations/puppetproduction+1 -0
profile: adjust oidc probe nameoperations/puppetproduction+1 -1
oauth2_proxy: add blackbox checksoperations/puppetproduction+37 -1
thanos: disable auth_cas when running in OIDC SSO modeoperations/puppetproduction+6 -0
hieradata: enable Thanos OIDC SSOoperations/puppetproduction+2 -0
thanos: add oidc support via oauth2-proxyoperations/puppetproduction+93 -15
oauth2_proxy: new moduleoperations/puppetproduction+64 -0
hieradata: add thanos_oidc to idpoperations/puppetproduction+10 -1
hieradata: idp_test entry for thanos OIDCoperations/puppetproduction+8 -0
Customize query in gerrit

Related Objects

Event Timeline

fgiunchedi created this task.Mar 8 2023, 9:26 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 8 2023, 9:26 AM
lmata subscribed.Mar 8 2023, 9:13 PM
fgiunchedi added a comment.Mar 13 2023, 4:43 PM

Something I came across that works (on paper! I haven't tried it yet) is this: https://oauth2-proxy.github.io/oauth2-proxy i.e. an OIDC RP authenticating reverse proxy. Session data is stored in cookies by default, so that would solve the problem

fgiunchedi mentioned this in T326657: Add prometheus-https load balancer.Aug 16 2023, 7:06 AM
herron subscribed.Aug 21 2023, 2:58 PM

I'm curious if the recent maglev hashing 'mh' inclusion/migration in T263797 provides any improvement here. On paper using 'mh' scheduler should address session stickiness better than 'sh' did.

Has pooling multiple backends been tested since thanos-web was migrated to the 'mh' scheduler?

fgiunchedi added a comment.Aug 22 2023, 9:47 AM
In T331512#9106479, @herron wrote:

I'm curious if the recent maglev hashing 'mh' inclusion/migration in T263797 provides any improvement here. On paper using 'mh' scheduler should address session stickiness better than 'sh' did.

Has pooling multiple backends been tested since thanos-web was migrated to the 'mh' scheduler?

IIRC I tried and even mh didn't work because varnish -> ats backend selection is random, therefore the source IP that LVS sees on ats -> backend connection is random too.

fgiunchedi added a subscriber: Vgutierrez.Aug 28 2023, 9:22 AM
In T331512#9108753, @fgiunchedi wrote:
In T331512#9106479, @herron wrote:

I'm curious if the recent maglev hashing 'mh' inclusion/migration in T263797 provides any improvement here. On paper using 'mh' scheduler should address session stickiness better than 'sh' did.

Has pooling multiple backends been tested since thanos-web was migrated to the 'mh' scheduler?

IIRC I tried and even mh didn't work because varnish -> ats backend selection is random, therefore the source IP that LVS sees on ats -> backend connection is random too.

This isn't true anymore for ~half of our sites as pointed out by @Vgutierrez. Specifically, once T288106: Experiment with single backend CDN nodes is fully rolled out then the same client IP (external) will result in the same backend IP (internal) making backend requests. With that in place then I believe we could get away with a client-ip based hashing and SSO working to a decent extent.

The proper solution / nail in the coffin is of course to go stateless for sessions (cfr my comment at https://phabricator.wikimedia.org/T331512#8688330)

fgiunchedi added a project: User-fgiunchedi.Oct 27 2023, 6:49 AM
fgiunchedi moved this task from Backlog to Up next on the User-fgiunchedi board.Oct 27 2023, 6:54 AM
fgiunchedi added a comment.Oct 27 2023, 3:07 PM

Fixing this would also help with T320555: cas-sso idp for jaeger-ui on k8s

fgiunchedi moved this task from Up next to Doing on the User-fgiunchedi board.Oct 31 2023, 8:11 AM
fgiunchedi added a comment.EditedNov 2 2023, 10:16 AM

I've been looking at the oauth2-proxy docs and my understanding is the following:

./oauth2-proxy \
  --provider oidc \
  --provider-display-name "Wikimedia SSO" \
  --client-id thanos_test \
  --client-secret REDACTED \
  --redirect-url https://thanos.monitoring.wmflabs.org/oauth2/callback \
  --code-challenge-method plain \
  --oidc-issuer-url https://idp-test.wikimedia.org/oidc \
  --cookie-secure true \
  --cookie-secret REDACTED \
  --cookie-domain monitoring.wmflabs.org \
  --email-domain wikimedia.org \
  --upstream http://localhost:16902
  • Configure the oidc client on the cas side
  • Configure apache on the thanos side to reverse proxy requests to oauth2-proxy, which then forwards to thanos itself
gerritbot added a comment.Nov 8 2023, 9:58 AM

Change 972701 had a related patch set uploaded (by Filippo Giunchedi; author: Filippo Giunchedi):

[operations/puppet@production] hieradata: idp_test entry for thanos OIDC

https://gerrit.wikimedia.org/r/972701

gerritbot added a project: Patch-For-Review.Nov 8 2023, 9:58 AM
gerritbot added a comment.Nov 8 2023, 10:25 AM

Change 972701 merged by Filippo Giunchedi:

[operations/puppet@production] hieradata: idp_test entry for thanos OIDC

https://gerrit.wikimedia.org/r/972701

Maintenance_bot removed a project: Patch-For-Review.Nov 8 2023, 10:30 AM
fgiunchedi added a comment.Nov 8 2023, 10:49 AM

I did a test on the o11y Pontoon stack (no puppetization yet) though things seems to work as expected: I can login on https://thanos.monitoring.wmflabs.org which will do the OIDC challenge/redirect to idp-test.w.o and issue me a _oauth2_proxy cookie with my session.

fgiunchedi added a comment.Nov 13 2023, 9:43 AM

Debian package for oauth2-proxy now lives at https://gitlab.wikimedia.org/repos/sre/oauth2-proxy (debian-wikimedia branch)

gerritbot added a comment.Nov 13 2023, 11:01 AM

Change 973739 had a related patch set uploaded (by Filippo Giunchedi; author: Filippo Giunchedi):

[operations/puppet@production] hieradata: add thanos_oidc to idp

https://gerrit.wikimedia.org/r/973739

gerritbot added a project: Patch-For-Review.Nov 13 2023, 11:01 AM

Change 973740 had a related patch set uploaded (by Filippo Giunchedi; author: Filippo Giunchedi):

[operations/puppet@production] oauth2_proxy: new module

https://gerrit.wikimedia.org/r/973740

gerritbot added a comment.Nov 13 2023, 11:01 AM

Change 973741 had a related patch set uploaded (by Filippo Giunchedi; author: Filippo Giunchedi):

[operations/puppet@production] thanos: add oidc support via oauth2-proxy

https://gerrit.wikimedia.org/r/973741

gerritbot added a comment.Nov 14 2023, 2:39 PM

Change 973739 merged by Filippo Giunchedi:

[operations/puppet@production] hieradata: add thanos_oidc to idp

https://gerrit.wikimedia.org/r/973739

gerritbot added a comment.Nov 15 2023, 8:02 AM

Change 973740 merged by Filippo Giunchedi:

[operations/puppet@production] oauth2_proxy: new module

https://gerrit.wikimedia.org/r/973740

gerritbot added a comment.Nov 15 2023, 8:02 AM

Change 973741 merged by Filippo Giunchedi:

[operations/puppet@production] thanos: add oidc support via oauth2-proxy

https://gerrit.wikimedia.org/r/973741

Maintenance_bot removed a project: Patch-For-Review.Nov 15 2023, 8:10 AM
gerritbot added a comment.Nov 15 2023, 8:10 AM

Change 974477 had a related patch set uploaded (by Filippo Giunchedi; author: Filippo Giunchedi):

[operations/puppet@production] hieradata: enable Thanos OIDC SSO

https://gerrit.wikimedia.org/r/974477

gerritbot added a project: Patch-For-Review.Nov 15 2023, 8:11 AM
gerritbot added a comment.Nov 15 2023, 10:14 AM

Change 974477 merged by Filippo Giunchedi:

[operations/puppet@production] hieradata: enable Thanos OIDC SSO

https://gerrit.wikimedia.org/r/974477

Maintenance_bot removed a project: Patch-For-Review.Nov 15 2023, 10:30 AM
gerritbot added a comment.Nov 15 2023, 10:40 AM

Change 974498 had a related patch set uploaded (by Filippo Giunchedi; author: Filippo Giunchedi):

[operations/puppet@production] thanos: disable auth_cas when running in OIDC SSO mode

https://gerrit.wikimedia.org/r/974498

gerritbot added a project: Patch-For-Review.Nov 15 2023, 10:40 AM
gerritbot added a comment.Nov 20 2023, 9:33 AM

Change 974498 merged by Filippo Giunchedi:

[operations/puppet@production] thanos: disable auth_cas when running in OIDC SSO mode

https://gerrit.wikimedia.org/r/974498

Maintenance_bot removed a project: Patch-For-Review.Nov 20 2023, 10:10 AM
gerritbot added a comment.Nov 20 2023, 10:14 AM

Change 975770 had a related patch set uploaded (by Filippo Giunchedi; author: Filippo Giunchedi):

[operations/puppet@production] oauth2_proxy: add blackbox checks

https://gerrit.wikimedia.org/r/975770

gerritbot added a project: Patch-For-Review.Nov 20 2023, 10:14 AM
gerritbot added a comment.Nov 20 2023, 1:10 PM

Change 975770 merged by Filippo Giunchedi:

[operations/puppet@production] oauth2_proxy: add blackbox checks

https://gerrit.wikimedia.org/r/975770

Maintenance_bot removed a project: Patch-For-Review.Nov 20 2023, 1:30 PM
gerritbot added a comment.Nov 20 2023, 1:35 PM

Change 975812 had a related patch set uploaded (by Filippo Giunchedi; author: Filippo Giunchedi):

[operations/puppet@production] profile: adjust oidc probe name

https://gerrit.wikimedia.org/r/975812

gerritbot added a project: Patch-For-Review.Nov 20 2023, 1:35 PM
gerritbot added a comment.Nov 20 2023, 1:42 PM

Change 975812 merged by Filippo Giunchedi:

[operations/puppet@production] profile: adjust oidc probe name

https://gerrit.wikimedia.org/r/975812

Maintenance_bot removed a project: Patch-For-Review.Nov 20 2023, 2:10 PM
fgiunchedi closed this task as Resolved.Nov 21 2023, 1:20 PM
fgiunchedi claimed this task.

With the probes in place I'm calling this done!

gerritbot added a comment.Dec 19 2023, 11:59 AM

Change 984146 had a related patch set uploaded (by Filippo Giunchedi; author: Filippo Giunchedi):

[operations/puppet@production] oauth2_proxy: skip provider button

https://gerrit.wikimedia.org/r/984146

gerritbot added a project: Patch-For-Review.Dec 19 2023, 11:59 AM
gerritbot added a comment.Dec 20 2023, 10:44 AM

Change 984146 merged by Filippo Giunchedi:

[operations/puppet@production] oauth2_proxy: skip provider button

https://gerrit.wikimedia.org/r/984146

Maintenance_bot removed a project: Patch-For-Review.Dec 20 2023, 11:30 AM
gerritbot added a comment.Dec 20 2023, 12:01 PM

Change 984515 had a related patch set uploaded (by Filippo Giunchedi; author: Filippo Giunchedi):

[operations/puppet@production] oauth2_proxy: update probe definition

https://gerrit.wikimedia.org/r/984515

gerritbot added a project: Patch-For-Review.Dec 20 2023, 12:01 PM
gerritbot added a comment.Dec 20 2023, 12:04 PM

Change 984515 merged by Filippo Giunchedi:

[operations/puppet@production] oauth2_proxy: update probe definition

https://gerrit.wikimedia.org/r/984515

Maintenance_bot removed a project: Patch-For-Review.Dec 20 2023, 12:30 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits