Sentry should have unified login via LDAP (getsentry-ldap-auth) or OAuth (python-social-auth?).
Description
Details
Subject | Repo | Branch | Lines +/-
---|---|---|---
[WIP] LDAP auth for Sentry via REMOTE_USER | operations/puppet | production | +26 -0
LDAP support | operations/software/sentry | master | +3 K -5
Status | Subtype | Assigned | Task
---|---|---|---
Open | None | | T106913 Use Sentry on non-production Wikimedia wikis, Toolforge and other sites/tools
Declined | None | | T106915 Use Sentry in production
Declined | None | | T106920 Integrate Sentry with beta cluster
Open | None | | T97133 Login integration for Sentry
Event Timeline
They seem to be in the process of moving away from python/django-social-auth and have implemented their own generic auth system in src/sentry/auth, see issue:1372. I'm not sure what the status of that is; I still see plenty of social-auth references.
Sentry just opensourced their own login modules: http://blog.getsentry.com/2015/09/29/sso-for-all.html
Ori recommended a simpler approach: use some Apache authn module (probably LDAP) and Django's built-in REMOTE_USER-based authentication.
Specifically, the approach we ended up taking with Grafana -- having a public, read-only vhost and a private RW one: see T109723#1759237
The task is private.
The current Sentry role used nginx (that was recommended in the Sentry docs, presumably because it scales better). Nginx does not have native LDAP support. On the internets people usually recommend compiling in nginx-auth-ldap, which does not inspire confidence.
Maybe I can run both apache and nginx, on different ports/vhosts? The user interface does not need to scale and the logging interface does not need auth. I am not sure I can set separate base URLs for them though. Or just discard nginx completely and hope apache will be fine under load. Or go back to django_ldap_auth...
You could, but that is a bit inelegant. Apache should scale just fine.
> Or just discard nginx completely and hope apache will be fine under load.
That's what I would do, I think.
Thanks, I'll do that.
I'm not sure I understand the point of having two vhosts. Can't you just configure mod_authnz to ask for credentials but then not require valid-user, or use mod_authn_anon?
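The two ideas above (Apache-side LDAP authentication handed to the app through REMOTE_USER, and a single vhost that asks for credentials but lets anonymous users read) can be combined in one request-handling layer. The following is an added illustration written for this task page; it is not code from Sentry, Django or the operations/puppet patch. It assumes a hypothetical Apache 2.4 `<Location>` block like the one in the docstring, a hypothetical trusted-proxy address list, and a hypothetical `X-Remote-User` header for the case where Apache proxies to a separate app server instead of running it under mod_wsgi. Django's own `RemoteUserMiddleware`/`RemoteUserBackend` do the same lookup of `REMOTE_USER`; the point shown here is which inputs may be trusted.

```python
"""
Hypothetical Apache 2.4 fragment the code below expects in front of it
(added example, not the task's puppet patch):

    <Location />
        AuthType Basic
        AuthName "Wikimedia LDAP"
        AuthBasicProvider ldap
        AuthLDAPURL "ldap://ldap.example.org/ou=people,dc=example,dc=org?uid"
        # Reads are public; anything else prompts for LDAP credentials.
        <RequireAny>
            Require method GET HEAD OPTIONS
            Require valid-user
        </RequireAny>
    </Location>

With mod_wsgi, Apache copies the authenticated user into
environ["REMOTE_USER"]; an anonymous GET simply arrives without it.
"""
from typing import Optional, Tuple

# Assumption: addresses of the reverse proxy that is known to set (and
# overwrite) X-Remote-User. Anything else sending that header is a client.
TRUSTED_PROXIES = {"127.0.0.1", "::1"}

# Methods that the vhost above serves without authentication.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def authenticated_user(environ: dict) -> Optional[str]:
    """Return the user the web server authenticated, or None for anonymous.

    REMOTE_USER is set by the server process itself and cannot be injected by
    a client, so it is trusted as-is. A forwarded header (HTTP_X_REMOTE_USER)
    is client-controllable, so it is honoured only when the request really
    came from a trusted proxy that overwrites it on every request.
    """
    user = environ.get("REMOTE_USER")
    if user:
        return user
    if environ.get("REMOTE_ADDR") in TRUSTED_PROXIES:
        forwarded = environ.get("HTTP_X_REMOTE_USER")
        if forwarded:
            return forwarded
    return None


def authorize(environ: dict) -> Tuple[int, Optional[str]]:
    """Decide a request: (HTTP status, user).

    Safe methods are allowed for everyone (the public read-only side);
    anything else needs a user established by the web server (the RW side).
    """
    user = authenticated_user(environ)
    method = environ.get("REQUEST_METHOD", "GET").upper()
    if method in SAFE_METHODS:
        return 200, user
    if user is None:
        return 401, None
    return 200, user


def app(environ, start_response):
    """Minimal WSGI app wired to the decision above."""
    status, user = authorize(environ)
    if status == 401:
        # Apache already challenges for non-safe methods; this is the app's
        # own backstop if the vhost is misconfigured to let them through.
        start_response("401 Unauthorized", [("WWW-Authenticate", 'Basic realm="Wikimedia LDAP"')])
        return [b"authentication required\n"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    who = user or "anonymous"
    return [f"{environ.get('REQUEST_METHOD')} as {who}\n".encode()]


if __name__ == "__main__":
    # Constructed sample environs standing in for Apache/mod_wsgi requests.
    samples = [
        {"REQUEST_METHOD": "GET"},                                         # anonymous read
        {"REQUEST_METHOD": "POST"},                                        # anonymous write
        {"REQUEST_METHOD": "POST", "REMOTE_USER": "gtisza"},               # LDAP-authenticated write
        {"REQUEST_METHOD": "POST", "REMOTE_ADDR": "203.0.113.5",
         "HTTP_X_REMOTE_USER": "gtisza"},                                  # spoofed header from a client
    ]
    for env in samples:
        print(env, "->", authorize(env))
```

The spoofed-header case is the one to watch if nginx stays in front of Apache or the app is proxied rather than run under mod_wsgi: a client-supplied `X-Remote-User` must be dropped or overwritten at the proxy, otherwise anyone can name a user. Django's documentation makes the same point about its `RemoteUserMiddleware`.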
Change 240949 abandoned by Gergő Tisza:
LDAP support
Reason:
Abandoning Sentry patches; there are no short-term plans for using Sentry, and they are now too stale to be useful anyway.
Change 250374 abandoned by Gergő Tisza:
[operations/puppet@production] [WIP] LDAP auth for Sentry via REMOTE_USER
Reason:
We abandoned the idea of using Sentry in production. See T106915.