Enabling the OAuth2 Proxy service

Enable the OAuth2 Proxy service to provide single sign-on (SSO) access to the Dashboard and the Ceph cluster. You can enable the oauth2-proxy service either with cephadm CLI commands or with a service specification file.

Before you begin

Before you begin, make sure that you have the following prerequisites in place:

About this task

Find the oauth2-proxy container image by running the ceph config get command.
ceph config get mgr mgr/cephadm/container_image_oauth2_proxy
Storage administrators can specify a custom image by changing the container_image_oauth2_proxy cephadm module option. If oauth2-proxy daemons are already running, you must redeploy them so that they use the new image.
ceph config set mgr mgr/cephadm/container_image_oauth2_proxy NEW_OAUTH2_PROXY_IMAGE
ceph orch redeploy oauth2-proxy

Enabling the OAuth2 Proxy service with the command-line interface

Procedure

  1. Deploy the oauth2-proxy service.
    ceph orch apply oauth2-proxy [--placement=DESTINATION_HOST]
    For example,
    [ceph: root@host01 /]# ceph orch apply oauth2-proxy --placement=host01
  2. Verify that the service was correctly deployed.

Enabling the OAuth2 Proxy service with a service specification file

Before you begin

Before enabling the OAuth2 Proxy service, make sure that you have the following for each Ceph node on which the oauth2-proxy service will run.
  • Your client ID.
  • The OIDC issuer URL.
  • Client secret.
  • The relevant domain addresses to allow.
    Note: The domain can be the same as or different from the oidc_issuer_url.
  • A running IBM Storage Ceph cluster.
  • (Optional) The host HTTPS address and host port.
  • (Optional) Cookie secret.
  • (Optional) SSL certificates and certificate keys.

For more information about SSL protocols, ciphers, certificates, and certificate keys, see the Deploying web servers and reverse proxies section in the Red Hat Enterprise Linux documentation.

Procedure

  1. Create a YAML file for the oauth2-proxy service.
    For example,
    [root@host01 ~]# touch oauth2-proxy.yaml
  2. Edit the YAML file to include the following details.
    service_type: oauth2-proxy
    service_id: auth-proxy
    placement:
      hosts:
        - <target-node>
    spec:
      https_address: HTTPS_ADDRESS:PORT
      provider_display_name: MY OIDC PROVIDER
      client_id: CLIENT_ID
      oidc_issuer_url: OIDC_ISSUER_URL
      allowlist_domains:
        - HTTPS_ADDRESS:PORT
      client_secret: CLIENT_SECRET
      cookie_secret: COOKIE_SECRET
      ssl_cert: |
        -----BEGIN CERTIFICATE-----
        < YOUR CERT DATA HERE >
        -----END CERTIFICATE-----
      ssl_key: |
        -----BEGIN RSA PRIVATE KEY-----
        < YOUR PRIVATE KEY DATA HERE >
        -----END RSA PRIVATE KEY-----

    For example,
    service_type: oauth2-proxy
    service_id: auth-proxy
    placement:
      hosts:
        - ceph0
    spec:
      https_address: "0.0.0.0:4180"
      provider_display_name: "My OIDC Provider"
      client_id: "your-client-id"
      oidc_issuer_url: "http://192.168.100.1:5556/realms/ceph"
      allowlist_domains:
        - 192.168.100.1:8080
        - 192.168.200.1:5000
      client_secret: "your-client-secret"
      cookie_secret: "your-cookie-secret"
      ssl_cert: |
        -----BEGIN CERTIFICATE-----
        MIIDtTCCAp2gAwIBAgIYMC4xNzc1NDQxNjEzMzc2MjMyXzxvQ7EcMA0GCSqGSIb3
        DQEBCwUAMG0xCzAJBgNVBAYTAlVTMQ0wCwYDVQQIDARVdGFoMRcwFQYDVQQHDA5T
        [...]
        -----END CERTIFICATE-----
      ssl_key: |
        -----BEGIN PRIVATE KEY-----
        MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC5jdYbjtNTAKW4
        /CwQr/7wOiLGzVxChn3mmCIF3DwbL/qvTFTX2d8bDf6LjGwLYloXHscRfxszX/4h
        [...]
        -----END PRIVATE KEY-----
    Table 1 lists the fields that are specific to the oauth2-proxy service section of the spec file (ceph.deployment.service_spec.OAuth2ProxySpec).
    Table 1. oauth2-proxy specific fields in the spec file
    Field | Description
    allowlist_domains | List of allowed domains for safe redirection after login or logout, preventing unauthorized redirects. This can be the same as or different from the oidc_issuer_url.
    client_id | The client ID for authenticating with the identity provider.
    client_secret | The client secret for authenticating with the identity provider.
    cookie_secret | The secret key used for signing cookies. Its length must be 16, 24, or 32 bytes so that oauth2-proxy can create an AES cipher from it.
    https_address | The address for HTTPS connections, formatted as host:port.
    networks | A list of network identities that instruct the daemons to bind only on the networks in that list. You can add multiple networks if the cluster is distributed across multiple networks.
    oidc_issuer_url | The URL of the OpenID Connect (OIDC) issuer.
    placement | For the orchestrator to deploy a service, it needs to know where to deploy daemons and how many to deploy. This is the role of a placement specification. Placement specifications can be passed either as command-line arguments or in a YAML file. For more information, see Managing services.
    provider_display_name | The display name for the identity provider (IdP) in the UI.
    redirect_url | Optional. The URL that oauth2-proxy redirects to after a successful login. If not provided, cephadm automatically calculates the value of this URL.
    ssl_cert | Optional. The multi-line SSL certificate for encrypting communications.
    ssl_key | Optional. The multi-line SSL certificate private key for decrypting communications.
  3. Apply the specification file.
    [root@host01 ~]# ceph orch apply -i oauth2-proxy.yaml
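The following Python script is an added example, not part of this documentation or of cephadm: it renders the oauth2-proxy specification from a dictionary and enforces the constraints from Table 1 (required fields, host:port format for https_address, and the 16/24/32-byte cookie_secret length) before the file is applied. The function names, the sample values and the plain-http warning are assumptions of this example.

```python
import re
import secrets

COOKIE_SECRET_LENGTHS = (16, 24, 32)  # AES key sizes oauth2-proxy accepts for cookie_secret
HOST_PORT = re.compile(r"^[A-Za-z0-9.\-]+:\d{1,5}$")  # https_address is host:port
REQUIRED = ("client_id", "client_secret", "oidc_issuer_url", "https_address", "allowlist_domains")

def new_cookie_secret() -> str:
    """32 random hex chars: 32 bytes as text, 24 bytes if base64-decoded, valid either way."""
    return secrets.token_hex(16)

def check_spec(spec: dict):
    """Return (errors, warnings) for the spec: section of an oauth2-proxy YAML."""
    errors, warnings = [], []
    for key in REQUIRED:
        if not spec.get(key):
            errors.append(f"{key} is required")
    if spec.get("https_address") and not HOST_PORT.match(spec["https_address"]):
        errors.append("https_address must be host:port")
    if len(spec.get("cookie_secret", "").encode()) not in COOKIE_SECRET_LENGTHS:
        errors.append("cookie_secret must be 16, 24 or 32 bytes")
    if spec.get("oidc_issuer_url", "").startswith("http://"):
        warnings.append("oidc_issuer_url is plain http: OIDC traffic to the IdP is unencrypted")
    return errors, warnings

def render_spec(spec: dict, host: str, service_id: str = "auth-proxy") -> str:
    """Render the cephadm service specification; refuses to emit one with hard errors."""
    errors, _ = check_spec(spec)
    if errors:
        raise ValueError("; ".join(errors))
    lines = ["service_type: oauth2-proxy", f"service_id: {service_id}",
             "placement:", "  hosts:", f"    - {host}", "spec:"]
    for key in ("https_address", "provider_display_name", "client_id",
                "oidc_issuer_url", "client_secret", "cookie_secret"):
        if key in spec:
            lines.append(f'  {key}: "{spec[key]}"')
    lines.append("  allowlist_domains:")
    lines += [f"    - {d}" for d in spec["allowlist_domains"]]
    for key in ("ssl_cert", "ssl_key"):  # multi-line PEM blocks go in a YAML literal block
        if key in spec:
            lines.append(f"  {key}: |")
            lines += ["    " + pem for pem in spec[key].strip().splitlines()]
    return "\n".join(lines) + "\n"

SAMPLE = {  # constructed sample values mirroring the page's example; not a real deployment
    "https_address": "0.0.0.0:4180", "provider_display_name": "My OIDC Provider",
    "client_id": "your-client-id", "client_secret": "your-client-secret",
    "oidc_issuer_url": "https://idp.example.internal/realms/ceph",
    "allowlist_domains": ["192.168.100.1:8080", "192.168.200.1:5000"],
    "cookie_secret": new_cookie_secret()}
```

Write the output of render_spec(SAMPLE, host="ceph0") to oauth2-proxy.yaml and apply it with ceph orch apply -i as in step 3.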