puppetboard
UI Authentication
Actually, the puppetboard UI is unprotected. Would it be possible to provide an auth mechanism? For example SAML, OAuth or LDAP?
This can be done with webserver configuration.
You mean directly in the puppetboard conf? Is there any doc related to it?
The WSGI application is typically served by a webserver (e.g. apache + mod_wsgi; apache + passenger; etc.) or behind a proxy (e.g. apache; nginx; etc.).
Authentication can rarely be one-size-fits-all: some users want static user+password with basic HTTP authentication; some want to authenticate against an LDAP directory and only allow members of a specific group; others want to authenticate with client TLS certificates; some want MFA, and so on.
The usual approach here is to set up this authentication yourself in your puppetboard profile. Here is the conf I use with nginx + passenger for certificate-based authentication:
```puppet
# site-modules/profile/manifests/puppetboard.pp
class profile::puppetboard {
  include profile::nginx

  $hostname = 'puppetboard.example.com'
  $puppetboard_path = '/srv/www/puppetboard.example.com'

  dehydrated::certificate { $hostname:
  }

  class { 'puppetboard':
    basedir => $puppetboard_path,
    offline_mode => true,
    puppetdb_port => 8079,
    manage_selinux => false,
    manage_virtualenv => false,
    python_version => '3.6',
    unresponsive => 3,
    extra_settings => {
      'DAILY_REPORTS_CHART_DAYS' => 14,
      'GRAPH_FACTS' => [
        'aio_agent_version',
        'apache_version',
        # ...
        'zfs_version',
        'zpool_version',
      ],
      # lint:ignore:140chars
      'INVENTORY_FACTS' => "[('Hostname', 'fqdn'), ('Customer', 'customer'), ('OS Family', 'osfamily'), ('Kernel Version', 'kernelrelease'), ('Puppet Version', 'puppetversion')]",
      # lint:endignore
    },
    notify => Service['nginx'],
  }

  file { '/srv/www/puppetboard.example.com/puppetboard/wsgi.py':
    ensure => file,
    mode => '0755',
    content => @(WSGI),
      from __future__ import absolute_import
      import os
      from puppetboard.app import app as application
      | WSGI
  }

  nginx::resource::server { $hostname:
    ssl_cert => "/home/dehydrated/certs/${hostname}/fullchain.pem",
    ssl_key => "/home/dehydrated/certs/${hostname}/privkey.pem",
    ssl_verify_client => 'on', # <--- Fit my auth needs
    ssl_client_cert => "${settings::ssldir}/certs/ca.pem", # <--- Fit my auth needs
    ssl_crl => "${settings::ssldir}/crl.pem", # <--- Fit my auth needs
    server_name => [
      $hostname,
    ],
    use_default_location => false,
    server_cfg_prepend => {
      passenger_app_root => "${puppetboard_path}/puppetboard",
      passenger_app_type => 'wsgi',
      passenger_startup_file => 'wsgi.py',
      passenger_python => "${puppetboard_path}/virtenv-puppetboard/bin/python3",
      passenger_user => 'puppetboard',
      passenger_group => 'puppetboard',
      passenger_enabled => 'on',
      passenger_min_instances => 1,
      passenger_env_var => {
        'PUPPETBOARD_SETTINGS' => "${puppetboard_path}/puppetboard/settings.py",
      },
    },
    www_root => "${puppetboard_path}/puppetboard/public",
  }

  nginx::resource::location { "${hostname} /static":
    server => $hostname,
    location => '/static',
    www_root => "${puppetboard_path}/puppetboard/puppetboard",
  }
}
```
I am running it in Kubernetes as a pod and I would like to use a static username/password. How can I do it? If anyone has any idea, could you please share?
UPDATE: I have fixed it by adding gatekeeper.
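The static user+password option discussed in this thread can also be enforced inside `wsgi.py` by wrapping the WSGI callable before the server sees it. This is an added example, not code from the thread or from puppetboard: `BasicAuthMiddleware`, `hash_password`, `ITERATIONS` and the demo credentials are assumptions, and `stand_in_app` is a constructed placeholder for `puppetboard.app.app`.

```python
import base64
import binascii
import hashlib
import hmac

ITERATIONS = 200_000  # PBKDF2 work factor (assumed value for this example)

def hash_password(password: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)

class BasicAuthMiddleware:
    """Answer 401 unless the request carries the configured Basic credentials."""

    def __init__(self, app, username, salt, password_hash, realm="puppetboard"):
        self.app, self.username = app, username
        self.salt, self.password_hash, self.realm = salt, password_hash, realm

    def _authorized(self, header):
        scheme, _, token = header.partition(" ")
        if scheme.lower() != "basic":
            return False
        try:
            user, sep, password = base64.b64decode(token, validate=True).partition(b":")
        except (binascii.Error, ValueError):
            return False  # malformed base64 is treated as missing credentials
        # Run both constant-time comparisons so a wrong username exits no earlier.
        user_ok = hmac.compare_digest(user, self.username.encode())
        pass_ok = hmac.compare_digest(hash_password(password, self.salt), self.password_hash)
        return bool(sep) and user_ok and pass_ok

    def __call__(self, environ, start_response):
        if self._authorized(environ.get("HTTP_AUTHORIZATION", "")):
            environ["REMOTE_USER"] = self.username
            return self.app(environ, start_response)
        headers = [("WWW-Authenticate", f'Basic realm="{self.realm}"'), ("Content-Type", "text/plain")]
        start_response("401 Unauthorized", headers)
        return [b"Authentication required\n"]

def stand_in_app(environ, start_response):
    """Constructed placeholder for `from puppetboard.app import app`."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"dashboard\n"]

# Constructed demo credentials; a deployment would load salt and hash from a secret.
SALT = b"constructed-salt"
application = BasicAuthMiddleware(stand_in_app, "ops", SALT, hash_password(b"s3cret", SALT))
```

Basic credentials travel base64-encoded on every request, so serve the wrapped app only over TLS, as the nginx server block above already does.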