Skip to content

Add DEX support to openondemand role #862

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
sjpb wants to merge 2 commits into
base: main
Choose a base branch
from
Draft

Add DEX support to openondemand role #862

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
a5ed715
add DEX support for ondemand
sjpb Dec 9, 2025
79ccb54
fix merge conflicts
sjpb Dec 11, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
36 changes: 31 additions & 5 deletions ansible/roles/openondemand/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,8 @@ This uses the [osc.ood](https://github.com/OSC/ood-ansible) Ansible role to prov
- The `openondemand` node, i.e. the node which will host the Open Ondemand server/portal must:
- Have the slurm packages (e.g. `sinfo` etc) installed and be able to contact the Slurm controller (e.g. add this node to the `login` group).
- Have access to any cluster shared filesystems.
- Open Ondemand's authentication maps authenticated users (e.g. via OIDC) to local users on the `openondemand` node (see `openondemand_mapping_users`). You must therefore ensure that whatever is providing users for the cluster covers the `openondemand` node, e.g. if using `basic_users` role ensure the group for this includes the `openondemand` group.
- Open Ondemand's authentication maps authenticated users (e.g. via OIDC) to local users on the `openondemand` node.
Therefore whatever mechanism provides cluster users (e.g. `basic_users`, `freeipa`, `ldap` via sssd) must cover the `openondemand` node.

## Role Variables

Expand All @@ -27,10 +28,8 @@ This uses the [osc.ood](https://github.com/OSC/ood-ansible) Ansible role to prov

See the Open Ondemand [Authentication docs](https://osc.github.io/ood-documentation/latest/authentication/overview.html) for an overview of the authentication process.

- `openondemand_auth`: Required. Authentication method, either `'oidc'` or `'basic_pam'`. See relevant subsection below.
- `openondemand_mapping_users`: Required for `openondemand_auth=='oidc'`. A list of dicts defining mappings between remote authenticated usernames and local system usernames - see the Open Ondemand [user mapping docs](https://osc.github.io/ood-documentation/latest/authentication/overview/map-user.html). Each dict should have the following keys:
- `name`: A local (existing) user account
- `openondemand_username`: The remote authenticated username. See also `openondemand_oidc_remote_user_claim` if using OIDC authentication.
- `openondemand_auth`: Required. Authentication method, either `'oidc'`, `dex`
or `'basic_pam'`. See relevant subsection below.

#### OIDC authentication

Expand All @@ -45,6 +44,33 @@ The following variables are active when `openondemand_auth` is `oidc`. This role

The OIDC provider should be configured to redirect to `https://{{ openondemand_servername }}/oidc` with scopes as appropriate for `openondemand_oidc_scope`.

When using OIDC the remote user must be mapped to a local Linux user. The default
is to map the entire remote user claim string to the local username. See the
Open Ondemand [user mapping docs](https://osc.github.io/ood-documentation/latest/authentication/overview/map-user.html)
for more. The [osc.ood role](https://github.com/OSC/ood-ansible) variables such
as `user_map_match` may be set directly if necessary.

#### DEX authentication
This runs DEX on the Open Ondemand host to provide an OIDC endpoint which federates
from some other identity provider. Generally no OIDC configuration is required.
Dex configuration can be provided using the `dex_settings` [osc.ood role](https://github.com/OSC/ood-ansible)
variable.

**IMPORTANT** This takes a string of yaml, not actual yaml. E.g.:

```yaml
dex_settings: |
dex:
connectors:
- type: ldap
id: ldap
name: LDAP
...
```

See comments above for OIDC regarding remote user mapping. For LDAP the default
mapping is likely to be sufficent.

#### Basic/PAM authentication

This option uses HTTP Basic Authentication (i.e. browser prompt) to get a username and password. This is then checked against an existing local user using PAM. Note that HTTPS is configured by default, so the password is protected in transit, although there are [other](https://security.stackexchange.com/a/990) security concerns with Basic Authentication.
Expand Down
37 changes: 19 additions & 18 deletions ansible/roles/openondemand/defaults/main.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,8 +1,8 @@
---

# Authentication:
openondemand_auth: # "oidc" or "basic_pam"
openondemand_mapping_users: []
openondemand_auth: # "oidc", "dex" or "basic_pam"

## Variables for `openondemand_auth=oidc` :
openondemand_oidc_client_id:
openondemand_oidc_client_secret:
Expand Down Expand Up @@ -52,23 +52,28 @@
OIDCScope: "{{ openondemand_oidc_scope }}"
OIDCRemoteUserClaim: "{{ openondemand_oidc_remote_user_claim }}"
httpd_auth: # ood_portal.yml.j2
- "AuthType openid-connect"
- "Require valid-user"
- "ProxyPreserveHost On" # see under https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/
user_map_cmd: /opt/ood/ood_auth_map/bin/ood_auth_map.mapfile
user_map_match: none
- 'AuthType openid-connect'
- 'Require valid-user'
- 'ProxyPreserveHost On' # see under https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/

# Defaults for dex
dex:
oidc_uri: /oidc # has to be set separately to trigger oidc integration!
# *DON'T* set ood_auth_openidc - that will be provided automatically
httpd_auth:
- 'AuthType openid-connect'
- 'Require valid-user'
- 'ProxyPreserveHost On' # see under https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/

Check failure on line 67 in ansible/roles/openondemand/defaults/main.yml

View workflow job for this annotation

GitHub Actions / Lint / Lint

yaml[trailing-spaces] 

Trailing spaces
# Defaults for basic/PAM auth - see https://osc.github.io/ood-documentation/latest/authentication/pam.html
basic_pam:
httpd_auth: # ood_portal.yml.j2
- "AuthType Basic"
- 'AuthName "Open OnDemand"'
- "AuthBasicProvider PAM"
- "AuthPAMService ood"
- "Require valid-user"
- "ProxyPreserveHost On" # see under https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/
user_map_cmd: null
user_map_match: ".*"
- 'AuthBasicProvider PAM'
- 'AuthPAMService ood'
- 'Require valid-user'
- 'ProxyPreserveHost On' # see under https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/

# The below mapping is used to override osc.ood defaults. Keys are osc.ood variable names.
# If you need to override *these* defaults (i.e. this role's vars are not sufficent) just set the corresponding osc.ood var as normal.
Expand All @@ -93,12 +98,8 @@
- SSLCompression off
- SSLSessionTickets Off

# User mapping:
user_map_cmd: "{{ openondemand_auth_defaults[openondemand_auth | lower].user_map_cmd }}"
user_map_match: "{{ openondemand_auth_defaults[openondemand_auth | lower].user_map_match }}"

# Auth:
oidc_uri: "{{ openondemand_auth_defaults.oidc.oidc_uri if (openondemand_auth | lower) == 'oidc' else none }}"
oidc_uri: "{{ openondemand_auth_defaults.oidc.oidc_uri if (openondemand_auth | lower) in ['oidc', 'dex'] else none }}"
ood_auth_openidc: "{{ openondemand_auth_defaults.oidc.ood_auth_openidc if (openondemand_auth | lower) == 'oidc' else none }}"
httpd_auth: "{{ openondemand_auth_defaults[openondemand_auth | lower].httpd_auth }}"

Expand Down
32 changes: 8 additions & 24 deletions ansible/roles/openondemand/tasks/main.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
---
- name: Set osc.ood variables from this role's defaults if no overriding inventory var
ansible.builtin.set_fact:
# NB: When condition is important - some configurations require undefined vars
"{{ item.key }}": "{{ lookup('vars', item.key, default=item.value) }}"
loop: "{{ openondemand_osc_ood_defaults | dict2items }}"
when: (item.key in hostvars[inventory_hostname]) or (item.value)
Expand Down Expand Up @@ -98,24 +99,6 @@
dest: /etc/ood/config/pun/html/missing_home_directory.html
mode: "0644"

- name: Create mapping directory
ansible.builtin.file:
path: /etc/grid-security
state: directory
owner: root
group: apache
mode: u=rwX,g=rX,o=
when: openondemand_mapping_users

- name: Create mapping file
ansible.builtin.template:
dest: /etc/grid-security/grid-mapfile
src: grid-mapfile.j2
owner: root
group: apache
mode: u=rw,g=r,o=
when: openondemand_mapping_users

- name: Create app directories for dashboard links
ansible.builtin.file:
path: /var/www/ood/apps/sys/{{ item.app_name | default(item.name) }}
Expand All @@ -130,12 +113,13 @@
mode: "0644"
loop: "{{ openondemand_dashboard_links }}"

# - name: Ensure ondemand-dex is running and active
# service:
# name: ondemand-dex
# enabled: yes
# state: stopped
# when: false
- name: Ensure ondemand-dex is running/enabled/restarted for config changes
# Can be dropped once on a version including https://github.com/OSC/ood-ansible/pull/272
ansible.builtin.systemd:
name: ondemand-dex
enabled: yes

Check failure on line 120 in ansible/roles/openondemand/tasks/main.yml

View workflow job for this annotation

GitHub Actions / Lint / Lint

yaml[truthy] 

Truthy value should be one of [false, true]
state: restarted
when: openondemand_auth | lower == "dex"

# - name: Copy site images
# copy:
Expand Down
Loading