Add azure ad auth setup doc
Signed-off-by: byronhsu <[email protected]>
ByronHsu committed Apr 27, 2023
1 parent bf6d635 commit 9f6acd7
Showing 2 changed files with 161 additions and 56 deletions.
49 changes: 23 additions & 26 deletions doc-requirements.txt
Expand Up @@ -6,19 +6,19 @@
#
alabaster==0.7.13
# via sphinx
astroid==2.14.1
astroid==2.15.4
# via sphinx-autoapi
babel==2.11.0
babel==2.12.1
# via sphinx
beautifulsoup4==4.11.2
beautifulsoup4==4.12.2
# via
# furo
# sphinx-code-include
certifi==2022.12.7
# via requests
cfgv==3.3.1
# via pre-commit
charset-normalizer==3.0.1
charset-normalizer==3.1.0
# via requests
distlib==0.3.6
# via virtualenv
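Review bot: the doc-requirements.txt bumps in this hunk (astroid, babel, beautifulsoup4, charset-normalizer) and in the rest of this file are unrelated to the commit message "Add azure ad auth setup doc"; mixing lockfile churn into a documentation commit makes it harder to bisect a later doc-build breakage to the version bump that caused it. Suggest splitting the requirements refresh into its own commit, or at least mentioning it in the commit message so the Sphinx pins (for example sphinxcontrib-video 0.0.1.dev3 to 0.1.1) are not a surprise to whoever reviews the docs build.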
Expand All @@ -27,25 +27,25 @@ docutils==0.17.1
# sphinx
# sphinx-panels
# sphinx-tabs
filelock==3.9.0
filelock==3.12.0
# via virtualenv
furo @ git+https://github.com/flyteorg/furo@main
# via -r doc-requirements.in
googleapis-common-protos==1.58.0
googleapis-common-protos==1.59.0
# via grpcio-status
grpcio==1.48.2
# via
# -r doc-requirements.in
# grpcio-status
grpcio-status==1.48.2
# via -r doc-requirements.in
identify==2.5.17
identify==2.5.23
# via pre-commit
idna==3.4
# via requests
imagesize==1.4.1
# via sphinx
importlib-metadata==6.0.0
importlib-metadata==6.6.0
# via sphinx
jinja2==3.0.3
# via
Expand All @@ -58,26 +58,22 @@ markupsafe==2.1.2
# via jinja2
nodeenv==1.7.0
# via pre-commit
packaging==23.0
packaging==23.1
# via sphinx
pbr==5.11.1
# via sphinxcontrib-video
platformdirs==2.6.2
platformdirs==3.3.0
# via virtualenv
pre-commit==3.0.4
pre-commit==3.2.2
# via sphinx-tags
protobuf==4.21.12
protobuf==4.22.3
# via
# googleapis-common-protos
# grpcio-status
pygments==2.14.0
pygments==2.15.1
# via
# furo
# sphinx
# sphinx-prompt
# sphinx-tabs
pytz==2022.7.1
# via babel
pyyaml==6.0
# via
# pre-commit
Expand All @@ -91,7 +87,7 @@ six==1.16.0
# sphinxext-remoteliteralinclude
snowballstemmer==2.2.0
# via sphinx
soupsieve==2.3.2.post1
soupsieve==2.4.1
# via beautifulsoup4
sphinx==4.5.0
# via
Expand All @@ -107,14 +103,15 @@ sphinx==4.5.0
# sphinx-prompt
# sphinx-tabs
# sphinx-tags
# sphinxcontrib-video
# sphinxcontrib-yt
sphinx-autoapi==2.0.1
# via -r doc-requirements.in
sphinx-basic-ng==1.0.0b1
# via furo
sphinx-code-include==1.1.1
# via -r doc-requirements.in
sphinx-copybutton==0.5.1
sphinx-copybutton==0.5.2
# via -r doc-requirements.in
sphinx-fontawesome==0.0.6
# via -r doc-requirements.in
Expand All @@ -136,29 +133,29 @@ sphinxcontrib-htmlhelp==2.0.1
# via sphinx
sphinxcontrib-jsmath==1.0.1
# via sphinx
sphinxcontrib-mermaid==0.7.1
sphinxcontrib-mermaid==0.8.1
# via -r doc-requirements.in
sphinxcontrib-qthelp==1.0.3
# via sphinx
sphinxcontrib-serializinghtml==1.1.5
# via sphinx
sphinxcontrib-video==0.0.1.dev3
sphinxcontrib-video==0.1.1
# via -r doc-requirements.in
sphinxcontrib-yt==0.2.2
# via -r doc-requirements.in
sphinxext-remoteliteralinclude==0.4.0
# via -r doc-requirements.in
typing-extensions==4.4.0
typing-extensions==4.5.0
# via astroid
unidecode==1.3.6
# via sphinx-autoapi
urllib3==1.26.14
urllib3==1.26.15
# via requests
virtualenv==20.17.1
virtualenv==20.22.0
# via pre-commit
wrapt==1.14.1
wrapt==1.15.0
# via astroid
zipp==3.12.0
zipp==3.15.0
# via importlib-metadata

# The following packages are considered to be unsafe in a requirements file:
168 changes: 138 additions & 30 deletions rsts/deployment/configuration/auth_setup.rst
Expand Up @@ -271,45 +271,153 @@ To set up an external OAuth2 Authorization Server, follow the instructions below
5. Flytectl should be created with `Access Type Public` and standard flow enabled.
6. FlytePropeller should be created as an `Access Type Confidential`, standard flow enabled, and note the client ID and client Secrets provided.

.. group-tab:: Azure AD

1. Navigate to tab **Overview**, obtain ``<client id>`` and ``<tenant id>``

.. image:: ../../images/azure-ad-auth/overview.png

2. Navigate to tab **Authentication**, click ``+Add a platform``
3. Add **Web** for flyteconsole and flytepropeller, **Mobile and desktop applications** for flytectl.
4. Add URL ``https://<console-url>/callback`` as the callback for Web
5. Add URL ``http://localhost:53593/callback`` as the callback for flytectl

.. image:: ../../images/azure-ad-auth/auth-1.png

6. In **Advanced settings**, set ``Enable the following mobile and desktop flows`` to **Yes** to enable deviceflow

.. image:: ../../images/azure-ad-auth/auth-2.png

7. Navigate to tab **Certificates & secrets**, click ``+New client secret`` to create ``<client secret>``

.. image:: ../../images/azure-ad-auth/cert.png

8. Navigate to tab **Token configuration**, click ``+Add optional claim`` and create email claims for both ID and Access Token

.. image:: ../../images/azure-ad-auth/token.png

9. Navigate to tab **API permissions**, add ``email``, ``offline_access``, ``openid``, ``profile``, ``User.Read``

.. image:: ../../images/azure-ad-auth/perm.png

10. Navigate to tab **Expose an API**, Click ``+Add a scope`` and ``+Add a client application`` to create ``<custom scope>``

.. image:: ../../images/azure-ad-auth/scope.png

Apply Configuration
^^^^^^^^^^^^^^^^^^^

It is possible to direct FlyteAdmin to use an external authorization server. To do so, edit the same config map once
more and follow these changes:

.. code-block:: yaml
.. tabs::
.. group-tab:: Okta
.. code-block:: yaml
auth:
appAuth:
# 1. Choose External if you will use an external Authorization Server (e.g. a Custom Authorization server in Okta)
# Choose Self (or omit the value) to use FlyteAdmin's internal (albeit limited) Authorization Server.
authServerType: External
# 2. Optional: Set external auth server baseUrl if different from OpenId baseUrl.
externalAuthServer:
baseUrl: https://dev-14186422.okta.com/oauth2/auskngnn7uBViQq6b5d6
thirdPartyConfig:
flyteClient:
# 3. Replace with a new Native/Public Client ID provisioned in the custom authorization server.
clientId: flytectl
# This should not change
redirectUri: http://localhost:53593/callback
# 4. "all" is a required scope and must be configured in the custom authorization server.
scopes:
- offline
- all
userAuth:
openId:
baseUrl: https://dev-14186422.okta.com/oauth2/auskngnn7uBViQq6b5d6 # Okta with a custom Authorization Server
scopes:
- profile
- openid
# - offline_access # Uncomment if OIdC supports issuing refresh tokens.
clientId: <client id>
.. group-tab:: Keycloak
.. code-block:: yaml
auth:
appAuth:
# 1. Choose External if you will use an external Authorization Server (e.g. a Custom Authorization server in Okta)
# Choose Self (or omit the value) to use FlyteAdmin's internal (albeit limited) Authorization Server.
authServerType: External
# 2. Optional: Set external auth server baseUrl if different from OpenId baseUrl.
externalAuthServer:
baseUrl: https://<keycloak-url>/auth/realms/<keycloak-realm>
metadataUrl: .well-known/openid-configuration
thirdPartyConfig:
flyteClient:
# 3. Replace with a new Native/Public Client ID provisioned in the custom authorization server.
clientId: flytectl
# This should not change
redirectUri: http://localhost:53593/callback
# 4. "all" is a required scope and must be configured in the custom authorization server.
scopes:
- offline
- all
userAuth:
openId:
baseUrl: https://dev-14186422.okta.com/oauth2/auskngnn7uBViQq6b5d6 # Okta with a custom Authorization Server
scopes:
- profile
- openid
# - offline_access # Uncomment if OIdC supports issuing refresh tokens.
clientId: <client id>
.. group-tab:: Azure AD
.. code-block:: yaml
auth:
appAuth:
# 1. Choose External if you will use an external Authorization Server (e.g. a Custom Authorization server in Okta)
# Choose Self (or omit the value) to use FlyteAdmin's internal (albeit limited) Authorization Server.
authServerType: External
# 2. Optional: Set external auth server baseUrl if different from OpenId baseUrl.
externalAuthServer:
baseUrl: https://dev-14186422.okta.com/oauth2/auskngnn7uBViQq6b5d6
#baseUrl: https://<keycloak-url>/auth/realms/<keycloak-realm> # Uncomment for keycloak
#metadataUrl: .well-known/openid-configuration #Uncomment for keycloak
thirdPartyConfig:
flyteClient:
# 3. Replace with a new Native/Public Client ID provisioned in the custom authorization server.
clientId: flytectl
# This should not change
secrets:
adminOauthClientCredentials:
enabled: true
clientSecret: <client secret>
clientId: <client id>
---
configmap:
admin:
admin:
endpoint: <admin endpoint>
insecure: true
clientId: <client id>
clientSecretLocation: /etc/secrets/client_secret
scopes:
- api://<client id>/.default
useAudienceFromAdmin: true
---
auth:
appAuth:
authServerType: External
externalAuthServer:
baseUrl: https://login.microsoftonline.com/<tenant id>/v2.0/
metadataUrl: .well-known/openid-configuration
AllowedAudience:
- api://<client id>
thirdPartyConfig:
flyteClient:
clientId: <client id>
redirectUri: http://localhost:53593/callback
# 4. "all" is a required scope and must be configured in the custom authorization server.
scopes:
- offline
- all
userAuth:
openId:
baseUrl: https://dev-14186422.okta.com/oauth2/auskngnn7uBViQq6b5d6 # Okta with a custom Authorization Server
scopes:
- profile
- openid
# - offline_access # Uncomment if OIdC supports issuing refresh tokens.
clientId: 0oakkheteNjCMERst5d6
- api://<client id>/<custom-scope>
userAuth:
openId:
baseUrl: https://login.microsoftonline.com/<tenant id>/v2.0
scopes:
- openid
- profile
clientId: <client id>
.. tabs::
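Review bot: the Azure AD `group-tab` YAML under "Apply Configuration" reads like an unresolved merge of the Okta and Azure examples and will not load as one coherent config: it opens with the Okta `externalAuthServer.baseUrl` (`https://dev-14186422.okta.com/oauth2/auskngnn7uBViQq6b5d6`) and the commented Keycloak lines, interrupts `thirdPartyConfig.flyteClient` right after `# This should not change` with a `secrets:` / `adminOauthClientCredentials` block, carries two `userAuth:` sections (the first still pointing at the Okta URL with `clientId: 0oakkheteNjCMERst5d6`), and leaves `- api://<client id>/<custom-scope>` dangling with no parent key. Suggest keeping only the Azure-specific documents (the `secrets:`, `configmap:` and `auth:` sections that use `https://login.microsoftonline.com/<tenant id>/v2.0` and `api://<client id>`) and placing `scopes:` / `- api://<client id>/<custom-scope>` under `thirdPartyConfig.flyteClient` in place of `- offline` / `- all`, since step 10 of the Azure AD setup creates `<custom scope>` for exactly that purpose; the `---` separators should also say which file or Helm values section each document belongs in. Two further points in the same hunk: `configmap.admin.admin` sets `insecure: true`, which makes the client talk to FlyteAdmin without TLS and so sends bearer tokens in the clear, so it should be `false` in a published example or carry a comment that it is for local testing only; and the stray `.. code-block:: yaml` immediately before `.. tabs::` plus the trailing `.. tabs::` after the Azure AD tab are leftover directives that will produce an empty block or a Sphinx warning. The Keycloak tab's `userAuth.openId.baseUrl` also still points at the Okta URL rather than `https://<keycloak-url>/auth/realms/<keycloak-realm>`.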
