Add azure ad auth setup doc #3625

Merged
merged 2 commits into from
May 24, 2023
51 changes: 24 additions & 27 deletions doc-requirements.txt
@@ -6,19 +6,19 @@
#
alabaster==0.7.13
# via sphinx
astroid==2.14.1
astroid==2.15.4
# via sphinx-autoapi
babel==2.11.0
babel==2.12.1
# via sphinx
beautifulsoup4==4.11.2
beautifulsoup4==4.12.2
# via
# furo
# sphinx-code-include
certifi==2022.12.7
# via requests
cfgv==3.3.1
# via pre-commit
charset-normalizer==3.0.1
charset-normalizer==3.1.0
# via requests
distlib==0.3.6
# via virtualenv
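Review bot: the dependency bumps in doc-requirements.txt (astroid, babel, beautifulsoup4, charset-normalizer and the rest of this file) are unrelated to the Azure AD documentation this PR adds; if they are the output of a fresh `pip-compile` run, say so in the PR description or move them to a separate PR so the doc change can be reviewed and, if needed, reverted on its own.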
@@ -27,25 +27,25 @@ docutils==0.17.1
# sphinx
# sphinx-panels
# sphinx-tabs
filelock==3.9.0
filelock==3.12.0
# via virtualenv
furo @ git+https://github.com/flyteorg/furo@main
# via -r doc-requirements.in
googleapis-common-protos==1.58.0
googleapis-common-protos==1.59.0
# via grpcio-status
grpcio==1.48.2
# via
# -r doc-requirements.in
# grpcio-status
grpcio-status==1.48.2
# via -r doc-requirements.in
identify==2.5.17
identify==2.5.23
# via pre-commit
idna==3.4
# via requests
imagesize==1.4.1
# via sphinx
importlib-metadata==6.0.0
importlib-metadata==6.6.0
# via sphinx
jinja2==3.0.3
# via
@@ -58,26 +58,22 @@ markupsafe==2.1.2
# via jinja2
nodeenv==1.7.0
# via pre-commit
packaging==23.0
packaging==23.1
# via sphinx
pbr==5.11.1
# via sphinxcontrib-video
platformdirs==2.6.2
platformdirs==3.3.0
# via virtualenv
pre-commit==3.0.4
pre-commit==3.2.2
# via sphinx-tags
protobuf==4.21.12
protobuf==4.22.3
# via
# googleapis-common-protos
# grpcio-status
pygments==2.14.0
pygments==2.15.1
# via
# furo
# sphinx
# sphinx-prompt
# sphinx-tabs
pytz==2022.7.1
# via babel
pyyaml==6.0
# via
# pre-commit
@@ -93,7 +89,7 @@ six==1.16.0
# sphinxext-remoteliteralinclude
snowballstemmer==2.2.0
# via sphinx
soupsieve==2.3.2.post1
soupsieve==2.4.1
# via beautifulsoup4
sphinx==4.5.0
# via
@@ -109,14 +105,15 @@ sphinx==4.5.0
# sphinx-prompt
# sphinx-tabs
# sphinx-tags
# sphinxcontrib-youtube
# sphinxcontrib-video
# sphinxcontrib-yt
sphinx-autoapi==2.0.1
# via -r doc-requirements.in
sphinx-basic-ng==1.0.0b1
# via furo
sphinx-code-include==1.1.1
# via -r doc-requirements.in
sphinx-copybutton==0.5.1
sphinx-copybutton==0.5.2
# via -r doc-requirements.in
sphinx-fontawesome==0.0.6
# via -r doc-requirements.in
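Review bot: the `via` list under `sphinx` now names `sphinxcontrib-yt`, but no pin for `sphinxcontrib-yt` is visible anywhere in this diff, while `sphinxcontrib-youtube==1.2.0` is still pinned further down; confirm that `doc-requirements.in` really declares both and that this is not a stale entry left over from regenerating the lockfile.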
@@ -138,29 +135,29 @@ sphinxcontrib-htmlhelp==2.0.1
# via sphinx
sphinxcontrib-jsmath==1.0.1
# via sphinx
sphinxcontrib-mermaid==0.7.1
sphinxcontrib-mermaid==0.8.1
# via -r doc-requirements.in
sphinxcontrib-qthelp==1.0.3
# via sphinx
sphinxcontrib-serializinghtml==1.1.5
# via sphinx
sphinxcontrib-video==0.0.1.dev3
sphinxcontrib-video==0.1.1
# via -r doc-requirements.in
sphinxcontrib-youtube==1.2.0
# via -r doc-requirements.in
sphinxext-remoteliteralinclude==0.4.0
# via -r doc-requirements.in
typing-extensions==4.4.0
typing-extensions==4.5.0
# via astroid
unidecode==1.3.6
# via sphinx-autoapi
urllib3==1.26.14
urllib3==1.26.15
# via requests
virtualenv==20.17.1
virtualenv==20.22.0
# via pre-commit
wrapt==1.14.1
wrapt==1.15.0
# via astroid
zipp==3.12.0
zipp==3.15.0
# via importlib-metadata

# The following packages are considered to be unsafe in a requirements file:
149 changes: 119 additions & 30 deletions rsts/deployment/configuration/auth_setup.rst
@@ -271,45 +271,134 @@ To set up an external OAuth2 Authorization Server, follow the instructions below
5. Flytectl should be created with `Access Type Public` and standard flow enabled.
6. FlytePropeller should be created as an `Access Type Confidential`, standard flow enabled, and note the client ID and client Secrets provided.

.. group-tab:: Azure AD

1. Navigate to tab **Overview**, obtain ``<client id>`` and ``<tenant id>``
2. Navigate to tab **Authentication**, click ``+Add a platform``
3. Add **Web** for flyteconsole and flytepropeller, **Mobile and desktop applications** for flytectl.
4. Add URL ``https://<console-url>/callback`` as the callback for Web
5. Add URL ``http://localhost:53593/callback`` as the callback for flytectl
6. In **Advanced settings**, set ``Enable the following mobile and desktop flows`` to **Yes** to enable deviceflow
7. Navigate to tab **Certificates & secrets**, click ``+New client secret`` to create ``<client secret>``
8. Navigate to tab **Token configuration**, click ``+Add optional claim`` and create email claims for both ID and Access Token
9. Navigate to tab **API permissions**, add ``email``, ``offline_access``, ``openid``, ``profile``, ``User.Read``
10. Navigate to tab **Expose an API**, Click ``+Add a scope`` and ``+Add a client application`` to create ``<custom scope>``


Apply Configuration
^^^^^^^^^^^^^^^^^^^

It is possible to direct FlyteAdmin to use an external authorization server. To do so, edit the same config map once
more and follow these changes:

.. code-block:: yaml
.. tabs::
.. group-tab:: Okta
.. code-block:: yaml

auth:
appAuth:
# 1. Choose External if you will use an external Authorization Server (e.g. a Custom Authorization server in Okta)
# Choose Self (or omit the value) to use FlyteAdmin's internal (albeit limited) Authorization Server.
authServerType: External

# 2. Optional: Set external auth server baseUrl if different from OpenId baseUrl.
externalAuthServer:
baseUrl: https://dev-14186422.okta.com/oauth2/auskngnn7uBViQq6b5d6
#baseUrl: https://<keycloak-url>/auth/realms/<keycloak-realm> # Uncomment for keycloak
#metadataUrl: .well-known/openid-configuration #Uncomment for keycloak

thirdPartyConfig:
flyteClient:
# 3. Replace with a new Native/Public Client ID provisioned in the custom authorization server.
clientId: flytectl
# This should not change
auth:
appAuth:
# 1. Choose External if you will use an external Authorization Server (e.g. a Custom Authorization server in Okta)
# Choose Self (or omit the value) to use FlyteAdmin's internal (albeit limited) Authorization Server.
authServerType: External

# 2. Optional: Set external auth server baseUrl if different from OpenId baseUrl.
externalAuthServer:
baseUrl: https://dev-14186422.okta.com/oauth2/auskngnn7uBViQq6b5d6

thirdPartyConfig:
flyteClient:
# 3. Replace with a new Native/Public Client ID provisioned in the custom authorization server.
clientId: flytectl
# This should not change
redirectUri: http://localhost:53593/callback
# 4. "all" is a required scope and must be configured in the custom authorization server.
scopes:
- offline
- all

userAuth:
openId:
baseUrl: https://dev-14186422.okta.com/oauth2/auskngnn7uBViQq6b5d6 # Okta with a custom Authorization Server
scopes:
- profile
- openid
# - offline_access # Uncomment if OIdC supports issuing refresh tokens.
clientId: <client id>
.. group-tab:: Keycloak
.. code-block:: yaml

auth:
appAuth:
# 1. Choose External if you will use an external Authorization Server (e.g. a Custom Authorization server in Okta)
# Choose Self (or omit the value) to use FlyteAdmin's internal (albeit limited) Authorization Server.
authServerType: External

# 2. Optional: Set external auth server baseUrl if different from OpenId baseUrl.
externalAuthServer:
baseUrl: https://<keycloak-url>/auth/realms/<keycloak-realm>
metadataUrl: .well-known/openid-configuration

thirdPartyConfig:
flyteClient:
# 3. Replace with a new Native/Public Client ID provisioned in the custom authorization server.
clientId: flytectl
# This should not change
redirectUri: http://localhost:53593/callback
# 4. "all" is a required scope and must be configured in the custom authorization server.
scopes:
- offline
- all

userAuth:
openId:
baseUrl: https://dev-14186422.okta.com/oauth2/auskngnn7uBViQq6b5d6 # Okta with a custom Authorization Server
scopes:
- profile
- openid
# - offline_access # Uncomment if OIdC supports issuing refresh tokens.
clientId: <client id>
.. group-tab:: Azure AD
.. code-block:: yaml

secrets:
adminOauthClientCredentials:
enabled: true
clientSecret: <client secret>
clientId: <client id>
---
configmap:
admin:
admin:
endpoint: <admin endpoint>
insecure: true
clientId: <client id>
clientSecretLocation: /etc/secrets/client_secret
scopes:
- api://<client id>/.default
useAudienceFromAdmin: true
---
auth:
appAuth:
authServerType: External
externalAuthServer:
baseUrl: https://login.microsoftonline.com/<tenant id>/v2.0/
metadataUrl: .well-known/openid-configuration
AllowedAudience:
- api://<client id>
thirdPartyConfig:
flyteClient:
clientId: <client id>
redirectUri: http://localhost:53593/callback
# 4. "all" is a required scope and must be configured in the custom authorization server.
scopes:
- offline
- all

userAuth:
openId:
baseUrl: https://dev-14186422.okta.com/oauth2/auskngnn7uBViQq6b5d6 # Okta with a custom Authorization Server
scopes:
- profile
- openid
# - offline_access # Uncomment if OIdC supports issuing refresh tokens.
clientId: 0oakkheteNjCMERst5d6
- api://<client id>/<custom-scope>

userAuth:
openId:
baseUrl: https://login.microsoftonline.com/<tenant id>/v2.0
scopes:
- openid
- profile
clientId: <client id>

.. tabs::

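Review bot: the Azure AD tab sets `insecure: true` on the admin endpoint, which, as the name says, disables transport security on the connection that carries the client secret and the bearer tokens; either drop that line from the example or add a comment that it is for local testing only and must be `false` in a real deployment. Two smaller points: `AllowedAudience` is the only key in the snippet not written in camelCase, so `allowedAudience` would match the surrounding config; and the three `---`-separated documents (`secrets:`, `configmap:`, `auth:`) have a different shape from the Okta and Keycloak tabs, which show only the `auth:` block, so a sentence explaining that these are Helm values sections and where each one lands would help readers who are editing the config map directly.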