X-Git-Url: https://piware.de/gitweb/?p=talk-cockpit-auth-anywhere.git;a=blobdiff_plain;f=cockpit-auth-anywhere.md;h=bc8783d7f8c4e8b4e86425826f6c7f29e0bff1af;hp=b5a53c27f70e77f33144550773449f7da814dff4;hb=e52f6b0fe3eaa8638c13d482f20a2e4c7c98e4a4;hpb=a32ed785e042fc3b9030f8664f1feb1f582e98b6 diff --git a/cockpit-auth-anywhere.md b/cockpit-auth-anywhere.md index b5a53c2..bc8783d 100644 --- a/cockpit-auth-anywhere.md +++ b/cockpit-auth-anywhere.md @@ -7,7 +7,6 @@ date: DevConv.CZ 2020 theme: Singapore header-includes: - \setbeameroption{show notes} - - \newcommand{\fullsizeimg}[1]{\makebox[\linewidth]{\includegraphics[width=\paperwidth]{#1}}} ... # Cockpit what? @@ -52,8 +51,10 @@ resize2fs /dev/vg0/data1 - Quit virt-viewer - Move to local browser, enable mobile mode (Ctrl+Shift+M) - Zero configuration so far, other than possibly installing cockpit pkg and enabling cockpit.socket +- But wait, you say -- want to admin that server over there, but not allowed to + open new port and system service? - In larger environments it's impractical to install cockpit server on hundreds - of machines and using the login web page + of machines and using the login web page; better solution: piggyback on ssh - Glimpse of how to customize how cockpit runs and how to authenticate to it ::: @@ -139,7 +140,7 @@ RequireHost=true - SSO/Kerberos in Identity Management domains - smart card/client certificate authentication -- OAuth (Kubernetes) +- OAuth (external embedding) - Foreman: included cockpit-ws with dynamic configuration TODO: foreman screenshot 
@@ -150,17 +151,72 @@ TODO: foreman screenshot without the login page - browsers can ask for TLS client certificates, commonly with smart cards, and present them to the web server; latest Cockpit versions supports that -- Foreman has a "Web Console" button; already has ssh to all maintained - machines +- Foreman has a "Web Console" button; interesting case for seamless transition + between Foreman and Cockpit +- already has ssh to all maintained machines - runs a single cockpit-ws process on its server, and dynamically configures it - for selected target machine, seamless transition between Foreman and Cockpit + for selected target machine +- custom cockpit session helper to do OAuth between Foreman session and + cockpit-ws, and wrap cockpit-ssh session starter - not enough time to demo and explain all of this; just keep in mind that it's possible ::: -# Custom authentication example +# Embedding into existing session + +![local-session-unsafe](local-session-unsafe.pdf){height=60%}\ + +\footnotesize \verb!cockpit-ws -p 9999 --no-tls --local-session=/usr/bin/cockpit-bridge! + +`firefox http://localhost:9999` + +:::notes +- what I do want to show: opposite direction; "replace cockpit-session" can + also mean "by nothing" +- due to common JSON protocol, we can connect ws directly to a cockpit-bridge +- take a step back: if I want to admin this very machine, it's in a running + Linux session, it knows who I am +- put the whole auth structure inside out and instead run cockpit-ws as my user + inside my session +- open localhost:9999 in firefox +- alarm bells: exposes my session to a TCP port without any auth +::: + + +# Embedding into existing session: once more with safety! + +![local-session-unsafe](local-session.pdf){height=60%}\ + +\footnotesize \verb! ! 
+ +`/usr/libexec/cockpit-desktop [page]` + +:::notes +- need to hide that port; put browser and cockpit-ws into network namespace, + then they live in a completely isolated world +- do some work to hide browser chrome, use webkit if available +- cockpit-desktop / +- wants to run priv bridge, can accept or decline +- decline, R/O view +- can show an individual iframe, "page" +- suddenly you end up with a halfway decent desktop app +- just the storage page, replacement for gnome-disks +- cockpit-desktop podman +::: + +# Conclusion + +- Authentication is very flexible +- Works with zero configuration +- Can be arbitrarily embedded + +:::notes +- Cockpit provides a set of standard auth protocols that are being used in + today's modern deployments +- Once you know about the structure, you can combine ssh, web servers, reverse + proxies, and custom auth helpers to embed Cockpit anywhere you want +::: -TODO # Q & A
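Review bot: in the first hunk (`@@ -7,7 +7,6 @@`), dropping `\newcommand{\fullsizeimg}` from `header-includes` will break the LaTeX build if any remaining slide still invokes `\fullsizeimg{...}`; the new slides in this patch use pandoc's `![...](...){height=60%}\` image syntax instead, so please grep the rest of the deck for `\fullsizeimg` before merging, or keep the macro until the last caller is converted.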
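Review bot: in the second hunk (`@@ -52,8 +51,10 @@`), the new note bullet "But wait, you say -- want to admin that server over there, but not allowed to open new port and system service?" is a fragment that is hard to read from speaker notes; suggest "But wait, you say: I want to admin that server over there, but I'm not allowed to open a new port or add a system service?". The retained line "it's impractical to install cockpit server on hundreds of machines and using the login web page" also needs "and use" rather than "and using". The added "better solution: piggyback on ssh" reads well and sets up the later Foreman bullets.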
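Review bot: in the third hunk (`@@ -139,7 +140,7 @@`), "OAuth (external embedding)" is vaguer than the "OAuth (Kubernetes)" it replaces; since the later Foreman notes in this same patch describe "custom cockpit session helper to do OAuth between Foreman session and cockpit-ws", consider tying the bullet to that concrete case, e.g. "OAuth (external embedding, e.g. Foreman)", so the audience can connect this list entry to the example that follows.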
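Review bot: in the fourth hunk (`@@ -150,17 +151,72 @@`), the "once more with safety!" slide is left with an empty `\footnotesize \verb! !` where the counterpart command line for the safe variant should be; the unsafe slide shows `cockpit-ws -p 9999 --no-tls --local-session=/usr/bin/cockpit-bridge`, so either put the actual safe invocation there or delete the empty `\verb` so the slide renders only `/usr/libexec/cockpit-desktop [page]`. The same slide reuses the alt text `local-session-unsafe` for `local-session.pdf`, which looks like a copy-paste leftover; rename it to `local-session`. In the notes for the unsafe slide, "alarm bells: exposes my session to a TCP port without any auth" is the key security point of the whole section and deserves one more sentence stating what that means for the audience: a cockpit-bridge running with the presenter's own user privileges is reachable by anything that can open the port, with no TLS and no authentication, which is why the next slide moves browser and cockpit-ws into an isolated network namespace. It is also worth noting in the safe slide's notes that the namespace only removes network exposure; the "wants to run priv bridge, can accept or decline" / "decline, R/O view" bullets are where the actual privilege decision still happens, and that should be said explicitly so the isolation is not mistaken for a privilege boundary. Finally, the `-TODO` removal under "# Custom authentication example" is fine since the section heading itself is replaced in this hunk.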