HPCC-26643 Enable pluggable security manager via HELM config

Allow pluggable security managers (authNZ) in values.schema.json
Add yaml configuration for HTPASSWD security manager
Update LDAP README.md to better explain secret mount names

Signed-off-by: Russ Whitehead <william.whitehead@lexisnexisrisk.com>

Signed-off-by: Russ Whitehead <william.whitehead@lexisnexisrisk.com>

esp/applications/eclwatch/CMakeLists.txt

@@ -19,6 +19,7 @@ set ( ESP_APPLICATION_FILES
     ${CMAKE_CURRENT_SOURCE_DIR}/application.yaml
     ${CMAKE_CURRENT_SOURCE_DIR}/eclwatch.yaml
     ${CMAKE_CURRENT_SOURCE_DIR}/ldap_authorization_map.yaml
+    ${CMAKE_CURRENT_SOURCE_DIR}/htpasswd_authorization_map.yaml
     ${CMAKE_CURRENT_SOURCE_DIR}/plugins.yaml
 )
 

esp/applications/eclwatch/htpasswd_authorization_map.yaml

@@ -0,0 +1,12 @@
+authNZ:
+    htpasswdSecMgr:
+        name: "HTPasswdSecMgr"
+        type: "HTPasswdSecurityManager"
+        htpasswdFile: "/opt/HPCCSystems/htpasswd"
+        description: "HTPassword Security Manager"
+        libName: "/opt/HPCCSystems/lib/libhtpasswdSecurity.so"
+        instanceFactoryName: "createInstance"
+        root_access:
+            resource: SmcAccess
+            required: Read
+            description: Base access to EclWatch

esp/platform/application_config.cpp

@@ -115,7 +115,7 @@ bool addLdapSecurity(IPropertyTree *legacyEsp, IPropertyTree *appEsp, StringBuff
     StringAttr workunitsBasedn(appLdap->queryProp("@workunitsBasedn"));
     bindAuth.setf("<Authenticate method='LdapSecurity' config='%s' resourcesBasedn='%s' workunitsBasedn='%s'/>", configname.str(), resourcesBasedn.str(), workunitsBasedn.str());
 
-    VStringBuffer authenticationXml("<Authentication htpasswdFile='/etc/HPCCSystems/.htpasswd' ldapConnections='10' ldapServer='%s' method='ldaps' passwordExpirationWarningDays='10'/>", configname.str());
+    VStringBuffer authenticationXml("<Authentication ldapConnections='10' ldapServer='%s' method='ldaps' passwordExpirationWarningDays='10'/>", configname.str());
     legacyEsp->addPropTree("Authentication", createPTreeFromXMLString(authenticationXml));
     return true;
 }
@@ -131,8 +131,7 @@ bool addAuthNZSecurity(const char *name, IPropertyTree *legacyEsp, IPropertyTree
     IPropertyTree *appSecMgr = authNZ->queryPropTree("SecurityManager");
     if (!appSecMgr)
     {
-        const char *application = appEsp->queryProp("@application");
-        throw MakeStringException(-1, "Can't find SecurityManager settings configuring application '%s'.  To run without security set 'auth: none'", application ? application : "");
+        appSecMgr = authNZ;
     }
     const char *method = appSecMgr->queryProp("@name");
     const char *tag = appSecMgr->queryProp("@type");
@@ -157,7 +156,7 @@ bool addSecurity(IPropertyTree *legacyEsp, IPropertyTree *appEsp, StringBuffer &
 {
     const char *auth = appEsp->queryProp("@auth");
     if (isEmptyString(auth))
-        throw MakeStringException(-1, "'auth' attribute required.  To run without security set ''auth: none''");
+        throw MakeStringException(-1, "'auth' attribute required.  To run without security set 'auth: none'");
     if (streq(auth, "none"))
         return false;
     if (streq(auth, "ldap"))

helm/examples/ldap/README.md

@@ -1,6 +1,6 @@
 # Containerized HPCC LDAP Support
 
-These examples demonstrate how to externalize HPCC LDAP Active Directory Security Manager administrator account credentials using Kubernetes and Hashicorp Vault secrets. To use externalized credentials, you should first run the tutorial on setting up Kubernetes secrets and the Hashicorp Vault, which can be found in the README.md file in the "HPCC-Platform\helm\examples\secrets" folder.
+These examples demonstrate how to externalize HPCC LDAP Active Directory Security Manager administrator account credentials using Kubernetes and Hashicorp Vault secrets. To use externalized credentials, you should first run the tutorial on setting up Kubernetes secrets and the Hashicorp Vault, which can be found in the README.md file in the "HPCC-Platform/helm/examples/secrets" folder.
 
 Note that the LDAP Administrator account performs AD directory searches and modifications, and is the only HPCC user that must have Active Directory administrator rights.  This account should exist in the configured "systemBasedn" branch of the Active Directory, typically set to cn=Users.
 
@@ -9,29 +9,29 @@ Note that the LDAP Administrator account performs AD directory searches and modi
 
 ### Create the k8s secret
    From the CLI, create the LDAP "secret" similar to the following.
-   Make note of the secret name, "myk8sldapadmincreds" in this example.
+   Make note of the secret name, "admincredssecretname" in this example.
    The LDAP Administrator "username" and "password" key/values are required; additional properties are allowed but ignored.
 
 ```bash
-   kubectl create secret generic myk8sldapadmincreds --from-literal=username=hpcc_admin --from-literal=password=t0pS3cr3tP@ssw0rd
-   kubectl get secret myk8sldapadmincreds
+   kubectl create secret generic admincredssecretname --from-literal=username=hpcc_admin --from-literal=password=t0pS3cr3tP@ssw0rd
+   kubectl get secret admincredssecretname
 ```
-For more details on how to create secrets, see the "secrets" examples in the "HPCC-Platform\helm\examples\secrets" folder.
+For more details on how to create secrets, see the "secrets" examples in the "HPCC-Platform/helm/examples/secrets" folder.
 
 ### Deploy the k8s secret to the ECLWatch container
-   Override the HPCC-Platform\helm\hpcc\values.yaml's "secrets:" category as follows.
-   Create a unique key name used to reference the secret, and set it to the secret value ("myk8sldapadmincreds") that you created above. In this example we give the key the name "ldapadmincredskey," and optionally define an additional alternate one "ldapalternateadminkey" which could be used with another Active Directory server.
-   Note that the "ldapadmincredskey" key/value pair already exists as a default in the values.yaml file, and the key is referenced in the component's ldap.yaml file.  You may override these and add additional key/values as needed.
+   Override the HPCC-Platform/helm/hpcc/values.yaml's "secrets:" category as follows.
+   Create a unique key name used to reference the secret (this will be the mounted file system name of the secret), and set it to the secret value ("admincredssecretname") that you created above. In this example we give the key the name "admincredsmountname," and optionally define an additional alternate one "admincredsaltmountname" which could be used with another Active Directory server.
+   Note that the "admincredsmountname" key/value pair already exists as a default in the values.yaml file, and the key is referenced in the component's ldap.yaml file.  You may override these and add additional key/values as needed.
 
 ```bash
    secrets:
      authn:
-       ldapadmincredskey: "myk8sldapadmincreds"
-       ldapalternateadminkey: "myk8sldapalternateadmincreds"
+       admincredsmountname: "admincredssecretname"       #exernalize LDAP Admin creds
+       admincredsaltmountname: "admincredsaltsecretname" #exernalize alternate LDAP Admin creds
 ```
 
 ### Enable LDAP and reference the k8s secret key
-   In the HPCC-Platform\esp\applications\common\ldap\ldap.yaml file, the "ldapAdminSecretKey" is already set to the key name created above. To enable LDAP authentication and to override this value, override the ESP/ECLWatch helm component located in values.yaml as follows.
+   In the HPCC-Platform/esp/applications/common/ldap/ldap.yaml file, the "ldapAdminSecretKey" is already set to the key mount name created above. To enable LDAP authentication and to optionally override this value, override the ESP/ECLWatch helm component located in values.yaml as follows.
 
 ```bash
 esp:
@@ -40,7 +40,7 @@ esp:
   auth: ldap
   ldap:
     ldapAddress: "myldapserver"
-    ldapAdminSecretKey: "ldapalternateadminkey"
+    ldapAdminSecretKey: "admincredsaltmountname"   # use alternate secrets creds
 ```
 
 --------------------------------------------------------------------------------------------------------
@@ -57,9 +57,9 @@ esp:
    vault kv get secret/authn/myvaultadmincreds
 ```
 
-   For more details on how to create vault secrets, see the "secrets" examples in the "HPCC-Platform\helm\examples\secrets" folder.
+   For more details on how to create vault secrets, see the "secrets" examples in the "HPCC-Platform/helm/examples/secrets" folder.
 
-### Note that the vault name, my-authn-vault, was defined in the "secrets" tutorial, in the HPCC-Platform\helm\examples\secrets\values-secrets.yaml file as follows
+### Note that the vault name, my-authn-vault, was defined in the "secrets" tutorial, in the HPCC-Platform/helm/examples/secrets/values-secrets.yaml file as follows
 
 ```bash
   authn:
@@ -81,4 +81,4 @@ esp:
     ldapAddress: "myldapserver"
     ldapAdminSecretKey: "myvaultadmincreds"
     ldapAdminVaultId: "my-authn-vault"
-```
+```

helm/hpcc/values.schema.json

@@ -617,8 +617,11 @@
     },
     "auth": {
       "type": "string",
-      "description": "Authentication method",
-      "enum": ["none", "ldap"]
+      "description": "Authentication method"
+    },
+    "authNZ": {
+      "type": "object",
+      "additionalProperties": { "type": ["object"] }
     },
     "ldap": {
       "type": "object",
@@ -992,6 +995,9 @@
         "auth": {
           "$ref": "#/definitions/auth"
         },
+        "authNZ": {
+          "$ref": "#/definitions/authNZ"
+        },
         "ldap": {
           "$ref": "#/definitions/ldap"
         },

helm/hpcc/values.yaml

@@ -257,7 +257,7 @@ secrets:
 
   authn: {}
     ## Category to deploy authentication secrets to container, and to create a key name alias to reference those secrets
-    #ldapadmincredskey: "myk8sldapadmincreds"  ## Default k/v for LDAP authentication secrets
+    #ldapadmincredskey: "admincredssecretname"  ## Default k/v for LDAP authentication secrets
 
   ecl: {}
     ## Category for secrets published to all components that run ecl