Users authentication with OpenID and GitLab
If you are going to implement this type of authentication this action implies you clearly understand what you are doing.
Prerequisites
- You need to have administrative access to GitLab instance or an admin near you.
- You need to have the access to Allure Testops configuration files.
- You need to be able to apply the changes in the configuration, which could require some downtime.
- Allure Testops needs to work behind HTTPS, i.e. there must be something like reverse proxy between Allure Testops and GitLab servers. Please consult your network administrator or DevOps to ensure proper configuration on the network side.
Integration of Allure Testops and GitLab as IAM
Given
- Allure Testops is deployed and accessible on
http://allure.local
(your real URLs will be different). - GitLab URL for your organization is deployed and accessible on
https://<gitlab>
(your URLs will be different).
Creation of the new application in GitLab
- In your GitLab instance jump to Admin section
- Jump to Applications > System OAuth applications and click Add new application
- Fill the fields as follows:
- Name: Allure Testops
- Redirect URI:
https://<allure>/login/oauth2/code/gitlab
- Trusted: true
- Confidential: true
- Expire access tokens: true
- Scopes:
- openid
- profile
- Save the changes.
Results
On the previous steps we've got this:
To proceed with Allure Testops settings we need these:
- Application ID
- Secret
Copy these two attributes.
Configuring Allure Testops
To integrate Allure Testops with GitLab you need to pass the environment variables to gateway service.
See below for the deployment specific examples.
Deployment in Kubernetes
For k8s deployment you need to add the parameters to environment of gateway service of values.yaml
file used to pass user's configuration to Helm.
<snip>
services:
<snip>
gateway:
<snip>
environment:
SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_GITLAB_CLIENTNAME: GitLab
SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_GITLAB_CLIENTID: <Applicatoin ID>
SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_GITLAB_CLIENTSECRET: <Secret>
SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_GITLAB_REDIRECTURI: https://<allure>/login/oauth2/code/gitlab
SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_GITLAB_AUTHORIZATIONGRANTTYPE: authorization_code
SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_GITLAB_SCOPE: openid,profile
SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_GITLAB_USERNAMEATTRIBUTE: nickname
SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_GITLAB_TOKENURI: https://<gitlab>/oauth/token
SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_GITLAB_AUTHORIZATIONURI: https://<gitlab>/oauth/authorize
SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_GITLAB_USERINFOURI: https://<gitlab>/oauth/userinfo
SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_GITLAB_JWKSETURI: https://<gitlab>/oauth/discovery/keys
<snip>
Now, you need to update your Allure Testops configuration as usual for Kubernetes deployment using Helm's commands.
After application deployment has completed, you need to check if the authentication is working:
- Proceed to the following URL:
https://<allure>/login/openid
. - Check if the authentication is working for you.
Setting GitLab authentication as default way
This should be done only in the case, if previous check has been completed successfully.
Update uaa service settings as follows:
- add
ALLURE_LOGIN_PRIMARY: openid
services:
<snip>
uaa:
<snip>
environment:
ALLURE_LOGIN_PRIMARY: openid
<snip>
After this action will be completed, to log-in as a local Allure Testops user (e.g. admin
), you need to access the following URL: https://<allure>/login/system
.
Deployment via docker-compose
For the deployment done via docker-compose you need to update docker-compose.yml
configuration file by adding the parameters to gateway service.
Updating of the configuration requires downtime to properly stop and run the application.
gateway:
image: allure/allure-gateway:${VERSION}
environment:
# settings
<snip>
gateway:
env:
secret:
# security
SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_GITLAB_CLIENTNAME: GitLab
SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_GITLAB_CLIENTID: <Applicatoin ID>
SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_GITLAB_CLIENTSECRET: <Secret>
SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_GITLAB_REDIRECTURI: https://<allure>/login/oauth2/code/gitlab
SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_GITLAB_AUTHORIZATIONGRANTTYPE: authorization_code
SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_GITLAB_SCOPE: openid,profile
SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_GITLAB_USERNAMEATTRIBUTE: nickname
SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_GITLAB_TOKENURI: https://<gitlab>/oauth/token
SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_GITLAB_AUTHORIZATIONURI: https://<gitlab>/oauth/authorize
SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_GITLAB_USERINFOURI: https://<gitlab>/oauth/userinfo
SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_GITLAB_JWKSETURI: https://<gitlab>/oauth/discovery/keys
<snip>
Now, we need to apply the changes and check these were applied successfully. By restarting the applications using docker-compose commands.
- Stop docker-compose deployment using
docker-compose down
- Start docker-compose deployment using
docker-compose up -d
After application has started, you need to check if the authentication is working:
- Proceed to the following URL:
https://<allure>/login/openid
. - Check if the authentication is working for you.
Setting GitLab authentication as the default way
This should be done only in the case, if previous check has been completed successfully.
Update uaa service settings as follows:
- add
ALLURE_LOGIN_PRIMARY: openid
uaa:
env:
open:
ALLURE_LOGIN_PRIMARY: openid
<snip>
After this action will be completed, to log-in as a local Allure Testops user (e.g. admin
), you need to access the following URL: https://<allure>/login/system
.
Deployment via packages
To use GitLab as identity provider for the packages installation, you need to update properties file /opt/allure-ee/gateway/conf/allure-gateway.properties
with the following strings:
registration.gitlab.clientName=GitLab
spring.security.oauth2.client.registration.gitlab.clientId=<Applicatoin ID>
spring.security.oauth2.client.registration.gitlab.clientSecret=<Secret>
spring.security.oauth2.client.registration.gitlab.redirectUri=ttps://<allure>/login/oauth2/code/gitlab
spring.security.oauth2.client.registration.gitlab.scope=openid,profile
spring.security.oauth2.client.provider.gitlab.usernameAttribute=nickname
spring.security.oauth2.client.provider.gitlab.authorizationUri=https://<gitlab>/oauth/authorize
spring.security.oauth2.client.provider.gitlab.tokenUri=https://<gitlab>/oauth/token
spring.security.oauth2.client.provider.gitlab.userInfoUri=https://<gitlab>/oauth/userinfo
spring.security.oauth2.client.provider.gitlab.jwkSetUri=https://<gitlab>/oauth/discovery/keys
Now, we need to apply the changes and check these were applied successfully. Please restart all the applications related to Allure Testops (report, gateway, uaa).
After application has started, you need to check if the authentication is working:
- Proceed to the following URL:
https://<allure>/login/openid
. - Check if the authentication is working for you.
Setting GitLab authentication as the default way
This should be done only in the case, if previous check has been completed successfully.
Update uaa service settings as follows:
- add
allure.login.primary: openid
to the uaa properties file/opt/allure-ee/uaa/conf/allure-uaa.properties
<snip>
allure.login.primary=openid
<snip>
Applications need to be restarted to apply the changes.
After this action will be completed, to log-in as a local Allure Testops user (e.g. admin
), you need to access the following URL: https://<allure>/login/system
.
Setting the default role for new user registering via OpenID/gitlab
Why
If no additional setting made all new users will have ROLE_USER
by default and will consume 1 license.
What
To prevent new users consuming the licenses you need to define the default role for them, when they register in the system using OpenID/gitlab
How
The following parameter should be set for UAA service: ALLURE_LOGIN_OPENID_DEFAULTROLE
For docker-compose and Kubernetes deployment
ALLURE_LOGIN_OPENID_DEFAULTROLE: ROLE_GUEST
For the deployment using packages
allure.login.openid.defaultRole: ROLE_GUEST