Set Up Users for Rok

Rok authenticates users using OIDC. We use Dex as our default OIDC Provider and AuthService as our OIDC Client (authenticating proxy). This guide will walk you through setting up authentication for Rok, using Dex and the AuthService.

More specifically you will need to

  • Change password for the default user.
  • Change credentials for the OIDC client.

Important

If you are planning to integrate Rok with another OIDC Provider other than Dex, e.g., GitLab, you will need to edit your installation after completing it with Dex. To do so, follow the Identity Providers (OIDC) guide.

Choose one of the following options to set up users for Rok:

Option 1: Set Up Users Automatically (preferred)

Set up users for Rok by following the on-screen instructions on the rok-deploy user interface.

If rok-deploy is not already running, start it with:

root@rok-tools:~# rok-deploy --run-from users
../../_images/users.png

Proceed to the Summary section.

Option 2: Set Up Users Manually

If you want to set up users for Rok manually, follow the instructions below.

Procedure

The default installation of Dex comes with a single static user. To change the default user password or create new users, you have to modify the Dex ConfigMap.

  1. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:~# cd ~/ops/deployments
  2. Pick a password for the default user and hash it using bcrypt:

    root@rok-tools:~/ops/deployments# export DEX_DEFAULT_USER_PWHASH=$(python3 -c \ > 'from passlib.hash import bcrypt; import getpass; \ > print(bcrypt.using(rounds=12, ident="2y").hash(getpass.getpass()))')
  3. Configure Dex to use the password you specified in the previous step for the default user with handle user@example.com:

    root@rok-tools:~/ops/deployments# j2 \ > kubeflow/manifests/common/dex/overlays/deploy/patches/config-map.yaml.j2 \ > -o kubeflow/manifests/common/dex/overlays/deploy/patches/config-map.yaml
  4. Generate OIDC Client credentials for the AuthService:

    root@rok-tools:~/ops/deployments# export OIDC_CLIENT_ID="authservice"
    root@rok-tools:~/ops/deployments# export OIDC_CLIENT_SECRET="$(openssl rand -base64 32)"

    Note

    AuthService uses these credentials to authenticate with Dex.

  5. Configure AuthService to use the credentials you generated in the previous step:

    root@rok-tools:~/ops/deployments# j2 \ > kubeflow/manifests/common/oidc-authservice/overlays/deploy/secret_params.env.j2 \ > -o kubeflow/manifests/common/oidc-authservice/overlays/deploy/secret_params.env
  6. Configure Dex to use the credentials you generated at step 4:

    root@rok-tools:~/ops/deployments# j2 \ > kubeflow/manifests/common/dex/overlays/deploy/secret_params.env.j2 \ > -o kubeflow/manifests/common/dex/overlays/deploy/secret_params.env
  7. Save your state:

    root@rok-tools:~/ops/deployments# rok-j2 deploy/env.users.j2 -o deploy/env.users
  8. Commit your changes:

    root@rok-tools:~/ops/deployments# git commit -am "Set Up Users for Rok"

Verify

  1. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:~# cd ~/ops/deployments
  2. Restore the required context from previous sections:

    root@rok-tools:~/ops/deployments# source <(cat deploy/env.users)
    root@rok-tools:~/ops/deployments# export DEX_DEFAULT_USER_PWHASH \ > OIDC_CLIENT_ID OIDC_CLIENT_SECRET
  3. Calculate the hash of the OIDC client credentials:

    root@rok-tools:~/ops/deployments# export OIDC_CLIENT_ID_BASE64=$(echo -n \ > ${OIDC_CLIENT_ID?} | base64)
    root@rok-tools:~/ops/deployments# export OIDC_CLIENT_SECRET_BASE64=$(echo -n \ > ${OIDC_CLIENT_SECRET?} | base64)
  4. Verify you have properly configured the password for the default user in Dex:

    root@rok-tools:~/ops/deployments# kustomize build \ > kubeflow/manifests/common/dex/overlays/deploy \ > | grep -q "hash: ${DEX_DEFAULT_USER_PWHASH?}" && echo OK OK
  5. Verify you have properly configured the OIDC client credentials for Dex:

    root@rok-tools:~/ops/deployments# kustomize build \ > kubeflow/manifests/common/dex/overlays/deploy \ > | grep -q "OIDC_CLIENT_ID: ${OIDC_CLIENT_ID_BASE64?}" && echo OK OK
    root@rok-tools:~/ops/deployments# kustomize build \ > kubeflow/manifests/common/dex/overlays/deploy \ > | grep -q "OIDC_CLIENT_SECRET: ${OIDC_CLIENT_SECRET_BASE64?}" && echo OK OK
  6. Verify you have properly configured the OIDC client credentials for AuthService:

    root@rok-tools:~/ops/deployments# kustomize build \ > kubeflow/manifests/common/oidc-authservice/overlays/deploy \ > | grep -q "CLIENT_ID: ${OIDC_CLIENT_ID_BASE64?}" && echo OK OK
    root@rok-tools:~/ops/deployments# kustomize build \ > kubeflow/manifests/common/oidc-authservice/overlays/deploy \ > | grep -q "CLIENT_SECRET: ${OIDC_CLIENT_SECRET_BASE64?}" && echo OK OK

Summary

You have successfully set up users for Rok using Dex and the AuthService.

What’s Next

The next step is to configure account management.