Is the update_ood_portal script able to parse out the storage option, or does it only support sqlite? I'd like to use mysql based on recommendations from dex:
version: ood 1.8
```
…
type: mysql
config:
  database: dex_db
  user: dex_user
  password: password;)
…
```
edit: the packaged version is 2.24, which only supports sqlite & postgresql. I'd like to use pgsql if possible.
# Storage options
Dex requires persisting state to perform various tasks such as tracking refresh tokens, preventing replays, and rotating keys. This document is a summary of the storage configurations supported by dex.
Storage breaches are serious as they can affect applications that rely on dex. Dex saves sensitive data in its backing storage, including signing keys and bcrypt'd passwords. As such, transport security and database ACLs should both be used, no matter which storage option is chosen.
## Etcd
Dex supports persisting state to [etcd v3](https://github.com/coreos/etcd).
An example etcd configuration is using these values:
```
storage:
  type: etcd
  config:
    # list of etcd endpoints we should connect to
    endpoints:
      - http://localhost:2379
    namespace: my-etcd-namespace/
```
ref: Dex
Best regards,
Jesse Waters
Corvid Technologies
mario
(Mario Squeo)
May 17, 2021, 5:29pm
2
@jesse.waters I looked into this and right now there’s only support for the SQLite adapter in the portal generator for Dex. It’s a good idea that we don’t restrict this and I’ve opened up a ticket on GitHub here, "Add support for overriding storage connector in Dex" (Issue #1140, OSC/ondemand), to track progress on adding upstream support for this.
Here’s exactly where the storage config is generated:
A quick solution to get this working now is to manually modify the Dex generator at /opt/ood/ood-portal-generator/lib/ood_portal_generator/dex.rb
with something like this:
```
@dex_config[:storage] = {
  type: 'postgres',
  config: {
    database: 'dex_db',
    user: 'dex',
    password: 'hunter2',
    ssl: {
      mode: 'verify-ca',
      caFile: '/etc/dex/postgres.ca'
    }
  }
}
```
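A check for the kind of storage hash shown in the post above, as an added example that is not part of the original post or of the OnDemand or Dex code. `audit_dex_storage`, its finding strings and the placeholder-password list are assumptions, and it goes beyond the postgres case to the etcd and sqlite3 options.

```ruby
# Added example, not OnDemand or Dex code: audit_dex_storage and its finding
# strings are hypothetical. It checks a storage hash of the shape assigned to
# @dex_config[:storage] against the "transport security and ACLs" advice.
VERIFYING_PG_MODES = %w[verify-ca verify-full].freeze
# Constructed list of sample passwords that tend to be pasted from docs.
PLACEHOLDER_PASSWORDS = %w[password hunter2 changeme].freeze

def audit_dex_storage(storage)
  findings = []
  config = storage[:config] || {}

  case storage[:type].to_s
  when 'postgres'
    ssl = config[:ssl] || {}
    mode = ssl[:mode].to_s
    # Policy of this example: the mode must be set explicitly to one that
    # validates the server certificate, with the signing CA pinned.
    if !VERIFYING_PG_MODES.include?(mode)
      findings << "postgres ssl.mode must be verify-ca or verify-full, got #{mode.inspect}"
    elsif ssl[:caFile].to_s.empty?
      findings << 'postgres ssl.caFile is not set; pin the CA that signed the server certificate'
    end
  when 'etcd'
    Array(config[:endpoints]).each do |endpoint|
      findings << "etcd endpoint #{endpoint} is not https" unless endpoint.to_s.start_with?('https://')
    end
  when 'sqlite3'
    path = config[:file].to_s
    # The database file holds signing keys, so only its owner should have access.
    if File.file?(path) && (File.stat(path).mode & 0o077) != 0
      findings << "sqlite3 file #{path} is accessible to group or other"
    end
  end

  if PLACEHOLDER_PASSWORDS.include?(config[:password].to_s)
    findings << 'password is a documentation placeholder'
  end
  findings
end

# Constructed sample: the snippet from the post, with ssl.mode weakened.
weak = { type: 'postgres',
         config: { database: 'dex_db', user: 'dex', password: 'hunter2',
                   ssl: { mode: 'disable' } } }
puts audit_dex_storage(weak)
```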
mario:
hunter2
Thanks for the quick response. As a side question are most people using sqlite as dex’s storage? How has its performance been for multiple concurrent sessions? Any best practice suggestions?
Thanks again,
Jesse
mario
(Mario Squeo)
May 17, 2021, 8:33pm
4
@jesse.waters We don’t use Dex at OSC, I’m not sure about the usage metrics out there! Maybe @jeff.ohrstrom or @tdockendorf can answer? Dex was a nice upgrade from the previous default we provided (Basic HTTP Authentication)
But SQLite is awesome, battle tested and used around OnDemand for managing application state https://osc.github.io/ood-documentation/master/architecture.html#container-context
The health of any system running OnDemand is almost always going to be a function of disk throughput / availability. Be that NFS or local SSDs.
What are you guys using at OSC for authentication? Basic Auth with PAM and/or sssd? I want to hit our internal IDM (ipa), and am not interested in any federated services like Google or Microsoft.
Thanks for your time and best regards,
Jesse
mario
(Mario Squeo)
May 19, 2021, 4:58pm
6
@jesse.waters We use Keycloak at OSC. Though, Dex is a great IDP and you can go as simple or as complex with the configuration as you want.
Also to give you an update on overriding the Dex storage config, it’s possible now. "Support changing Dex storage" by treydock (Pull Request #1143, OSC/ondemand) was merged into master and will be available in the next patch release!