Dex storage - mysql

jesse.waters · May 17, 2021, 4:00pm

Is the update_ood_portal script able to parse out storage option or only support sqlite? I like to use mysql based on recommendations from dex:

verstion: ood 1.8
…
type: mysql
config:
database: dex_db
user: dex_user
password: password;)
…

edit: version packaged is 2.24, only supports sqlite & postgresql. Like use pgsql if possible

github.com

dexidp/dex/blob/v2.24.0/Documentation/storage.md

# Storage options

Dex requires persisting state to perform various tasks such as track refresh tokens, preventing replays, and rotating keys. This document is a summary of the storage configurations supported by dex.

Storage breaches are serious as they can affect applications that rely on dex. Dex saves sensitive data in its backing storage, including signing keys and bcrypt'd passwords. As such, transport security and database ACLs should both be used, no matter which storage option is chosen.

## Etcd

Dex supports persisting state to [etcd v3](https://github.com/coreos/etcd).

An example etcd configuration is using these values:

```
storage:
  type: etcd
  config:
    # list of etcd endpoints we should connect to
    endpoints:
      - http://localhost:2379
    namespace: my-etcd-namespace/

This file has been truncated. show original

ref: Dex

Best regards,
Jesse Waters
Corvid Technologies

mario · May 17, 2021, 5:29pm

@jesse.waters I looked into this and right now there’s only support for the SQLite adapter in the portal generator for Dex. It’s a good idea that we don’t restrict this and I’ve opened up a ticket on GitHub here Add support for overriding storage connector in Dex · Issue #1140 · OSC/ondemand · GitHub to track progress on adding upstream support for this:

Here’s exactly where the storage config is generated:

github.com

OSC/ondemand/blob/master/ood-portal-generator/lib/ood_portal_generator/dex.rb#L23-L26

    
      
          @dex_config[:storage] = {
            type: 'sqlite3',
            config: { file: storage_file },
          }

A quick solution to get this working now is to manually modify the Dex generator at /opt/ood/ood-portal-generator/lib/ood_portal_generator/dex.rb with something like this:

@dex_config[:storage] = {
  type: 'postgres',
  config: {
    database: 'dex_db',
    user: 'dex',
    password: 'hunter2',
    ssl: {
      mode: 'verify-ca',
      caFile: '/etc/dex/postgres.ca'
    }
  }
}

jesse.waters · May 17, 2021, 6:28pm

Thanks for the quick response. As a side question are most people using sqlite as dex’s storage? How has its performance been for multiple concurrent sessions? Any best practice suggestions?

Thanks again,
Jesse

mario · May 17, 2021, 8:33pm

@jesse.waters We don’t use Dex at OSC, I’m not sure about the usage metrics out there! Maybe @jeff.ohrstrom or @tdockendorf can answer? Dex was a nice upgrade from the previous default we provided (Basic HTTP Authentication)

But SQLite is awesome, battle tested and used around OnDemand for managing application state https://osc.github.io/ood-documentation/master/architecture.html#container-context

The health of any system running OnDemand is almost always going to be a function of disk throughput / availability. Be that NFS or local SSDs.

jesse.waters · May 17, 2021, 11:07pm

What are you guys using at OSC for authentication? Basic Auth with Pam and or sssd? I want to hit our internal IDM (ipa), and am not interested in any federated services like google, microsoft.

Thanks for your time and best regards,
Jesse

mario · May 19, 2021, 4:58pm

@jesse.waters We use Keycloak at OSC. Though, Dex is a great IDP and you can go as simple or as complex with the configuration as you want.

Also to give you an update on overriding the Dex storage config, it’s possible now. Support changing Dex storage by treydock · Pull Request #1143 · OSC/ondemand · GitHub was merged into master and will be available in the next patch release!

system · May 17, 2022, 6:43pm

This topic was automatically closed 180 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Dex with Google Authentication Get Help	7	404	July 29, 2023
OOD 2.0.13 update_ood_portal and oidc configuration Get Help ondemand2 , question	8	861	May 26, 2022
OOD 1.8 and Okta SAML2 and ADFS authentication Get Help question	3	720	May 26, 2022
Need help with DEX authentication on Linux Get Help	9	463	March 27, 2023
Security for OOD v1.8 Get Help	2	405	May 26, 2022

Dex storage - mysql

Related Topics