Merge pull request #42 from hasanheroglu/36-other-auth-solutions-for-…

…dashboards

36 other auth solutions for dashboards

.env

@@ -17,9 +17,17 @@ TRAEFIK_DASHBOARD_PORT_OUT=8080
 HOSTNAME="localhost"
 BROKER_URI="test.mosquitto.org"
 
-TRAEFIK_DASHBOARD_USER=
-TRAEFIK_DASHBOARD_PASS=
+# OAUTH & GITHUB FORWARD AUTH
+OAUTH_SECRET=
+GITHUB_AUTH_URL=https://github.com/login/oauth/authorize
+GITHUB_TOKEN_URL=https://github.com/login/oauth/access_token
+GITHUB_USER_URL=https://api.github.com/user
+GITHUB_CLIENT_ID=
+GITHUB_CLIENT_SECRET=
+WHITELISTED_EMAILS=
 
+# SERVICE PORTS
+FORWARD_AUTH_PORT=4181
 PROMETHEUS_PORT=9090
 GRAFANA_PORT=3000
 CADVISOR_PORT=8080

README.md

@@ -101,7 +101,7 @@ See the mashup's [readme](./mashups/smart-home/README.md).
 You can start the devices inside a container, for that running `docker-compose -f docker-compose-infra.yml -f docker-compose-things.yml up` at the root directory builds and runs the containers. For custom configuration, take a look at the `Dockerfile` of each device or [docker-compose-things.yml](./docker-compose-things.yml).
 
 [docker-compose-things.yml](./docker-compose-things.yml) consists of the docker configuration of the things.
-[docker-compose-infra.yml](./docker-compose-infra.yml) consists of the docker configuration of additional tools such as traefik, prometheus, grafana and cadvisor.  
+[docker-compose-infra.yml](./docker-compose-infra.yml) consists of the docker configuration of additional tools such as traefik, prometheus, grafana, cadvisor and portainer.  
 
 After the run, as default, the devices are accessible at:
 
@@ -117,19 +117,17 @@ After the run, as default, the devices are accessible at:
 | modbus-elevator | `modbus+tcp://localhost:3179/1` |
 | http-data-schema-thing | `http://localhost/http-data-schema-thing` |
 
-To be able to access additional tools, the user must have a basic username and password pair. The services are accessible at:
+To be able to access additional tools, the user must login through GitHub. For GitHub authentication to work, environment variables `OAUTH_SECRET` and, `GITHUB_CLIENT_ID` and `GITHUB_CLIENT_SECRET` must be set with the configuration of GitHub OAuth application. Only whitelisted emails can access some of the services. Whitelisted emails can be set using the environment variable `WHITELISTED_EMAILS`. These services are accessible at:
 
 - Traefik dashboard ->  dashboard.localhost
 - Prometheus -> prometheus.localhost
-- Grafana -> grafana.localhost
 - cAdvisor -> cadvisor.localhost
 
-Hostname and ports can be changed from `.env` file in the root directory. Therefore the links for devices would change accordingly.
-A username and password should be generated for running the services. To do so:
+Grafana and Portainer UIs are public access but they run their own authentication and authorization. These services are accessible at:
+- Grafana -> grafana.localhost
+- Portainer -> portainer.localhost
 
-  1. Choose a username, e.g. `myuser`, and run the following command in the command line: `echo $(htpasswd -nB USERNAMECHOICE) | sed -e s/\\$/\\$\\$/g`
-  2. Enter the username and the generated password (hashed) in the `.env` file under `TRAEFIK_DASHBOARD_USER` and `TRAEFIK_DASHBOARD_PASS`, respectively.
-  3. Use the username and the password you have types (not the hashed one) when logging in at any service but Portainer.
+Hostname and ports can be changed from `.env` file in the root directory. Therefore the links for devices would change accordingly.
 
 ### Running separately
 

docker-compose-infra.yml

@@ -4,11 +4,9 @@ services:
     image: traefik:v3.0
     labels:
       - traefik.enable=true
-      - traefik.http.routers.mydashboard.rule=Host(`traefik.localhost`)
+      - traefik.http.routers.mydashboard.rule=Host(`traefik.${HOSTNAME}`)
       - traefik.http.routers.mydashboard.service=api@internal
       - traefik.http.routers.mydashboard.middlewares=test-things-auth
-      - "traefik.http.middlewares.test-things-auth.basicauth.users=${TRAEFIK_DASHBOARD_USER}:${TRAEFIK_DASHBOARD_PASS}"
-      - “traefik.http.middlewares.test-things-auth.basicauth.removeheader=true”
     command:
       - "--log.level=DEBUG"
       - "--api.dashboard=true"
@@ -39,6 +37,24 @@ services:
         reservations:
           cpus: '0.05'
           memory: 50M
+  test-things-auth:
+    image: thomseddon/traefik-forward-auth:2
+    environment:
+      - DEFAULT_PROVIDER=generic-oauth
+      - SECRET=${OAUTH_SECRET}
+      - PROVIDERS_GENERIC_OAUTH_AUTH_URL=${GITHUB_AUTH_URL}
+      - PROVIDERS_GENERIC_OAUTH_TOKEN_URL=${GITHUB_TOKEN_URL}
+      - PROVIDERS_GENERIC_OAUTH_USER_URL=${GITHUB_USER_URL}
+      - PROVIDERS_GENERIC_OAUTH_CLIENT_ID=${GITHUB_CLIENT_ID}
+      - PROVIDERS_GENERIC_OAUTH_CLIENT_SECRET=${GITHUB_CLIENT_SECRET}
+      - PROVIDERS_GENERIC_OAUTH_SCOPE=user,repo
+      - INSECURE_COOKIE=true
+      - LOG_LEVEL=debug
+      - WHITELIST=${WHITELISTED_EMAILS}
+    labels:
+      - "traefik.http.middlewares.test-things-auth.forwardauth.address=http://test-things-auth:${FORWARD_AUTH_PORT}"
+      - "traefik.http.middlewares.test-things-auth.forwardauth.authResponseHeaders=X-Forwarded-User"
+      - "traefik.http.services.test-things-auth.loadbalancer.server.port=${FORWARD_AUTH_PORT}"
   prometheus:
     image: prom/prometheus
     volumes:
@@ -63,14 +79,15 @@ services:
     image: grafana/grafana
     environment:
       - PROMETHEUS_PORT=${PROMETHEUS_PORT}
+      - GF_SERVER_DOMAIN=grafana.${HOSTNAME}
+      - GF_SERVER_ROOT_URL=http://grafana.${HOSTNAME}
     volumes:
       - ./conf/grafana/provisioning:/etc/grafana/provisioning
       - ./conf/grafana/dashboards:/var/lib/grafana/dashboards
       - grafana_data:/var/lib/grafana
     labels:
       - "traefik.http.routers.grafana.rule=Host(`grafana.${HOSTNAME}`)"
       - "traefik.http.routers.grafana.service=grafana"
-      - "traefik.http.routers.grafana.middlewares=test-things-auth"
       - "traefik.http.services.grafana.loadbalancer.server.port=${GRAFANA_PORT}"
     deploy:
       resources: