Enabling Google Auth for Apcera CE

By default, Apcera Platform Community Edition uses HTTP basic authentication with (at least) one admin user and password that you specify. If you are deploying the platform for others to use, Apcera recommends that you enable Google Auth for user authentication and then add policy to grant individual Google users access to the cluster.

The Apcera Web Console is updated for the Apcera Platform version 2.2.0 release. If you are upgrading an existing cluster to this release and using Google Auth, you may need to update your Google Auth project to ensure that you have the correct redirect URLs. See Configuring Google Auth for details.

Enabling Google Auth

To enable Google Auth, you first need to create a Google project and enable the necessary Google Auth APIs.

Once you've completed the Google project setup, you will have two OAuth2 client IDs: one for the web console and one for the APC command-line tool. You will also need the OAuth2 client secret for the APC client ID.

During the apcera-setup config process, you are given the option to enable Google Auth for your cluster:

Enable Google OAuth2 integration (optional)? 
This requires you to first create a Google project to obtain OAuth2 client IDs. [y/N] y

In apcera-setup, when prompted for the Google OAuth2 client id and Google OAuth2 client secret, provide your Google project's APC client ID and client secret, respectively; when prompted for the Google OAuth2 web client ID, provide the web console client ID.

You can optionally provide the email addresses of the Google users to whom you want to grant admin access to your cluster, as shown below. After you've deployed your cluster, you can add more Google users using policy. See Adding Apcera policy for Google authenticated users.

For example:

Enable Google OAuth2 integration (optional)? This requires you to first create a Google project to obtain OAuth2 client IDs. [y/N] y
Enter Google OAuth2 client id []: <client-id>
Enter Google OAuth2 client secret []: <client-secret>
Enter Google OAuth2 web client id []: <web-client-id>
Would you like to add Google users? [y/N] y
Enter Google user sign in email address: []: user@example.com
Enter Google user sign in email address: []: another@example.com
Enter Google user sign in email address: []: <enter>

When you are done adding Google users, press the enter key without entering any value to continue to the next step.

Adding policy for Google auth users

As described in Enabling Google Auth, you can provide the Google sign-in emails of the users who should have admin access while running apcera-setup. Once the cluster is deployed, you can authorize additional Google users by adding policy to your cluster.

Alternatively, you could run apcera-setup config again to add the users and then redeploy your cluster with apcera-setup deploy, but that takes longer than updating policy.

You can add policy to your cluster using the web console's policy editor or the apc policy import command.

To add Apcera policy for Google authenticated users:

  1. Log in to APC or the web console as an admin user.
  2. Create a new policy document named googleusers.pol.
  3. For each Google user you want to authorize as an additional admin user, add the following to the policy document, replacing the placeholder email addresses with the users' actual email addresses:

     // Allowing Google users to get issued a token
     on auth::/oauth2/http {
       if (Google->email == "admin-email-address@gmail.com") {
         name "admin-email-address@gmail.com"
         permit issue
       }
       if (Google->email == "another-admin-email-address@acme.com") {
         name "another-admin-email-address@acme.com"
         permit issue
       }
     }
    

    Repeat the if { } block for each Google user you want to add. This policy allows the designated users to log in to the cluster with their Google account and assigns each one a unique name; the Google->email comparison is a literal string match, so each address must be spelled exactly as Google reports it. The assigned name is what the rules in the next step refer to as auth_server@apcera.me->name, so the two must match exactly.

  4. Add policy to grant each Google user the desired permissions on cluster resources. The following grants the new users the admin role in every realm, that is, full permissions on all cluster resources; for users who do not need full admin access, scope this down by omitting the realms they do not need:

     on audit::/ {
       if (auth_server@apcera.me->name == "admin-email-address@gmail.com") { role admin }
       if (auth_server@apcera.me->name == "another-admin-email-address@acme.com") { role admin }
     }
     on cluster::/ {
       if (auth_server@apcera.me->name == "admin-email-address@gmail.com") { role admin }
       if (auth_server@apcera.me->name == "another-admin-email-address@acme.com") { role admin }
     }
     on gateway::/ {
       if (auth_server@apcera.me->name == "admin-email-address@gmail.com") { role admin }
       if (auth_server@apcera.me->name == "another-admin-email-address@acme.com") { role admin }
     }
     on job::/ {
       if (auth_server@apcera.me->name == "admin-email-address@gmail.com") { role admin }
       if (auth_server@apcera.me->name == "another-admin-email-address@acme.com") { role admin }
     }
     on package::/ {
       if (auth_server@apcera.me->name == "admin-email-address@gmail.com") { role admin }
       if (auth_server@apcera.me->name == "another-admin-email-address@acme.com") { role admin }
     }
     on policy::/ {
       if (auth_server@apcera.me->name == "admin-email-address@gmail.com") { role admin }
       if (auth_server@apcera.me->name == "another-admin-email-address@acme.com") { role admin }
     }
     on principal::/ {
       if (auth_server@apcera.me->name == "admin-email-address@gmail.com") { role admin }
       if (auth_server@apcera.me->name == "another-admin-email-address@acme.com") { role admin }
     }
     on provider::/ {
       if (auth_server@apcera.me->name == "admin-email-address@gmail.com") { role admin }
       if (auth_server@apcera.me->name == "another-admin-email-address@acme.com") { role admin }
     }
     on route::/ {
       if (auth_server@apcera.me->name == "admin-email-address@gmail.com") { role admin }
       if (auth_server@apcera.me->name == "another-admin-email-address@acme.com") { role admin }
     }
     on sempiperule::/ {
       if (auth_server@apcera.me->name == "admin-email-address@gmail.com") { role admin }
       if (auth_server@apcera.me->name == "another-admin-email-address@acme.com") { role admin }
     }
     on service::/ {
       if (auth_server@apcera.me->name == "admin-email-address@gmail.com") { role admin }
       if (auth_server@apcera.me->name == "another-admin-email-address@acme.com") { role admin }
     }
     on stagpipe::/ {
       if (auth_server@apcera.me->name == "admin-email-address@gmail.com") { role admin }
       if (auth_server@apcera.me->name == "another-admin-email-address@acme.com") { role admin }
     }
     on network::/ {
       if (auth_server@apcera.me->name == "admin-email-address@gmail.com") { role admin }
       if (auth_server@apcera.me->name == "another-admin-email-address@acme.com") { role admin }
     }
    
  5. Save your changes to the policy document and import it to your cluster using APC or the web console:

    • Using APC, run apc policy import googleusers.pol.
    • Using the console:
      1. Click Policy.
      2. Click Upload File and select googleusers.pol.
      3. Click Create Document.

    The users should now be able to perform any task in the web console or APC.
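Hand-copying the same two lines across thirteen realms is where typos creep in, and a misspelled address silently matches nobody. The following generator is an added example written for this page, not part of Apcera's tooling: it validates a list of sign-in addresses (rejecting malformed or duplicate ones), then emits a googleusers.pol in the syntax shown in steps 3 and 4 above. The realm list is copied from the step 4 example; the script goes slightly beyond it by accepting a subset of realms, on the assumption that policy grants are additive and a realm with no rule grants nothing. The script name gen_googleusers.py and the function names are my own.

```python
"""Generate an Apcera policy document (googleusers.pol) for Google-authenticated admins.

Added example, not Apcera's own tooling. The policy syntax and the realm list
come from the example on this page; the script only removes the hand-copying of
near-identical lines across realms and users.
"""
import re
import sys

# Realms from the page's step 4 example; each gets a `role admin` grant per user.
DEFAULT_REALMS = (
    "audit", "cluster", "gateway", "job", "package", "policy", "principal",
    "provider", "route", "sempiperule", "service", "stagpipe", "network",
)

# Deliberately strict: one local part, one domain, no whitespace or quotes, so a
# typo cannot yield a rule that matches nobody or breaks the quoted string.
_EMAIL_RE = re.compile(r'^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$')


def validate_emails(emails):
    """Return the addresses stripped of whitespace, rejecting malformed or duplicate ones."""
    seen = set()
    clean = []
    for raw in emails:
        addr = raw.strip()
        if not _EMAIL_RE.match(addr):
            raise ValueError(f"not a usable sign-in address: {raw!r}")
        if addr in seen:
            raise ValueError(f"duplicate address: {addr}")
        seen.add(addr)
        clean.append(addr)
    if not clean:
        raise ValueError("no users given")
    return clean


def generate_policy(emails, realms=DEFAULT_REALMS):
    """Build the policy text: one token-issuance rule per user under
    auth::/oauth2/http, then one `on <realm>::/` block per realm granting each
    user the admin role. Pass a smaller `realms` tuple to grant less than
    full access (assumption: a realm with no rule grants nothing)."""
    users = validate_emails(emails)
    lines = ["// Allowing Google users to get issued a token", "on auth::/oauth2/http {"]
    for u in users:
        # `name` here is what auth_server@apcera.me->name compares against below.
        lines += [f'  if (Google->email == "{u}") {{', f'    name "{u}"', "    permit issue", "  }"]
    lines.append("}")
    for realm in realms:
        lines.append(f"on {realm}::/ {{")
        for u in users:
            lines.append(f'  if (auth_server@apcera.me->name == "{u}") {{ role admin }}')
        lines.append("}")
    return "\n".join(lines) + "\n"


def main(argv):
    # Usage: python gen_googleusers.py alice@example.com bob@example.com
    # then: apc policy import googleusers.pol
    with open("googleusers.pol", "w") as f:
        f.write(generate_policy(argv[1:]))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Review the generated file before importing it with apc policy import googleusers.pol; the import grants the admin role to every listed address in every listed realm, so an address that is wrong in a way the regex cannot catch (a real but unintended account) still becomes an admin.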