[Merged by Bors] - Add support for LDAP authentication

deny.toml

@@ -37,7 +37,7 @@ exceptions = [
     { name = "stackable-superset-crd", allow = ["OSL-3.0"] },
     { name = "stackable-superset-operator", allow = ["OSL-3.0"] },
     { name = "stackable-superset-operator-binary", allow = ["OSL-3.0"] },
-    ]
+]
 
 [[licenses.clarify]]
 name = "ring"

deploy/crd/supersetcluster.crd.yaml

@@ -22,6 +22,42 @@ spec:
           properties:
             spec:
               properties:
+                authenticationConfig:
+                  nullable: true
+                  properties:
+                    methods:
+                      items:
+                        properties:
+                          authenticationClass:
+                            description: Name of the AuthenticationClass used to authenticate the users
+                            type: string
+                          ldapExtras:
+                            description: "Additional LDAP settings. Can only be specified when the specified AuthenticationClass uses the LDAP protocol See [Flask LDAP documentation](https://flask-appbuilder.readthedocs.io/en/latest/security.html#authentication-ldap)"
+                            nullable: true
+                            properties:
+                              syncRolesAt:
+                                default: Registration
+                                description: "If we should replace ALL the user's roles each login, or only on registration. Gets mapped to `AUTH_ROLES_SYNC_AT_LOGIN`"
+                                enum:
+                                  - Registration
+                                  - Login
+                                type: string
+                              userRegistration:
+                                default: true
+                                description: "Allow users who are not already in the FAB DB. Gets mapped to `AUTH_USER_REGISTRATION`"
+                                type: boolean
+                              userRegistrationRole:
+                                default: Public
+                                description: "This role will be given in addition to any AUTH_ROLES_MAPPING. Gets mapped to `AUTH_USER_REGISTRATION_ROLE`"
+                                type: string
+                            type: object
+                        required:
+                          - authenticationClass
+                        type: object
+                      type: array
+                  required:
+                    - methods
+                  type: object
                 credentialsSecret:
                   type: string
                 loadExamplesOnInit:

deploy/helm/superset-operator/crds/crds.yaml

@@ -24,6 +24,42 @@ spec:
           properties:
             spec:
               properties:
+                authenticationConfig:
+                  nullable: true
+                  properties:
+                    methods:
+                      items:
+                        properties:
+                          authenticationClass:
+                            description: Name of the AuthenticationClass used to authenticate the users
+                            type: string
+                          ldapExtras:
+                            description: "Additional LDAP settings. Can only be specified when the specified AuthenticationClass uses the LDAP protocol See [Flask LDAP documentation](https://flask-appbuilder.readthedocs.io/en/latest/security.html#authentication-ldap)"
+                            nullable: true
+                            properties:
+                              syncRolesAt:
+                                default: Registration
+                                description: "If we should replace ALL the user's roles each login, or only on registration. Gets mapped to `AUTH_ROLES_SYNC_AT_LOGIN`"
+                                enum:
+                                  - Registration
+                                  - Login
+                                type: string
+                              userRegistration:
+                                default: true
+                                description: "Allow users who are not already in the FAB DB. Gets mapped to `AUTH_USER_REGISTRATION`"
+                                type: boolean
+                              userRegistrationRole:
+                                default: Public
+                                description: "This role will be given in addition to any AUTH_ROLES_MAPPING. Gets mapped to `AUTH_USER_REGISTRATION_ROLE`"
+                                type: string
+                            type: object
+                        required:
+                          - authenticationClass
+                        type: object
+                      type: array
+                  required:
+                    - methods
+                  type: object
                 credentialsSecret:
                   type: string
                 loadExamplesOnInit:

deploy/helm/superset-operator/templates/roles.yaml

@@ -101,3 +101,11 @@ rules:
       - supersetdbs
     verbs:
       - create
+  - apiGroups:
+      - authentication.stackable.tech
+    resources:
+      - authenticationclasses
+    verbs:
+      - get
+      - list
+      - watch

deploy/manifests/crds.yaml

@@ -25,6 +25,42 @@ spec:
           properties:
             spec:
               properties:
+                authenticationConfig:
+                  nullable: true
+                  properties:
+                    methods:
+                      items:
+                        properties:
+                          authenticationClass:
+                            description: Name of the AuthenticationClass used to authenticate the users
+                            type: string
+                          ldapExtras:
+                            description: "Additional LDAP settings. Can only be specified when the specified AuthenticationClass uses the LDAP protocol See [Flask LDAP documentation](https://flask-appbuilder.readthedocs.io/en/latest/security.html#authentication-ldap)"
+                            nullable: true
+                            properties:
+                              syncRolesAt:
+                                default: Registration
+                                description: "If we should replace ALL the user's roles each login, or only on registration. Gets mapped to `AUTH_ROLES_SYNC_AT_LOGIN`"
+                                enum:
+                                  - Registration
+                                  - Login
+                                type: string
+                              userRegistration:
+                                default: true
+                                description: "Allow users who are not already in the FAB DB. Gets mapped to `AUTH_USER_REGISTRATION`"
+                                type: boolean
+                              userRegistrationRole:
+                                default: Public
+                                description: "This role will be given in addition to any AUTH_ROLES_MAPPING. Gets mapped to `AUTH_USER_REGISTRATION_ROLE`"
+                                type: string
+                            type: object
+                        required:
+                          - authenticationClass
+                        type: object
+                      type: array
+                  required:
+                    - methods
+                  type: object
                 credentialsSecret:
                   type: string
                 loadExamplesOnInit:

deploy/manifests/roles.yaml

@@ -101,3 +101,11 @@ rules:
       - supersetdbs
     verbs:
       - create
+  - apiGroups:
+      - authentication.stackable.tech
+    resources:
+      - authenticationclasses
+    verbs:
+      - get
+      - list
+      - watch

docs/modules/ROOT/pages/installation.adoc

@@ -17,6 +17,13 @@ installation method. First ensure that you have installed the Stackable Operator
 $ helm repo add stackable https://repo.stackable.tech/repository/helm-stable/
 ----
 
+We also need some addition components of the Stackable Data Platform (if not installed already)
+[source,bash]
+----
+$ helm install commons-operator stackable/commons-operator
+$ helm install secret-operator stackable/secret-operator
+----
+
 Then install the Stackable Operator for Apache Superset
 [source,bash]
 ----

docs/modules/ROOT/pages/usage.adoc

@@ -108,6 +108,10 @@ If the examples were loaded then some dashboards are already available:
 
 image::superset-dashboard.png[Superset dashboard showing birth names]
 
+== Authenticate users using LDAP
+Superset supports authentication users against an LDAP server.
+Have a look at https://github.com/stackabletech/superset-operator/blob/main/examples/superset-with-ldap.yaml[the LDAP example] and the general xref:commons-operator::authenticationclass.adoc[Stackable Authentication] documentation.
+
 == Connecting Apache Druid Clusters
 
 The operator can automatically connect superset clusters to Apache Druid clusters managed by the https://docs.stackable.tech/druid/index.html[Stackable Druid Cluster].

examples/superset-with-ldap.yaml

@@ -0,0 +1,160 @@
+# helm install --repo https://repo.stackable.tech/repository/helm-stable/ secret-operator secret-operator
+# helm install --repo https://repo.stackable.tech/repository/helm-stable/ commons-operator commons-operator
+# Until commons-operator is available officially: helm install --version 0.1.0-pr11 --repo https://repo.stackable.tech/repository/helm-test/ commons-operator commons-operator
+# helm install --repo https://charts.bitnami.com/bitnami --set auth.username=superset --set auth.password=superset --set auth.database=superset postgresql-superset postgresql
+
+# Log in with user01/user01 or user02/user02
+---
+apiVersion: secrets.stackable.tech/v1alpha1
+kind: SecretClass
+metadata:
+  name: openldap-tls
+spec:
+  backend:
+    autoTls:
+      ca:
+        # autoGenerate: true # Needed in a future secret-operator version
+        secret:
+          name: openldap-tls-ca
+          namespace: default
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: openldap
+  labels:
+    app.kubernetes.io/name: openldap
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: openldap
+  serviceName: openldap
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: openldap
+    spec:
+      containers:
+        - name: openldap
+          image: docker.io/bitnami/openldap:2.5
+          env:
+            - name: LDAP_ADMIN_USERNAME
+              value: admin
+            - name: LDAP_ADMIN_PASSWORD
+              value: admin
+            - name: LDAP_USERS
+              value: user01,user02
+            - name: LDAP_PASSWORDS
+              value: user01,user02
+            - name: LDAP_ENABLE_TLS
+              value: "yes"
+            - name: LDAP_TLS_CERT_FILE
+              value: /tls/tls.crt
+            - name: LDAP_TLS_KEY_FILE
+              value: /tls/tls.key
+            - name: LDAP_TLS_CA_FILE
+              value: /tls/ca.crt
+          ports:
+            # - name: ldap
+            #   containerPort: 1389
+            - name: tls-ldap
+              containerPort: 1636
+          volumeMounts:
+            - name: tls
+              mountPath: /tls
+      volumes:
+        - name: tls
+          csi:
+            driver: secrets.stackable.tech
+            volumeAttributes:
+              secrets.stackable.tech/class: openldap-tls
+              secrets.stackable.tech/scope: pod
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openldap
+  labels:
+    app.kubernetes.io/name: openldap
+spec:
+  type: ClusterIP
+  ports:
+    # - name: ldap
+    #   port: 389
+    #   targetPort: ldap
+    - name: tls-ldap
+      port: 636
+      targetPort: tls-ldap
+  selector:
+    app.kubernetes.io/name: openldap
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: superset-with-ldap-server-veri-tls-credentials
+type: Opaque
+stringData:
+  adminUser.username: admin
+  adminUser.firstname: Superset
+  adminUser.lastname: Admin
+  adminUser.email: admin@superset.com
+  adminUser.password: admin
+  connections.secretKey: thisISaSECRET_1234
+  connections.sqlalchemyDatabaseUri: postgresql://superset:superset@postgresql-superset.default.svc.cluster.local/superset
+---
+apiVersion: authentication.stackable.tech/v1alpha1
+kind: AuthenticationClass
+metadata:
+  name: superset-with-ldap-server-veri-tls-ldap
+spec:
+  provider:
+    ldap:
+      hostname: openldap.default.svc.cluster.local
+      port: 636
+      searchBase: ou=users,dc=example,dc=org
+      ldapFieldNames:
+        uid: uid
+      bindCredentials:
+        secretClass: superset-with-ldap-server-veri-tls-ldap-bind
+      tls:
+        verification:
+          server:
+            caCert:
+              secretClass: openldap-tls
+---
+apiVersion: secrets.stackable.tech/v1alpha1
+kind: SecretClass
+metadata:
+  name: superset-with-ldap-server-veri-tls-ldap-bind
+spec:
+  backend:
+    k8sSearch:
+      searchNamespace:
+        pod: {}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: superset-with-ldap-server-veri-tls-ldap-bind
+  labels:
+    secrets.stackable.tech/class: superset-with-ldap-server-veri-tls-ldap-bind
+stringData:
+  user: cn=admin,dc=example,dc=org
+  password: admin
+---
+apiVersion: superset.stackable.tech/v1alpha1
+kind: SupersetCluster
+metadata:
+  name: superset-with-ldap-server-veri-tls
+spec:
+  version: 1.4.1
+  statsdExporterVersion: v0.22.4
+  credentialsSecret: superset-with-ldap-server-veri-tls-credentials
+  nodes:
+    roleGroups:
+      default:
+        config:
+  authenticationConfig:
+    methods:
+      - authenticationClass: superset-with-ldap-server-veri-tls-ldap