Monday, March 23, 2020

Free SSO with AWS SAML on Prem

Hello Guys,

I started working with a start-up that has about 7 to 8 AWS accounts, and user management across all of them is becoming a problem, as is the fact that users who have left the company, or are still in it, are using their programmatic access here and there.
If we delete or deactivate those users, some application is going to stop working, so my manager wanted to come up with a plan. We went through many options, and we also have a budget issue as it is a start-up, so we settled on using Keycloak as our SSO SAML provider, backed by PostgreSQL. I also wanted to demonstrate the capability of Kubernetes, so I deployed it in the Kubernetes cluster.
I used Helm to install Keycloak on the Kubernetes cluster, with the chart I got from the codecentric repo:
https://codecentric.github.io/helm-charts I am also using Kubeapps to deploy it in my Kubernetes environment.

Once installed, I started configuring Keycloak.
1) First, get saml-metadata.xml from Amazon AWS.
2) After you have saved the saml-metadata.xml file, go to your Keycloak server, open the “Clients” section and create a new client:

your_realm_name — the name of the Keycloak realm for which you configure the SAML client
The only fields you need to fill in are “Base URL” and “IDP Initiated SSO URL Name”.
Set “Base URL” to: /auth/realms/<your_realm_name>/protocol/saml/clients/amazon-aws
and “IDP Initiated SSO URL Name” to: amazon-aws
5) Press “Save”.
After you have saved the client settings, go to the “Installation” tab, select “Mod Auth Mellon files” and press “Download”. A zip file is downloaded; extract it and find the file named idp-metadata.xml.

Amazon AWS Service Provider setup

1) After you have downloaded the idp-metadata.xml file, go to your Amazon AWS account.
2) Go to the “IAM” section, select “Identity providers” and press the “Create Provider” button.
3) Choose “SAML” as the provider type, set the provider name and upload the idp-metadata.xml file downloaded and extracted from the Keycloak server.

4) Press “Next Step” and then “Create”.
5) After you have created your SAML Identity Provider, you need to create an IAM role for this provider.
6) Go to the “IAM” section and select “Roles”.
7) Press “Create New Role” and set the role name.
For “Select Role Type” choose
“SAML 2.0 federation”
and select the SAML provider created earlier.

PART 2: Keycloak Identity Provider setup

1) After the IAM SAML role in AWS has been created, go to the role summary and copy the Role ARN. Go back to your Keycloak server, go to the realm in which you created the AWS SAML client, go to the “Roles” tab and press “Add Role”. The role name is the Role ARN and the SAML provider ARN joined by a comma, and should look like this:
arn:aws:iam::aws_acct_id:role/aws_iam_saml_role,arn:aws:iam::aws_acct_id:saml-provider/aws_iam_saml_idp
aws_acct_id — your AWS account ID, aws_iam_saml_role — AWS IAM SAML role, aws_iam_saml_idp — AWS IAM SAML Identity Provider
2) After that, go to the “Mappers” section and create mappers for “Session Role”, “Session Duration” and “Session Name”.
“Session Role” mapper:
“Session Name” mapper:
“Session Duration” mapper:
These mappers are required as per the Amazon AWS SAML documentation.
3) After the mappers, go to the Keycloak realm “Manage” section, select “Users” or “Groups”, choose which group or user will be assigned to the AWS SAML role, and assign it.
5) Finally, go back to the AWS client you defined and press the “Base URL” link.
6) The “Base URL” link should redirect you to the Keycloak login page, where you need to enter the user name and password of a user who is a member of the group assigned to the AWS IAM SAML role defined in Keycloak.
After you enter your credentials, hopefully, you will be redirected to the Amazon AWS console.
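The three mappers above populate the AWS SAML attributes Role, RoleSessionName and SessionDuration. The check below, an added example that is not part of the original post, parses a constructed assertion (placeholder account id, role and provider names) and reports what AWS would reject: a malformed role/provider pair, mismatched accounts, a missing session name or a duration outside 900..43200 seconds.

```python
import re
import xml.etree.ElementTree as ET
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
NAME_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
DURATION_ATTR = "https://aws.amazon.com/SAML/Attributes/SessionDuration"
ARN_ROLE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@-]+$")
ARN_IDP = re.compile(r"^arn:aws:iam::(\d{12}):saml-provider/[\w._-]+$")

# Constructed sample assertion (not captured from a live Keycloak); the
# account id, role name and provider name are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:AttributeStatement>
<saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
<saml:AttributeValue>arn:aws:iam::123456789012:role/aws_iam_saml_role,arn:aws:iam::123456789012:saml-provider/aws_iam_saml_idp</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
<saml:AttributeValue>jdoe</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/SessionDuration">
<saml:AttributeValue>3600</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>"""

def aws_attributes(xml_text):
    """Map each SAML attribute Name to its list of (stripped) values."""
    root = ET.fromstring(xml_text)
    return {a.get("Name"): [v.text.strip() for v in a.iterfind("saml:AttributeValue", NS) if v.text]
            for a in root.iterfind(".//saml:Attribute", NS)}

def check_aws_assertion(xml_text):
    """Return the problems AWS would reject the assertion for; empty means well formed."""
    attrs = aws_attributes(xml_text)
    problems = []
    roles = attrs.get(ROLE_ATTR, [])
    if not roles:
        problems.append("Role attribute missing")
    for pair in roles:  # each value is "<role ARN>,<saml-provider ARN>"
        parts = pair.split(",")
        role, idp = (ARN_ROLE.match(parts[0]), ARN_IDP.match(parts[1])) if len(parts) == 2 else (None, None)
        if not (role and idp):
            problems.append(f"malformed Role value: {pair}")
        elif role.group(1) != idp.group(1):
            problems.append(f"role and provider ARNs are in different accounts: {pair}")
    if not attrs.get(NAME_ATTR):
        problems.append("RoleSessionName attribute missing")
    for dur in attrs.get(DURATION_ATTR, []):  # optional; AWS allows 900..43200 seconds
        if not dur.isdigit() or not 900 <= int(dur) <= 43200:
            problems.append(f"SessionDuration {dur} outside AWS limits (900..43200 s)")
    return problems
```

Feed it the decoded SAMLResponse from a browser trace of the Base URL login to confirm the Keycloak role name and mappers before debugging on the AWS side.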
You can integrate Keycloak with Azure AD as well.

Click on “Identity Providers”, select Microsoft, fill in the details requested (Application ID and Application Secret), and you will be able to authenticate in Keycloak using Azure AD.

For CLI/programmatic access, I will get back to you in my next blog.


Saturday, October 12, 2019

MongoDB Getting Started and Setup Cluster

In the past couple of days I have changed my job and started working on a serverless model, so they don't store their data in the traditional way in an RDBMS; in fact, they store all of their application logs in the DB.

So we have started using MongoDB as a document database. A few of the advantages of MongoDB:
  • Document Oriented Storage − Data is stored in the form of JSON style documents.
  • Index on any attribute
  • Replication and high availability
  • Auto-sharding
  • Rich queries
  • Fast in-place update
  • Professional support by MongoDB.

    Now let's start building the Mongo cluster with 1 master, 1 slave and 1 arbiter.

    Pre-requisites:
  • 3 Centos machines (in cloud or on premises)
mongo0 192.168.56.131
mongo1 192.168.56.132
mongo2 192.168.56.133
  • 1 Windows host for testing, using Studio 3T
Log in on all 3 VMs and:
  1. Disable the firewalld service
# systemctl disable firewalld
  2. Stop the firewalld service
# systemctl stop firewalld
  3. Disable SELinux
To permanently disable SELinux, use your favourite text editor to open the file /etc/sysconfig/selinux
and change the directive SELINUX=enforcing to SELINUX=disabled
  4. Update all packages and install the EPEL release repo
# yum update -y && yum install epel-release
  5. Edit the hostname file /etc/hostname and set the hostname to mongo0, mongo1 or mongo2 respectively
  6. Add the entries below to /etc/hosts (IP address first, then hostname)
192.168.56.131 mongo0
192.168.56.132 mongo1
192.168.56.133 mongo2
  7. Reboot the system
# reboot now


Configure the package management system (yum).
Create a /etc/yum.repos.d/mongodb-org-4.2.repo file so that you can install MongoDB directly using yum:
[mongodb-org-4.2]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/4.2/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-4.2.asc
Install the MongoDB packages.
To install the latest stable version of MongoDB, issue the following command:
sudo yum install -y mongodb-org
Alternatively, to install a specific release of MongoDB, specify each component package individually and append the version number to the package name, as in the following example:
sudo yum install -y mongodb-org-4.2.0 mongodb-org-server-4.2.0 mongodb-org-shell-4.2.0 mongodb-org-mongos-4.2.0 mongodb-org-tools-4.2.0
You can specify any available version of MongoDB. However, yum upgrades the packages when a newer version becomes available. To prevent unintended upgrades, pin the packages by adding the following exclude directive to your /etc/yum.conf file:
exclude=mongodb-org,mongodb-org-server,mongodb-org-shell,mongodb-org-mongos,mongodb-org-tools

Start one member (master) of the replica set.

This mongod should not enable auth.

Create administrative users.

The following operations will create two users: a user administrator that will be able to create and modify users (siteUserAdmin), and a root user (siteRootAdmin) that you will use to complete the remainder of the tutorial:
use admin
db.createUser( {
  user: "siteUserAdmin",
  pwd: "",
  roles: [ "userAdminAnyDatabase" ]
});
db.createUser( {
  user: "siteRootAdmin",
  pwd: "",
  roles: [ "userAdminAnyDatabase",
           "readWriteAnyDatabase",
           "dbAdminAnyDatabase",
           "clusterAdmin" ]
});

Stop the mongod instance.

Create the key file to be used by each member of the replica set.

Create the key file your deployment will use to authenticate servers to each other.
To generate pseudo-random data to use for a keyfile, issue the following openssl command:
mkdir -p /etc/mongod
openssl rand -base64 741 > /etc/mongod/mongodb-keyfile
chown -R mongod:mongod /etc/mongod
chmod 600 /etc/mongod/mongodb-keyfile
You may generate a key file using any method you choose. Always ensure that the password stored in the key file is both long and contains a high amount of entropy. Using openssl in this manner helps generate such a key.

Copy the key file to each member of the replica set.

Copy the mongodb-keyfile to all hosts where components of the MongoDB deployment run. Set the permissions of these files to 600 so that only the owner can read or write the file, preventing other users on the system from accessing the shared secret.
On each slave:
mkdir -p /etc/mongod
chown -R mongod:mongod /etc/mongod
chmod 600 /etc/mongod/mongodb-keyfile
On the master, execute the scp command for each slave one by one:
scp /etc/mongod/mongodb-keyfile user@slave:/etc/mongod/mongodb-keyfile
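Before distributing the key file it is worth checking it the way mongod will: the content must be base64 characters only, 6 to 1024 characters long once whitespace is ignored, and the file must carry no group or other permission bits. The checker below is an added example, not part of the original post; generate_key() produces the same kind of key material as the openssl command above (without line wrapping), and write_sample_keyfile() only exists to build constructed test files.

```python
import base64
import os
import stat
import string
import tempfile

# mongod keyFile rules: only base64 characters, 6 to 1024 of them once
# whitespace is stripped, and no group/other permission bits on UNIX.
B64_CHARS = set(string.ascii_letters + string.digits + "+/=")

def generate_key(nbytes=741):
    """Same key material as `openssl rand -base64 741`, without line wrapping."""
    return base64.b64encode(os.urandom(nbytes)).decode()

def check_keyfile(path, expected_uid=None):
    """Return a list of problems with a mongod keyFile; empty means usable."""
    problems = []
    st = os.stat(path)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"mode {stat.filemode(st.st_mode)} allows group/other; chmod 600")
    if expected_uid is not None and st.st_uid != expected_uid:
        problems.append(f"owner uid {st.st_uid} != expected {expected_uid}")
    with open(path) as f:
        key = "".join(f.read().split())  # mongod ignores whitespace in the key
    if not 6 <= len(key) <= 1024:
        problems.append(f"key has {len(key)} chars; must be 6..1024")
    bad = sorted(set(key) - B64_CHARS)
    if bad:
        problems.append(f"non-base64 characters in key: {bad}")
    return problems

def write_sample_keyfile(content, mode):
    """Write a constructed keyfile to a temp dir (demo only) and return its path."""
    path = os.path.join(tempfile.mkdtemp(), "mongodb-keyfile")
    with open(path, "w") as f:
        f.write(content)
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    print(check_keyfile(write_sample_keyfile(generate_key(), 0o600)))
    print(check_keyfile(write_sample_keyfile("too short!", 0o644)))
```

On the real hosts call check_keyfile("/etc/mongod/mongodb-keyfile", expected_uid=<uid of mongod>) after the scp and chmod steps on every member.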

A sample mongod.conf file looks something like this:

# mongod.conf
# for documentation of all options, see:
# http://docs.mongodb.org/manual/reference/configuration-options/

# where to write logging data.
systemLog:
  destination: file
  logAppend: true
  path: /var/log/mongodb/mongod.log

# Where and how to store data.
storage:
  dbPath: /var/lib/mongo
  journal:
    enabled: true
#  engine:
#  wiredTiger:

# how the process runs
processManagement:
  fork: true  # fork and run in background
  pidFilePath: /var/run/mongodb/mongod.pid  # location of pidfile
  timeZoneInfo: /usr/share/zoneinfo

# network interfaces
net:
  port: 27017
  bindIp: 0.0.0.0  # Enter 0.0.0.0,:: to bind to all IPv4 and IPv6 addresses or, alternatively, use the net.bindIpAll setting.

replication:
  replSetName: "rs0"

security:
  keyFile: /etc/mongod/mongodb-keyfile

#operationProfiling:

#sharding:

## Enterprise-Only Options
#auditLog:
#snmp:

Make sure the replication (replSetName) and security (keyFile) sections shown above are present in your conf file. Setting security.keyFile turns on internal authentication between the members and, with it, client authorization, which is why the administrative users were created before the key file was configured.

Connect to the member of the replica set where you created the administrative users.

Connect to the replica set member you started and authenticate as the siteRootAdmin user. From the mongo shell, use the following operation to authenticate:
use admin
db.auth("siteRootAdmin", "");

Initiate the replica set.

Use rs.initiate() on the replica set member:
rs.initiate()
MongoDB initiates a set that consists of the current member and that uses the default replica set configuration.

Verify the initial replica set configuration.

rs.conf()
The replica set configuration object resembles the following:
{
    "_id" : "rs0",
    "version" : 1,
    "members" : [
        {
            "_id" : 1,
            "host" : "mongo0:27017"
        }
    ]
}

Add the remaining members to the replica set.

Add the remaining members with the rs.add() method.
The following example adds two members:
rs.add("mongo1")
rs.addArb("mongo2")
When complete, you have a fully functional replica set. The new replica set will elect a primary.

Check the status of the replica set.

Use the rs.status() operation:
rs.status()
On the secondary (slave), execute the following to allow reads:
rs.slaveOk()