github.com/pachyderm/pachyderm@v1.13.4/doc/docs/1.11.x/enterprise/auth/oidc/configure-google-oidc.md

# Configure Google OpenID Connect

You can use the Google® OAuth 2.0 authentication system as an identity
provider for Pachyderm. Google takes care of verifying the identity of
users accessing your Pachyderm cluster; Pachyderm only consumes the
OpenID Connect (OIDC) ID token that Google issues after a successful login.

## Prerequisites

Before you can configure Pachyderm to work with Google, you need to
have the following components up and running:

* Pachyderm Enterprise 1.11.x or later. The enterprise token must be
  activated by running `pachctl enterprise activate`.
  Check the status of your license by running:

  ```shell
  pachctl enterprise get-state
  ```

  For more information, see [Activate Pachyderm Enterprise Edition](../../../deployment/#activate-pachyderm-enterprise-edition).

* A Google account, such as a Gmail account. You need to have access to
  the Google API Console and have a project there. For more information,
  see [Google OpenID Connect documentation](https://developers.google.com/identity/protocols/oauth2/openid-connect#sendauthrequest).

## Configure Google OAuth 2.0

You need to create a project in the Google API Console within an
organization. Some of the IAM features that are discussed in this section
are not available to individual users. This section outlines the Pachyderm
specifics for setting up authentication with Google. For more details
about the configuration, see [Google OpenID Connect documentation](https://developers.google.com/identity/protocols/oauth2/openid-connect#sendauthrequest).

To set up Google OAuth 2.0, complete the following steps:

1. Go to your project in Google API Console.
1. Click **Credentials**.
1. Click **Configure Consent Screen**.
1. Select a user type as needed for your project.
1. Type the **Application name**.

   This is the name that Google shows to users on the consent screen.
   You can fill out other fields as needed, but to authorize with Pachyderm,
   only the application name is required.

1. Save the settings.
1. Go back to **Credentials**.
1. Under **OAuth 2.0 Client IDs**, open the client for this application
   (create a **Web application** client ID first if none exists yet).
   Note its **Client ID** and **Client secret**; you need both for the
   Pachyderm config.
1. In the **Authorized redirect URIs** section, add the Pachyderm callback link
   in the following format:

   ```shell
   https://<hostname>:30657/authorization-code/callback
   ```

   This is your `redirect_uri`.
   The URI must use `https://` and a DNS hostname: Google rejects redirect
   URIs that use plain `http://` or a raw IP address (localhost is the only
   exception). Google also compares the redirect URI as an exact string,
   so copy it into the Pachyderm config unchanged, including the scheme and port.

1. Click **Save**.
1. Go to [Configure Pachyderm](#configure-pachyderm).

## Configure Pachyderm

After you have completed the steps in [Configure Google OAuth 2.0](#configure-google-oauth-2.0),
you need to create a Pachyderm authentication config and log in as a Google user
to your Pachyderm cluster.

To configure Pachyderm, complete the following steps:

1. Go to the terminal and forward the `pachd` pod to the OIDC port:

   1. Get the `pachd` pod ID:

      ```shell
      kubectl get pod
      ```

      **Example system response:**

      ```shell
      dash-5768cb7d98-j6cgt       2/2     Running   0          4h2m
      etcd-56d897697-xzsqr        1/1     Running   0          4h2m
      keycloak-857c59449b-htg99   1/1     Running   0          4h6m
      pachd-79f7f68c65-9qs8g      1/1     Running   0          4h2m
      ```

   1. Forward the `pachd` pod to the OIDC port:

      **Example:**

      ```shell
      kubectl port-forward pachd-79f7f68c65-9qs8g 30657
      ```

1. Enable Pachyderm authentication:

   ```shell
   pachctl auth activate --initial-admin=robot:admin
   ```

   Pachyderm returns a token for the `robot:admin` user.

   **WARNING!** You must save the token to a secure location
   to avoid being locked out of your cluster. This robot token does not
   depend on Google, so it is the credential you fall back on if the OIDC
   configuration is wrong and no Google user can log in.

1. Log in as the admin user with the token you received in the previous
   step, entering the token when prompted:

   ```shell
   pachctl auth use-auth-token
   ```

1. Set up the authentication config:

   ```shell
   pachctl auth set-config <<EOF
   {
     "live_config_version": 2,
     "id_providers": [{
       "name": "google-oauth",
       "description": "oidc-based authentication with Google OAuth 2.0",
       "oidc":{
         "issuer": "https://accounts.google.com",
         "client_id": "<client-id>",
         "client_secret": "<client-secret>",
         "redirect_uri": "https://<hostname>:30657/authorization-code/callback"
       }
     }]
   }
   EOF
   ```

   You need to replace the following placeholders with relevant values:

   - `issuer` — In the case of Google OAuth 2.0, this is always
     `https://accounts.google.com`. Pachyderm checks that the `iss` claim
     of every ID token matches this value, so do not add a trailing slash
     or path.

   - `client_id` — The Pachyderm **Client ID** in the Google OAuth
     2.0 Credentials page.

   - `client_secret` — The Pachyderm client secret in the Google OAuth
     2.0 Credentials page.

   - `redirect_uri` — This parameter must match, character for character,
     what you have added to **Authorized redirect URIs** in the previous
     section (in particular, `https://`, not `http://`). A mismatch makes
     Google reject the authorization request before the user ever sees the
     consent screen.

   The config contains the client secret. Keep it out of shell history and
   version control, for example by writing it to a file with restrictive
   permissions and running `pachctl auth set-config < auth-config.json`.

1. Sign in with Google:

   1. Run:

      ```shell
      pachctl auth login
      ```

      `pachctl` opens a web browser (or prints a URL for you to open).
      Sign in with your Google account.

      You should see the following message printed out in your browser:

      ```
      You are now logged in. Go back to the terminal to use Pachyderm!
      ```

   1. In the terminal, check that you are logged in as the Google user:

      ```shell
      pachctl auth whoami
      ```

      **Example of System Response:**

      ```shell
      You are "google-oauth:test@pachyderm.com"
      session expires: 07 Aug 20 16:27 PDT
      ```

      The principal name is the ID provider `name` from the config followed
      by the user's Google email address; that is the form you use when
      granting this user access with `pachctl auth set`.
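The `pachctl auth set-config` step above fails in ways that are only visible later, at `pachctl auth login` time: a placeholder left in the JSON, a `redirect_uri` whose scheme or host Google refuses to register, or one that differs from the URI entered in the console. The following added example (it is not part of the Pachyderm docs or code base; the function and file names, `pachd.example.com`, and the sample client ID and secret are constructed for illustration) builds the same config document and lints it against those rules before you pipe it into `pachctl`. The checks encode Google's published redirect-URI requirements (HTTPS and a DNS hostname, localhost exempt) and the page's requirement that the URI match the registered one exactly; the Pachyderm port 30657 itself is not validated, because a cluster behind a reverse proxy may legitimately use another port.

```python
"""Lint a Pachyderm v2 auth config for Google OIDC before `pachctl auth set-config`.

Added example, not part of the Pachyderm project. Usage:
    python3 lint_auth_config.py > auth-config.json && pachctl auth set-config < auth-config.json
The script exits non-zero and prints nothing on stdout if the config is unusable.
"""
import ipaddress
import json
import sys
from urllib.parse import urlparse

GOOGLE_ISSUER = "https://accounts.google.com"
CALLBACK_PATH = "/authorization-code/callback"


def build_config(client_id, client_secret, redirect_uri):
    """Return the live_config_version 2 document shown in the docs above."""
    return {
        "live_config_version": 2,
        "id_providers": [{
            "name": "google-oauth",
            "description": "oidc-based authentication with Google OAuth 2.0",
            "oidc": {
                "issuer": GOOGLE_ISSUER,
                "client_id": client_id,
                "client_secret": client_secret,
                "redirect_uri": redirect_uri,
            },
        }],
    }


def redirect_uri_problems(uri):
    """Google's rules for web-client redirect URIs: https scheme and a DNS
    hostname (localhost exempt from both), plus the fixed pachd callback path."""
    problems = []
    parsed = urlparse(uri)
    host = parsed.hostname or ""
    is_localhost = host in ("localhost", "127.0.0.1", "::1")
    if parsed.scheme != "https" and not (parsed.scheme == "http" and is_localhost):
        problems.append("scheme must be https (got %r)" % parsed.scheme)
    try:
        ipaddress.ip_address(host)  # raises ValueError for a DNS name
        if not is_localhost:
            problems.append("host must be a DNS name, not a raw IP address")
    except ValueError:
        pass
    if parsed.path != CALLBACK_PATH:
        problems.append("path must be %s (got %r)" % (CALLBACK_PATH, parsed.path))
    return problems


def config_problems(config, registered_redirect_uris):
    """Return a list of human-readable problems; an empty list means the
    config is consistent with what was registered in the Google console."""
    problems = []
    for idp in config["id_providers"]:
        oidc = idp["oidc"]
        for key, value in oidc.items():
            if value.startswith("<") and value.endswith(">"):
                problems.append("%s still holds the placeholder %s" % (key, value))
        if oidc["issuer"] != GOOGLE_ISSUER:
            problems.append("issuer must be exactly %s" % GOOGLE_ISSUER)
        problems.extend(redirect_uri_problems(oidc["redirect_uri"]))
        # Google compares the redirect URI as an exact string, so anything
        # not registered verbatim (including http vs https) is rejected.
        if oidc["redirect_uri"] not in registered_redirect_uris:
            problems.append("redirect_uri is not one of the Authorized redirect URIs")
    return problems


def render_config(config):
    """JSON in the shape pachctl auth set-config reads from stdin."""
    return json.dumps(config, indent=2)


if __name__ == "__main__":
    # Constructed sample values; replace with the ones from your console.
    registered = {"https://pachd.example.com:30657/authorization-code/callback"}
    cfg = build_config("1234567890-abc.apps.googleusercontent.com", "example-secret",
                       "https://pachd.example.com:30657/authorization-code/callback")
    found = config_problems(cfg, registered)
    for p in found:
        print("auth config problem: " + p, file=sys.stderr)
    if found:
        sys.exit(1)
    print(render_config(cfg))
```

Keep the registered set in sync with the console by hand; the script cannot query Google for it, which is exactly why the exact-match check is worth running locally before the first login attempt.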