Nick Couchman,

> > * You can set up the database extensions to auto-create users when they
> > are successfully authenticated by another module:
> > https://guacamole.apache.org/doc/gug/jdbc-auth.html#auto-creating-database-users

Have no idea how I missed this. It seems to answer my question completely.

> I'm not sure exactly what you mean when you say that "connection
> provisioning is not supported"

You are correct. I chose the wrong word. I was thinking about (Grafana, ClickHouse, Postgres)-like provisioning, where the XML (YAML/JSON) is put in a specific directory of a pod and changes are monitored by the application. This basically allows git to be used as the source of config files and lets you easily mount them via a common Helm mechanism.

But thank you very much. Indeed, the REST API and DB operations are pretty simple alternative options. GUACAMOLE-926 sounds tempting.

Fri, 13 Sept 2024 at 16:53, Nick Couchman <vn...@apache.org>:

> On Fri, Sep 13, 2024 at 9:36 AM Richard Hawkins <richard.hawk...@medctrbarbour.org> wrote:
>
>> And on further notice. You don't want to use the database internally in
>> guacamole. I don't know if that's possible, it might be. Sorry I couldn't
>> help on that.
>>
>> ------------------------------
>>
>> You can definitely apply it to active directories. You can even set up
>> groups. At one time I had this working and it worked really well, but I
>> wanted MFA authentication, so I removed all the active directories and went
>> strictly with MFA. I think I read somewhere I couldn't use active directory
>> and MFA at the same time. There's probably better solutions now; that was a
>> couple of years ago. I've been using guacamole for about five years or so.
>> It works really well once you get going good.
>> ==
>> I am testing Apache Guacamole with the purpose to deploy it in k8s.
>> Deploying it locally and reading the manual, I was not able to answer the
>> questions that arose.
>> Here:
>> https://guacamole.apache.org/doc/gug/configuring-guacamole.html
>> it says something like you have to look into a specific auth plugin for
>> how to manage users.
>> In the auth plugin guides I can't find any information which would point to
>> how it creates (or does not create) the users.
>> This is the reason why I am forced to ask community/maintainers for help
>> to understand the best way to go. We have two requirements:
>> 1. We don't want to maintain the user list on the guacamole side. We use
>> Active Directory. We have Pomerium in k8s which is able to proxy an HTTP
>> header with the user name to Apache Guacamole. Or we can use OpenID. But the
>> biggest issue is whether Guacamole still needs the list of users on its side,
>> or will it log in any user? Pomerium has AD Groups based access. So, if
>> Pomerium allows the proxied request to Guacamole, then this user should have the
>> ability to sign in. In simple words, the question is: What auth can we use,
>> so Apache Guacamole would be able to log in the user without having the list
>> of users in its own filesystem/db?
>>
>
> The answer is kind of - if you're using a database to store connections,
> you'll also need to store information on permissions, which means storing
> users and groups. HOWEVER, we have a couple of things that should make this
> much easier to manage so that you don't have to worry as much about
> maintaining the authentication information in the database:
> * You can set up the database extensions to auto-create users when they
> are successfully authenticated by another module:
> https://guacamole.apache.org/doc/gug/jdbc-auth.html#auto-creating-database-users
> * You can use group membership in your authentication mechanism (LDAP,
> OpenID, SAML, etc.), and match up those groups on the Guacamole DB side.
> This is specifically documented for LDAP + Database integration, but the
> overall principles apply to Database + SAML/OpenID/RADIUS/CAS/etc.:
> https://guacamole.apache.org/doc/gug/ldap-auth.html#associating-ldap-with-a-database
>
> Using those two items, you should be able to do things like create a group
> in Guacamole and assign it permissions, and then any users who are members
> of that same group in AD will get those permissions without having to
> specifically create them or assign them individual permissions. Hopefully
> this makes sense, but feel free to post back if you have further questions.
>
>> 2. The connection provisioning is not supported as far as I can see. We
>> could create a k8s job which will be retrieving the list of targets from
>> our internal systems, then creating connections via REST API. Is this the
>> only possible solution in our case?
>>
>
> I'm not sure exactly what you mean when you say that "connection
> provisioning is not supported" - it certainly is supported, through the
> following methods:
> * Manually enter connections on the Guacamole interface. Obviously if you
> have a lot of connections, this could take a long time.
> * Use the REST API (sorry, we don't have very good documentation for that
> at the moment) and script or automate the provisioning of connections from
> some system into the Guacamole REST API.
> * If you're using the database for storing connection information, you can
> also insert the data directly into the database, so you can automate that
> from some other system of record, as well, and just manually put the
> information into the underlying DB:
> https://guacamole.apache.org/doc/gug/jdbc-auth.html#modifying-data-manually
> * The JSON authentication extension lets you do some cool stuff with
> authenticating users from another system and providing their connections
> via encrypted JSON at the time of authentication, allowing you to use
> Guacamole as a remote access system without having to maintain any
> connection, user, group, etc. information within Guacamole:
> https://guacamole.apache.org/doc/gug/json-auth.html
> * If you're adept at Java coding, or like a good challenge, you can also
> write a custom extension that queries your system of record and presents
> connections to users based on that.
> * Finally, version 1.6.0 of Guacamole, when it is released, will include a
> bulk import function that allows importing connections from a CSV, JSON,
> and/or YAML file. This will be available both via the management GUI and
> the REST API: https://issues.apache.org/jira/browse/GUACAMOLE-926
>
> -Nick
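The REST-API provisioning job the thread discusses (a k8s job that pulls targets from an internal system of record and pushes them into Guacamole), written as an added example that is not from the thread or from the Guacamole project. It assumes the connection endpoints the Guacamole web UI itself uses (GET/POST/PUT/DELETE on /api/session/data/{dataSource}/connections and GET .../connections/{id}/parameters), which the thread notes are poorly documented; logging in (POST /api/tokens) and attaching the token are left to the transport callable, and the server contents and targets are constructed so the job runs offline.

```python
from typing import Callable, Dict, List, Tuple

Request = Tuple[str, str, dict]               # (HTTP method, path, JSON payload)
Transport = Callable[[str, str, dict], dict]  # runs one Request, returns decoded JSON;
                                              # assumed to log in and attach the auth token itself

def plan(desired: List[dict], existing: Dict[str, dict], base: str) -> List[Request]:
    """Diff the system of record against what Guacamole already holds. Matching by
    name makes re-runs idempotent; anything no longer in the source of record is
    deleted, so in production scope `existing` to a group the job owns, not ROOT."""
    by_name = {c["name"]: (cid, c) for cid, c in existing.items()}
    reqs: List[Request] = []
    for d in desired:
        body = {"parentIdentifier": "ROOT", "name": d["name"], "protocol": d["protocol"],
                "parameters": d["parameters"], "attributes": {}}
        if d["name"] not in by_name:
            reqs.append(("POST", base, body))
            continue
        cid, cur = by_name.pop(d["name"])
        if (cur["protocol"], cur.get("parameters", {})) != (d["protocol"], d["parameters"]):
            reqs.append(("PUT", f"{base}/{cid}", body))
    reqs.extend(("DELETE", f"{base}/{cid}", {}) for cid, _ in by_name.values())
    return reqs

def sync(transport: Transport, desired: List[dict], data_source: str = "postgresql") -> List[Request]:
    """Fetch connections (parameters are a separate call each), plan, apply; return what was applied."""
    base = f"/api/session/data/{data_source}/connections"
    existing = transport("GET", base, {})
    for cid, conn in existing.items():
        conn["parameters"] = transport("GET", f"{base}/{cid}/parameters", {})
    reqs = plan(desired, existing, base)
    for method, path, body in reqs:
        transport(method, path, body)
    return reqs

# Constructed in-memory stand-in for a Guacamole server so the example runs offline.
SERVER = {"7": {"name": "db-01", "protocol": "ssh", "parameters": {"hostname": "10.0.0.7", "port": "22"}},
          "8": {"name": "old-box", "protocol": "rdp", "parameters": {"hostname": "10.0.0.8"}}}
def fake_transport(method: str, path: str, body: dict) -> dict:
    if method == "GET" and path.endswith("/parameters"):
        return dict(SERVER[path.split("/")[-2]]["parameters"])
    if method == "GET":  # the listing omits parameters, as the real API does
        return {cid: {k: v for k, v in c.items() if k != "parameters"} for cid, c in SERVER.items()}
    return {}            # writes are acknowledged but not recorded by this stand-in
DESIRED = [  # constructed export from the internal "system of record"
    {"name": "db-01", "protocol": "ssh", "parameters": {"hostname": "10.0.0.7", "port": "22"}},
    {"name": "web-02", "protocol": "rdp", "parameters": {"hostname": "10.0.0.9", "port": "3389"}},
]
if __name__ == "__main__":
    for method, path, _ in sync(fake_transport, DESIRED):
        print(method, path)  # POST .../connections, then DELETE .../connections/8
```

Because `plan` is a pure diff, the same job can run on a schedule: an unchanged source of record produces no write requests, and a changed parameter produces a single PUT for that connection.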