Available as of v2.3.0
If your organization uses G Suite for user authentication, you can configure Rancher to allow your users to log in using their G Suite credentials.
Only admins of the G Suite domain have access to the Admin SDK. Therefore, only G Suite admins can configure Google OAuth for Rancher.
Within Rancher, only administrators or users with the Manage Authentication global role can configure authentication.
After the Admin SDK API is enabled, your G Suite domain’s API screen should look like this:
Before you can set up Google OAuth in Rancher, you need to log in to your G Suite account and do the following:
Result: Rancher has been added as an authorized domain for the Admin SDK API.
Authorized JavaScript origins: https://rancherServer
Authorized redirect URIs: https://rancherServer/verify-auth
Here rancherServer stands for your Rancher server's hostname. The redirect URI must match the value Rancher sends exactly (scheme, host, and the /verify-auth path), because Google refuses to redirect to a URI that is not registered on the client.
Result: Your OAuth credentials have been successfully created.
Since the Google Admin SDK is available only to admins, regular users cannot use it to retrieve profiles of other users or their groups. Regular users cannot even retrieve their own groups.
Since Rancher provides group-based membership access, we require the users to be able to get their own groups, and look up other users and groups when needed.
As a workaround, Google recommends creating a service account and granting it domain-wide delegation of authority over your G Suite domain. A service account with domain-wide delegation can act as any user in the domain for the scopes it has been granted, so limit the grant to the read-only scopes listed below and protect the service account key as you would an admin credential.
This section describes how to:
Result: Your service account is created.
You will need to grant some permissions to the service account you created in the last step. Rancher needs only read-only access to users and groups, so grant only the read-only scopes and nothing broader.
Using the Unique ID of the service account key, register it as an OAuth client using the following steps:
Get the Unique ID of the key you just created. If it is not displayed in the list of keys next to the one you created, enable the column: click Unique ID and click OK. This adds a Unique ID column to the list of service account keys. Save the value listed for the service account you created. NOTE: the Unique ID is numeric; do not confuse it with the alphanumeric Key ID field.
Go to the Manage OAuth Client Access page.
Add the Unique ID obtained in the previous step in the Client Name field.
In the One or More API Scopes field, add the following scopes:
openid,profile,email,https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.group.readonly
Click Authorize.
Result: The service account is registered as an OAuth client in your G Suite account.
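The delegation steps above, as an added example that is not Rancher's or Google's code: a small Python audit that compares a registered OAuth client (the client name and scope list as copied from the Manage OAuth Client Access page) with the downloaded service account key, enforcing the Unique ID versus Key ID distinction and the read-only scope set, and then builds the RFC 7523 claim set a client signs with that key to act as a G Suite admin. The sample key file, the project and service account names, and admin@example.com are constructed placeholders; the RS256 signing step is left to the caller (google-auth or the cryptography package do it), so the module runs offline with the standard library only.

```python
"""Audit a domain-wide delegation grant for Rancher's service account.

Added example, not Rancher's or Google's code. Checks that the OAuth client
name is the numeric Unique ID (`client_id` in the JSON key), not the Key ID
(`private_key_id`), that the scopes are exactly the read-only set, and builds
the JWT-bearer claim set; RS256 signing is left to the caller.
"""
import base64
import json
import time
from dataclasses import dataclass

# The scopes from the "One or More API Scopes" step: all Rancher needs.
RANCHER_SCOPES = frozenset({
    "openid",
    "profile",
    "email",
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
})

# Google's token endpoint; a service-account JWT grant must carry it as `aud`.
TOKEN_AUD = "https://oauth2.googleapis.com/token"


@dataclass(frozen=True)
class ServiceAccountKey:
    client_email: str
    client_id: str       # numeric Unique ID: what you register as the OAuth client
    private_key_id: str  # alphanumeric Key ID: goes in the JWT header `kid` only


def load_service_account_key(json_text: str) -> ServiceAccountKey:
    """Parse the JSON key file the console downloads when a key is created."""
    d = json.loads(json_text)
    if d.get("type") != "service_account":
        raise ValueError("not a service account key file")
    return ServiceAccountKey(d["client_email"], d["client_id"], d["private_key_id"])


def parse_scope_field(field: str) -> list:
    """Split the comma-separated scope list as entered in the admin console."""
    return [s.strip() for s in field.split(",") if s.strip()]


def audit_delegation(key: ServiceAccountKey, client_name: str, scopes) -> list:
    """Compare a registered OAuth client with the key; return findings (empty = OK)."""
    findings = []
    if client_name == key.private_key_id:
        findings.append("client name is the Key ID; register the numeric Unique ID instead")
    elif client_name != key.client_id:
        findings.append(f"client name {client_name!r} does not match the key's client_id")
    granted = set(scopes)
    for s in sorted(granted - RANCHER_SCOPES):
        findings.append(f"over-privileged scope granted: {s}")
    for s in sorted(RANCHER_SCOPES - granted):
        findings.append(f"required scope missing: {s}")
    return findings


def build_delegation_claims(key: ServiceAccountKey, admin_subject: str,
                            scopes, now: int = None) -> dict:
    """Claim set for the JWT-bearer grant that impersonates `admin_subject`."""
    requested = set(scopes)
    if not requested <= RANCHER_SCOPES:
        raise PermissionError(f"refusing scopes beyond read-only: {sorted(requested - RANCHER_SCOPES)}")
    now = int(time.time()) if now is None else int(now)
    return {
        "iss": key.client_email,
        "sub": admin_subject,            # the admin whose Directory API access is borrowed
        "scope": " ".join(sorted(requested)),
        "aud": TOKEN_AUD,
        "iat": now,
        "exp": now + 3600,               # Google rejects assertions valid for longer than 1h
    }


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwt_signing_input(key: ServiceAccountKey, claims: dict) -> str:
    """header.payload: the bytes an RS256 signer signs with the private key."""
    header = {"alg": "RS256", "typ": "JWT", "kid": key.private_key_id}
    return (_b64url(json.dumps(header, separators=(",", ":")).encode())
            + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))


def decode_unverified(signing_input: str) -> tuple:
    """Inspect header and claims of a signing input (no signature check)."""
    def part(seg):
        return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
    h, p = signing_input.split(".")[:2]
    return part(h), part(p)


# Constructed sample key file (not a real key); only the identifying fields matter here.
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "private_key_id": "3f1a9c0b2e7d4a6f8b1c2d3e4f5a6b7c8d9e0f1a",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "rancher-auth@example-project.iam.gserviceaccount.com",
    "client_id": "104567890123456789012",
})

if __name__ == "__main__":
    key = load_service_account_key(SAMPLE_KEY_JSON)
    good = parse_scope_field("openid,profile,email,"
                             "https://www.googleapis.com/auth/admin.directory.user.readonly,"
                             "https://www.googleapis.com/auth/admin.directory.group.readonly")
    print("correct grant:", audit_delegation(key, key.client_id, good) or "no findings")
    # Two common mistakes: pasting the Key ID, and granting the writable user scope.
    bad = good + ["https://www.googleapis.com/auth/admin.directory.user"]
    for f in audit_delegation(key, key.private_key_id, bad):
        print("finding:", f)
    print(jwt_signing_input(key, build_delegation_claims(key, "admin@example.com", good)))
```

To obtain a token, sign the output of jwt_signing_input with the service account's private key (RS256), append the base64url signature as the third segment, and POST it to the token endpoint with grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer; the `sub` claim is what turns a service account call into a call made as the named G Suite admin, which is why the grant must stay read-only.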
Result: Google authentication is successfully configured.