Friday, August 26, 2011

Google Apps authentication and Splunk SSO

It's no secret, I <3 splunk. But I'm not here to tell you why you NEED splunk (just take my word for it). I'm here to let you know about splunk-auth-proxy. splunk-auth-proxy is a simple node.js web app written in coffeescript which allows you to use Google Apps OpenID authentication to authenticate splunk access. It was written primarily by my co-worker Jonathan Rudenberg with a little help from me. So how do we use it?

I would highly suggest using a systems management system to automate deployment (we prefer chef). However, here I'll provide manual installation instructions for those less fortunate sysadmins.

These instructions were tested on Ubuntu 10.04 LTS.

Start by installing node.js and node package manager (npm):

install node.js and npm

sudo apt-get install python-software-properties
sudo add-apt-repository ppa:chris-lea/node.js
sudo apt-get update
sudo apt-get install nodejs npm

install splunk-auth-proxy

sudo apt-get install git-core
git clone https://github.com/Shopify/splunk-auth-proxy.git
cd splunk-auth-proxy
npm install

configure splunk-auth-proxy

splunk-auth-proxy requires you to specify the location of the SSL private key and certificate you want to use as well as your Google Apps domain name and secret (creating your SSL private key and certificate is outside the scope of this howto).

edit config.json

{
  "web": {
    "port": "4000"
  },
  "ssl": {
    "key": "./certs/privatekey.pem",
    "cert": "./certs/certificate.pem"
  },
  "splunk": {
    "hostname": "localhost",
    "port": "8000"
  },
  "google": {
    "domain": "example.com",
    "secret": "mygoogleappssupersecret"
  }
}

configure splunk

In $SPLUNK_HOME/etc/system/local/, add the following to server.conf and web.conf. With SSOMode = strict, splunk web will only accept requests that arrive from the trustedIP and carry the Remote-User header, so the proxy becomes the sole login path:

server.conf
[general]
trustedIP = 127.0.0.1


web.conf
[settings]
enableSplunkWebSSL = 0
trustedIP = 127.0.0.1
SSOMode = strict
remoteUser = Remote-User

As documented in the splunk SSO docs, you will need to make sure you have already set up splunk users that match your Google Apps users. The quick and dirty solution is to download your Google Apps user list as a .csv and then use a script like useradd-csv2splunk.sh, included with splunk-auth-proxy, to bulk add the users. You will need to update the script with proper splunk admin credentials and have a properly formatted .csv. The format for the .csv file is:

email,firstname,lastname,splunkRole
dale.neufeld@example.com,Dale,Neufeld,admin

Run the script against your .csv:

chmod +x useradd-csv2splunk.sh
sudo ./useradd-csv2splunk.sh users.csv

Output:

processing dale.neufeld@example.com...
User added.
...successfully added dale.neufeld


Test launch splunk-auth-proxy

./node_modules/coffee-script/bin/coffee server.coffee config.json

Now let's see if that worked. Browse to:

https://localhost:4000

Hopefully you're taken to the Google login page, authenticated and passed right into splunk, fully authenticated and ready to search!

Daemonizing splunk-auth-proxy

We like runit for service start-up and supervision.

sudo apt-get install runit
cd /etc/sv/
sudo mkdir splunk-auth-proxy
cd splunk-auth-proxy
sudo touch run
sudo chmod +x run
sudo vim run


contents of /etc/sv/splunk-auth-proxy/run
#!/bin/sh

exec 2>&1
cd /path/to/splunk-auth-proxy
export NODE_ENV=production
exec ./node_modules/.bin/coffee server.coffee ./config.json


configure runit logging
sudo mkdir -p log/main
cd log
sudo touch run
sudo chmod +x run
sudo vim run


contents of /etc/sv/splunk-auth-proxy/log/run
#!/bin/sh
exec svlogd -tt ./main


start splunk-auth-proxy service

sudo ln -s /etc/sv/splunk-auth-proxy /etc/service/
sudo sv restart splunk-auth-proxy


And there you have it! You should now have a fully functional SSO proxy sitting in front of splunk allowing your users to forget one more password! As a bonus, you also now have simple two-factor authentication capabilities ready to go if you use Google Apps two-step verification.