Datalore 2024.4 Help

Enable SSO for Kubernetes deployment

You can use JetBrains Hub (further in the article referred to as Hub) for user authentication and user management in Datalore. Hub supports most popular auth modules.

This procedure explains how to enable Hub for Datalore On-Premises installed using Kubernetes.

Install Hub

  1. Create a hub.values.yaml file and add your volume configuration to it. Refer to the examples below.

    HostPath volumes example

    • Create directories:

      mkdir -p /data/hub/{data,conf,logs,backups}
      chown -R 0:0 /data/hub
    • Add the following code to hub.values.yaml:

      # type: Directory requires each hostPath to already exist on the node
      volumes:
        - name: data
          hostPath:
            path: /opt/hub/data
            type: Directory
        - name: conf
          hostPath:
            path: /opt/hub/conf
            type: Directory
        - name: logs
          hostPath:
            path: /opt/hub/logs
            type: Directory
        - name: backups
          hostPath:
            path: /opt/hub/backups
            type: Directory
      volumeMounts:
        - name: data
          mountPath: /opt/hub/data
        - name: conf
          mountPath: /opt/hub/conf
        - name: logs
          mountPath: /opt/hub/logs
        - name: backups
          mountPath: /opt/hub/backups

    volumeClaimTemplates example

    • Add the following code to hub.values.yaml:

      volumeClaimTemplates:
        - metadata:
            name: hub
          spec:
            accessModes:
              - ReadWriteOnce
            resources:
              requests:
                storage: 10Gi
      volumeMounts:
        - name: hub
          mountPath: /opt/hub/data
          subPath: data
        - name: hub
          mountPath: /opt/hub/conf
          subPath: conf
        - name: hub
          mountPath: /opt/hub/logs
          subPath: logs
        - name: hub
          mountPath: /opt/hub/backups
          subPath: backups
  2. Install the Hub Helm chart using the helm install -f hub.values.yaml hub datalore/hub --version 0.2.18 command.

  3. Check the container output (using the kubectl logs service/hub command) for a wizard_token. The output should have a line like this:

    JetBrains Hub 2022.3 Configuration Wizard will listen inside container on {0.0.0.0:8080}/ after start and can be accessed by this URL: [http://<put-your-docker-HOST-name-here>:<put-host-port-mapped-to-container-port-8080-here>/?wizard_token=pPXTShp4NXceXqGYzeAq].

    Copy the wizard_token value to the clipboard.

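  4. For further configuration, forward a Hub port from Kubernetes to your local machine. Note that --address 0.0.0.0 makes the forwarded port reachable on every network interface of that machine, not only on localhost: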

    kubectl port-forward --address 0.0.0.0 service/hub 8082
  5. Go to http://localhost:8082/ and insert the wizard_token into the Token field.

  6. Click the Log in button.

  7. Click the Set Up link.

  8. Generate a URL (referred to as HUB_ROOT_URL later) to access Hub from Datalore. Consider the following:

    • The URL must be accessible from both the cluster pods and the browser (by the end users of your Datalore installation).

    • The URL must point to the / path of your Hub installation, i.e. http://127.0.0.1:8080/ inside the container where Hub is launched (by default, the hub-0 pod).

    • How you set up your cluster to serve such a URL depends on the specifics of your cluster configuration.

  9. In Base URL, enter HUB_ROOT_URL. Do not change the Application Listen Port setting.

  10. Click the Next button.

  11. Configure the admin account by setting the admin password.

  12. Click the Next button.

  13. Click the Finish button and wait for Hub to start.

Configure Hub

Go to HUB_ROOT_URL and log in to Hub with the admin account.

Configure the Datalore service

  1. Generate one more URL (referred to as DATALORE_ROOT_URL later) to access Datalore. Consider the following:

    • The URL must be accessible from the browser (by the end users of your Datalore installation).

    • The URL must point to the / path of your Datalore installation, i.e. http://127.0.0.1:8080/ inside the container where Datalore will be launched (by default, it is pod datalore-on-premise-0).

    • How you set up your cluster to serve such a URL depends on the specifics of your cluster configuration.

  2. Go to Services (${HUB_ROOT_URL}/hub/services) and click the New service button. Use the name datalore and enter DATALORE_ROOT_URL in Home URL.

  3. Copy the ID field value and save it somewhere: it is used when configuring Datalore ($HUB_DATALORE_SERVICE_ID property).

  4. Click the Change... button next to the Secret label.

  5. Copy the generated secret and save it somewhere: it will be used when configuring Datalore ($HUB_DATALORE_SERVICE_SECRET property).

  6. Click the Change secret button.

  7. Enter DATALORE_ROOT_URL in the Base URLs field.

  8. Enter the line /api/hub/openid/login in the Redirect URIs field.

  9. Click the Trust Service button in the upper right corner.

  10. Click the Save button.

Create a Hub token

  1. Go to Users (${HUB_ROOT_URL}/hub/users).

  2. Click your admin username.

  3. Switch to the Account Security tab.

  4. Click the New token... button.

  5. Add Hub and Datalore into Scope. You can use any Name. Click the Create button. Copy the token (with the perm: prefix) and save it somewhere. It will be used when configuring Datalore ($HUB_PERM_TOKEN property).

(Optional) Force email verification

Datalore uses user emails from Hub, so it is recommended to force email verification in Hub. When this option is enabled, users with unverified emails will not be able to use Datalore.

  1. Configure the SMTP server:

    • Go to SMTP (${HUB_ROOT_URL}/hub/smtp-settings).

    • Click the Configure SMTP server... button.

    • Configure your SMTP server parameters.

    • Click the Save button.

    • Click the Enable notifications button.

    • (Optional) To make sure your configuration is working, click the Send Test message button.

  2. Enable email verification:

    • Go to Auth Modules (${HUB_ROOT_URL}/hub/authmodules).

    • Open the Common settings page.

    • Enable the Email verification option.

    • Click the Save button.

  3. Set and verify an admin user email:

    • Go to Users (${HUB_ROOT_URL}/hub/users).

    • Click your admin username.

    • Set an email in the Email field.

    • Click the Save button.

    • Click the Send verification email link.

    • Find the verification email in your inbox and click the Verify email address button.

(Optional) Enable auth modules

  1. Go to Auth Modules (${HUB_ROOT_URL}/hub/authmodules).

  2. Add or remove auth modules (for example, Google Auth, GitHub Auth, LDAP, and so on). Find more details here.

Configure the Datalore service

Edit the values under the dataloreEnv key in the datalore.values.yaml file.

Define the following environment values:

HUB_PUBLIC_BASE_URL

Base public (accessible via browser) URL of your Hub installation (${HUB_ROOT_URL}/hub from the Install Hub section, for example, https://hub.your.domain/hub).

HUB_INTERNAL_BASE_URL

URL used to access Hub when Hub and Datalore are installed in different namespaces.

HUB_DATALORE_SERVICE_ID

ID of the Datalore service in Hub (see Configure the Datalore service).

HUB_DATALORE_SERVICE_SECRET

Token of the Datalore service in Hub (see Configure the Datalore service).

HUB_PERM_TOKEN

Token for accessing Datalore and Hub scopes (see Create a Hub token).

HUB_FORCE_EMAIL_VERIFICATION

Used to specify whether email verification is required from the Datalore user. Set the parameter to false if you didn't configure an SMTP server (see Force email verification).

Example

dataloreEnv:
  ...
  HUB_PUBLIC_BASE_URL: "http://127.0.0.1:8082/hub"
  HUB_INTERNAL_BASE_URL: "http://hub:8082/hub"
  HUB_DATALORE_SERVICE_ID: "9030674b-2679-495a-b606-c554384f42a3"
  HUB_DATALORE_SERVICE_SECRET: "sHCpaPQfPWco"
  HUB_PERM_TOKEN: "perm:YWRtaW4=.NDUtMA==.MBJEauHYuzg9nSXS6d1FkJ93zZcZvT"
  HUB_FORCE_EMAIL_VERIFICATION: "false"
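
A pre-deployment check for the dataloreEnv block described above, as an added example that is not part of the Datalore documentation or tooling. It parses the flat KEY: "value" entries and reports values that contradict this page: missing keys, a base URL that does not end in /hub, a token without the perm: prefix, disabled email verification, and the secret or token printed in the Example. The function names, the plain-http finding and the hub.example.test hostname are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

REQUIRED = ("HUB_PUBLIC_BASE_URL", "HUB_DATALORE_SERVICE_ID",
            "HUB_DATALORE_SERVICE_SECRET", "HUB_PERM_TOKEN")
# Secret and token printed in the page's Example block; never valid in a real deployment.
DOC_SAMPLES = {"sHCpaPQfPWco",
               "perm:YWRtaW4=.NDUtMA==.MBJEauHYuzg9nSXS6d1FkJ93zZcZvT"}

def parse_datalore_env(text):
    """Collect flat KEY: "value" pairs nested under the top-level dataloreEnv key."""
    env, inside = {}, False
    for line in text.splitlines():
        if re.match(r"^dataloreEnv:\s*$", line):
            inside = True
        elif inside and (m := re.match(r'^\s+([A-Z0-9_]+):\s*"?([^"#]*?)"?\s*$', line)):
            env[m.group(1)] = m.group(2)
        elif inside and line.strip() and not line.startswith((" ", "#")):
            inside = False  # the next top-level key ends the block
    return env

def lint_datalore_env(env):
    """Return findings as 'KEY: problem' strings; an empty list means no findings."""
    findings = [f"{k}: missing" for k in REQUIRED if not env.get(k)]
    for key in ("HUB_PUBLIC_BASE_URL", "HUB_INTERNAL_BASE_URL"):
        if key in env and not urlsplit(env[key]).path.rstrip("/").endswith("/hub"):
            findings.append(f"{key}: must end in /hub")
    if urlsplit(env.get("HUB_PUBLIC_BASE_URL", "")).scheme == "http":
        findings.append("HUB_PUBLIC_BASE_URL: plain http exposes the login flow")
    if not env.get("HUB_PERM_TOKEN", "perm:").startswith("perm:"):
        findings.append("HUB_PERM_TOKEN: lacks the perm: prefix")
    if env.get("HUB_FORCE_EMAIL_VERIFICATION") == "false":
        findings.append("HUB_FORCE_EMAIL_VERIFICATION: unverified Hub emails accepted")
    findings += [f"{k}: documentation sample value" for k, v in env.items()
                 if v in DOC_SAMPLES]
    return findings

# Constructed sample: a values file where the page's example was pasted and half edited.
SAMPLE = '''\
dataloreEnv:
  HUB_PUBLIC_BASE_URL: "http://hub.example.test/"
  HUB_DATALORE_SERVICE_ID: "00000000-0000-0000-0000-000000000000"
  HUB_DATALORE_SERVICE_SECRET: "sHCpaPQfPWco"
  HUB_PERM_TOKEN: "constructed-token-without-prefix"
  HUB_FORCE_EMAIL_VERIFICATION: "false"
'''

if __name__ == "__main__":
    print("\n".join(lint_datalore_env(parse_datalore_env(SAMPLE))))
```

The parser handles only the flat scalar layout shown in the Example; run the check on datalore.values.yaml before helm install, and treat any finding as a reason to stop.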
Last modified: 18 September 2024