diff --git a/Makefile b/Makefile index 505281c..3d44172 100644 --- a/Makefile +++ b/Makefile @@ -2,7 +2,7 @@ TARGET = ./cc-backend VAR = ./var CFG = config.json .env FRONTEND = ./web/frontend -VERSION = 1.1.0 +VERSION = 1.2.0 GIT_HASH := $(shell git rev-parse --short HEAD || echo 'development') CURRENT_TIME = $(shell date +"%Y-%m-%d:T%H:%M:%S") LD_FLAGS = '-s -X main.date=${CURRENT_TIME} -X main.version=${VERSION} -X main.commit=${GIT_HASH}' diff --git a/ReleaseNotes.md b/ReleaseNotes.md index d66a27f..c10ecd5 100644 --- a/ReleaseNotes.md +++ b/ReleaseNotes.md @@ -7,12 +7,12 @@ implementation of ClusterCockpit. ** Breaking changes ** -The LDAP configuration option user_filter was changed and now should not include -the wildcard. Example: -* Old: `"user_filter": "(&(objectclass=posixAccount)(uid=*))"` -* New: `"user_filter": "&(objectclass=posixAccount)"` +* The LDAP configuration option user_filter was changed and now should not include +the uid wildcard. Example: + - Old: `"user_filter": "(&(objectclass=posixAccount)(uid=*))"` + - New: `"user_filter": "(&(objectclass=posixAccount))"` -The aggregate job statistic core hours is now computed using the job table +* The aggregate job statistic core hours is now computed using the job table column `num_hwthreads`. In a future release this column will be renamed to `num_cores`. For correct display of core hours `num_hwthreads` must be correctly filled on job start. If your existing jobs do not provide the correct value in @@ -21,6 +21,10 @@ if you have exclusive jobs, only. Please be aware that we treat this column as it is the number of cores. In case you have SMT enabled and `num_hwthreads` is not the number of cores the core hours will be too high by a factor! +* The jwts key is now mandatory in config.json. It has to set max-age for + validity. Some key names have changed, please refer to + [config documentation](./configs/README.md) for details. + ** NOTE ** If you are using the sqlite3 backend the `PRAGMA` option `foreign_keys` must be explicitly set to ON. If using the sqlite3 console it is per default set to diff --git a/configs/README.md b/configs/README.md index 944d0d3..76029d1 100644 --- a/configs/README.md +++ b/configs/README.md @@ -16,26 +16,41 @@ It is supported to set these by means of a `.env` file in the project root. * `static-files`: Type string. Folder where static assets can be found, if `embed-static-files` is `false`. No default. * `db-driver`: Type string. 'sqlite3' or 'mysql' (mysql will work for mariadb as well). Default `sqlite3`. * `db`: Type string. For sqlite3 a filename, for mysql a DSN in this format: https://github.com/go-sql-driver/mysql#dsn-data-source-name (Without query parameters!). Default: `./var/job.db`. -* `job-archive`: Type string. Path to the job-archive. Default: `./var/job-archive`. +* `job-archive`: Type object. + - `kind`: Type string. At them moment only file is supported as value. + - `path`: Type string. Path to the job-archive. Default: `./var/job-archive`. + - `compression`: Type integer. Setup automatic compression for jobs older than number of days. + - `retention`: Type object. + - `policy`: Type string (required). Retention policy. Possible values none, delete, + move. + - `includeDB`: Type boolean. Also remove jobs from database. + - `age`: Type integer. Act on jobs with startTime older than age (in days). + - `location`: Type string. The target directory for retention. Only applicable for retention policy move. * `disable-archive`: Type bool. Keep all metric data in the metric data repositories, do not write to the job-archive. Default `false`. * `validate`: Type bool. Validate all input json documents against json schema. * `session-max-age`: Type string. Specifies for how long a session shall be valid as a string parsable by time.ParseDuration(). If 0 or empty, the session/token does not expire! Default `168h`. -* `jwt-max-age`: Type string. Specifies for how long a JWT token shall be valid as a string parsable by time.ParseDuration(). If 0 or empty, the session/token does not expire! Default `0`. * `https-cert-file` and `https-key-file`: Type string. If both those options are not empty, use HTTPS using those certificates. * `redirect-http-to`: Type string. If not the empty string and `addr` does not end in ":80", redirect every request incoming at port 80 to that url. * `machine-state-dir`: Type string. Where to store MachineState files. TODO: Explain in more detail! * `stop-jobs-exceeding-walltime`: Type int. If not zero, automatically mark jobs as stopped running X seconds longer than their walltime. Only applies if walltime is set for job. Default `0`. * `short-running-jobs-duration`: Type int. Do not show running jobs shorter than X seconds. Default `300`. +* `jwts`: Type object (required). For JWT Authentication. + - `max-age`: Type string (required). Configure how long a token is valid. As string parsable by time.ParseDuration(). + - `cookieName`: Type string. Cookie that should be checked for a JWT token. + - `vaidateUser`: Type boolean. Deny login for users not in database (but defined in JWT). Overwrite roles in JWT with database roles. + - `trustedIssuer`: Type string. Issuer that should be accepted when validating external JWTs. + - `syncUserOnLogin`: Type boolean. Add non-existent user to DB at login attempt with values provided in JWT. * `ldap`: Type object. For LDAP Authentication and user synchronisation. Default `nil`. - - `url`: Type string. URL of LDAP directory server. - - `user_base`: Type string. Base DN of user tree root. - - `search_dn`: Type string. DN for authenticating LDAP admin account with general read rights. - - `user_bind`: Type string. Expression used to authenticate users via LDAP bind. Must contain `uid={username}`. - - `user_filter`: Type string. Filter to extract users for syncing. + - `url`: Type string (required). URL of LDAP directory server. + - `user_base`: Type string (required). Base DN of user tree root. + - `search_dn`: Type string (required). DN for authenticating LDAP admin account with general read rights. + - `user_bind`: Type string (required). Expression used to authenticate users via LDAP bind. Must contain `uid={username}`. + - `user_filter`: Type string (required). Filter to extract users for syncing. - `username_attr`: Type string. Attribute with full user name. Defaults to `gecos` if not provided. - `sync_interval`: Type string. Interval used for syncing local user table with LDAP directory. Parsed using time.ParseDuration. - - `sync_del_old_users`: Type bool. Delete obsolete users in database. -* `clusters`: Type array of objects + - `sync_del_old_users`: Type boolean. Delete obsolete users in database. + - `syncUserOnLogin`: Type boolean. Add non-existent user to DB at login attempt if user exists in Ldap directory. +* `clusters`: Type array of objects (required) - `name`: Type string. The name of the cluster. - `metricDataRepository`: Type object with properties: `kind` (Type string, can be one of `cc-metric-store`, `influxdb` ), `url` (Type string), `token` (Type string) - `filterRanges` Type object. This option controls the slider ranges for the UI controls of numNodes, duration, and startTime. Example: diff --git a/configs/config.json b/configs/config.json index 3a2c64b..fbc3343 100644 --- a/configs/config.json +++ b/configs/config.json @@ -5,7 +5,7 @@ "user_base": "ou=people,ou=hpc,dc=test,dc=de", "search_dn": "cn=hpcmonitoring,ou=roadm,ou=profile,ou=hpc,dc=test,dc=de", "user_bind": "uid={username},ou=people,ou=hpc,dc=test,dc=de", - "user_filter": "(&(objectclass=posixAccount)(uid=*))" + "user_filter": "(&(objectclass=posixAccount))" }, "https-cert-file": "/etc/letsencrypt/live/url/fullchain.pem", "https-key-file": "/etc/letsencrypt/live/url/privkey.pem",