[ 
https://issues.apache.org/jira/browse/GUACAMOLE-658?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16682525#comment-16682525
 ] 

Michael Jumper commented on GUACAMOLE-658:
------------------------------------------

You should already be able to achieve this using an extension. If you leverage 
the existing OpenID Connect support, the username of the user authenticated via 
OpenID will be exposed to all other extensions through the 
{{AuthenticatedUser}} object. You can then do with those credentials as you see 
fit, start/stop pods as dynamically as you desire, and inject whatever data you 
need however you wish.

Outside of an extension, I don't think an implementation of this would fit the 
general scope of the mainline webapp. The manner in which the Pod is started, 
the way credentials are injected, etc. would all be specific to your particular 
use case, but the extension API exists so you can do exactly this sort of thing.

If you have any further questions on how to approach writing such an extension, 
please hop over to the d...@guacamole.apache.org list: 
http://guacamole.apache.org/support/#mailing-lists.

> Launch Kubernetes (X)RDP pods with OpenID Connect injected credentials
> ----------------------------------------------------------------------
>
>                 Key: GUACAMOLE-658
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-658
>             Project: Guacamole
>          Issue Type: New Feature
>            Reporter: Bolke de Bruin
>            Priority: Minor
>
> Hi,
> We would like to leverage Guacamole to launch secure isolated XRDP pods on 
> k8s / OpenShift.
> So imagine a user logs in to Guacamole with OpenID Connect and is then able 
> to launch his personal Pod that has his user configured in the Pod. Upon 
> logout the Pod will be destroyed (configurable).
> Configuring the user could happen similarly to "cloudinit" where in this case 
> Guacamole would function as a metadata server or by injecting the OAuth token 
> directly into the Pod and then having the pod update itself.
> It would require Guacamole to be able to launch, destroy and monitor pods and 
> maybe function as a metadata server.
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
