Thanks for your response, Nick.

> However, I wonder does the Consul service discovery have any sort of API that
> could be leveraged to dynamically pull connection information?

Yes, it's intended for exactly this kind of thing. https://www.consul.io/api/index.html is the tip of the iceberg. Most likely it would make sense for the user to create a Prepared Query https://www.consul.io/api/query.html and then provide the ID of that to Guacamole or whatever piece of middleware in order to have it run the query and get back the right set of services. This should provide good abstraction and save the middleware from having to implement a lot of logic.

> Sounds like Consul can spit out formatted output - XML, maybe JSON. An
> extension could be written to leverage this - I'd lean toward JSON output,
> myself, but probably doesn't matter that much.

This is often done via another complementary product, Consul Template - https://github.com/hashicorp/consul-template - which can read data from Consul and render it out using the Go Template syntax into literally any kind of format. JSON is supported with a built-in serializer, so the template would be very succinct. We can source data from service registrations, which have tags that would make it easy to pass data along. Passwords for VNC etc. can be sourced from Hashicorp Vault for the security-conscious or via some other mechanism if that's overkill for the environment in question.

> it actually shouldn't be too bad to write scripts in one of several
> languages, or even some SQL procedures in your DB of choice that would ease
> this.

I've thought about doing this and am confident it could be done - automation to pre-seed the database when I am reconstructing the entire environment from scratch is pretty straightforward with your SQL script generator, and then it's just a matter of using Consul-Template to spit out a database script that truncates a table and repopulates it. It just seems a little bit hackish / non-idiomatic and I don't want to build something here that I'm going to have to do a lot of maintenance on later.

If there is in fact some JSON-based extension around that I could try for this, I would appreciate a link to it!

Mike Sollanych

________________________________
From: Nick Couchman <[email protected]>
Sent: Monday, August 19, 2019 5:35 PM
To: [email protected] <[email protected]>
Subject: Re: OpenID and NoAuth / user-mapping.xml ?

On Mon, Aug 19, 2019 at 7:14 PM Mike Sollanych <[email protected]> wrote:

> Apologies if this was posted twice, didn't confirm email properly.

I only see it once :-).

> I'm trying to set up a highly dynamic Guacamole setup, using OpenID for authentication (against IDAptive; this part works well). The actual Guacamole connections need to be sourced from Consul service discovery; my plan had been to use Consul Template to do this and spit out a file like the user-mapping.xml, but it looks like there's no way to use the two of these in concert.

Unfortunately the built-in user-mapping.xml doesn't really "stack" with the other modules the same way, so you likely won't have much success getting this to work. However, I wonder does the Consul service discovery have any sort of API that could be leveraged to dynamically pull connection information?

> The NoAuth extension that appears to have been deprecated looks like it might have handled this for me. QuickConnect works fine but most of the point of Guacamole was to provide my technical end-users a nice list of running VNC sessions inside our environment in a secure fashion with 2FA and so forth.

You don't want NoAuth. Really, you don't :-). We deprecated it for a reason.

> Is there any option for using OpenID without having a database backend to list connection information?

I'm sure there is - I can think of three ways:

1) Consul has an API, and an extension could be written to pull from that API. I'd be happy to work through implementation of such an extension, if you can provide insight on how the API works.
2) Sounds like Consul can spit out formatted output - XML, maybe JSON. An extension could be written to leverage this - I'd lean toward JSON output, myself, but probably doesn't matter that much.

3) Mike has mentioned in the past, I think, that he has a JSON extension that might work for this, eh Mike?

> If I have to maintain a database, that means a lot more work to get this working (i.e. I'd have to write something that could blow away the Guacamole database and repopulate it from whatever we source from Consul). A static configuration maintained using tools outside of the app itself lends itself far more to my process.

I wouldn't say you'd have to blow away the database each time and repopulate it - at most you'd blow away the data in one or two of the tables (Connection, maybe Permissions) and repopulate that, but it actually shouldn't be too bad to write scripts in one of several languages, or even some SQL procedures in your DB of choice that would ease this. Not saying this is really the best way to go for you, just that it is a possibility and may not be quite as bad as it seems.

> Should I just downgrade to the pre-1.0 release and use noauth? This seems to give me no upgrade path, and I'm not sure if the openid extension actually works alongside that anyhow.

No, don't use NoAuth. Let's figure something else out that works for you.

-Nick
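
The Prepared Query approach from the reply at the top of this thread, sketched as an added example that is not part of the original messages and not code from Guacamole or Consul: middleware takes the JSON a prepared-query execution returns and keeps only healthy, allowlisted instances before offering them as connections. The tag convention, the internal network range, the output record layout and the `password_ref` field are assumptions made for illustration; the sample response is constructed.

```python
import ipaddress
import json

# Constructed sample shaped like a Consul prepared-query execute response; all values made up.
SAMPLE_RESPONSE = json.loads("""
{"Service": "vnc", "Nodes": [
 {"Node": {"Node": "build-01", "Address": "10.20.0.11"},
  "Service": {"ID": "vnc-build-01", "Tags": ["guac-vnc"], "Address": "", "Port": 5901},
  "Checks": [{"Status": "passing"}]},
 {"Node": {"Node": "build-02", "Address": "10.20.0.12"},
  "Service": {"ID": "vnc-build-02", "Tags": ["guac-vnc"], "Address": "", "Port": 5901},
  "Checks": [{"Status": "critical"}]},
 {"Node": {"Node": "rogue", "Address": "10.20.0.13"},
  "Service": {"ID": "vnc-rogue", "Tags": ["guac-vnc"], "Address": "203.0.113.7", "Port": 5901},
  "Checks": [{"Status": "passing"}]},
 {"Node": {"Node": "db-01", "Address": "10.20.0.14"},
  "Service": {"ID": "pg-db-01", "Tags": ["postgres"], "Address": "", "Port": 5432},
  "Checks": [{"Status": "passing"}]}
]}
""")

TAG_TO_PROTOCOL = {"guac-vnc": "vnc", "guac-rdp": "rdp"}  # assumed tag convention
ALLOWED_NET = ipaddress.ip_network("10.20.0.0/16")        # assumed internal range

def connections_from_query(response, secret_prefix="secret/guacamole/"):
    connections = {}
    for entry in response.get("Nodes", []):
        node, svc = entry["Node"], entry["Service"]
        if any(c.get("Status") != "passing" for c in entry.get("Checks", [])):
            continue
        # Exactly one recognised protocol tag; a registration cannot pick a protocol freely.
        protocols = [TAG_TO_PROTOCOL[t] for t in (svc.get("Tags") or []) if t in TAG_TO_PROTOCOL]
        if len(protocols) != 1:
            continue
        # An empty service address means "use the node address" in Consul.
        try:
            addr = ipaddress.ip_address(svc.get("Address") or node["Address"])
        except ValueError:
            continue
        port = svc.get("Port")
        if addr not in ALLOWED_NET or not isinstance(port, int) or not 1 <= port <= 65535:
            continue
        connections[f"{node['Node']}:{port}"] = {
            "protocol": protocols[0],
            "parameters": {"hostname": str(addr), "port": str(port)},
            # Hypothetical field: a Vault path for the VNC password, never the secret itself.
            "password_ref": secret_prefix + svc["ID"],
        }
    return connections
```

Treating the service registry as untrusted input matters here because anything able to register a service would otherwise be able to point a gateway connection at an arbitrary host.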
