auth-json lives here last I saw: https://github.com/glyptodon/guacamole-auth-json

It works just fine.

-Ryan

-----Original Message-----
From: Nick Couchman <[email protected]>
Sent: Tuesday, August 20, 2019 12:27 PM
To: [email protected]
Subject: Re: OpenID and NoAuth / user-mapping.xml ?

On Tue, Aug 20, 2019 at 12:20 PM Mike Sollanych <[email protected]> wrote:

Thanks for your response, Nick.

> However, I wonder does the Consul service discovery have any sort of API that could be leveraged to dynamically pull connection information?

Yes, it's intended for exactly this kind of thing. https://www.consul.io/api/index.html is the tip of the iceberg. Most likely it would make sense for the user to create a Prepared Query https://www.consul.io/api/query.html and then provide the ID of that to Guacamole or whatever piece of middleware in order to have it run the query and get back the right set of services. This should provide good abstraction and save the middleware from having to implement a lot of logic.

Yeah, I started poking at it a bit last night - I had never heard of Consul before, but it looks really cool, and the API looks reasonably easy to use. In your implementation, would you be trying to leverage any sort of access control as provided by Consul, or do you just want any user who logs in with OpenID to see any of the services available from Consul?

> Sounds like Consul can spit out formatted output - XML, maybe JSON. An extension could be written to leverage this - I'd lean toward JSON output, myself, but probably doesn't matter that much.

This is often done via another complementary product, Consul Template - https://github.com/hashicorp/consul-template - which can read data from Consul and render it out using the Go Template syntax into literally any kind of format. JSON is supported with a built in serializer, so the template would be very succinct. We can source data from service registrations, which have tags that would make it easy to pass data along. Passwords for VNC etc. can be sourced from Hashicorp Vault for the security-conscious or via some other mechanism if that's overkill for the environment in question.

> it actually shouldn't be too bad to write scripts in one of several languages, or even some SQL procedures in your DB of choice that would ease this.

I've thought about doing this and am confident it could be done - automation to pre-seed the database when I am reconstructing the entire environment from scratch is pretty straightforward with your SQL script generator, and then it's just a matter of using Consul-Template to spit out a database script that truncates a table and repopulates it. It just seems a little bit hackish / non-idiomatic and I don't want to build something here that I'm going to have to do a lot of maintenance on later.

Oh, yes, I agree it is hackish, particularly since Consul provides an API.

If there is in fact some JSON-based extension around that I could try for this, I would appreciate a link to it!

Mike will have to provide this - he's referenced it, but I'm not entirely sure where it lives at the moment, what its working state is, or even how to use it.

-Nick
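
Added example, not part of the original thread and not code from Guacamole or Consul: a sketch of the middleware step discussed above, turning a Consul prepared-query result into the per-user JSON connection list that a JSON-based auth extension would consume. The `guac-protocol=` tag convention and the sample data are constructed for illustration; the `username` / `expires` / `connections` layout is an assumption to check against the guacamole-auth-json README, and signing or encrypting the payload is not shown.

```python
import json
import time

ALLOWED_PROTOCOLS = {"vnc", "rdp", "ssh"}  # allow-list; anything else is dropped
PROTOCOL_TAG = "guac-protocol="            # hypothetical tag convention

# Constructed sample in the shape of a Consul prepared-query execute response.
SAMPLE = {"Service": "desktops", "Nodes": [
    {"Node": {"Node": "lab-01", "Address": "10.0.0.11"}, "Checks": [{"Status": "passing"}],
     "Service": {"ID": "lab-01-vnc", "Address": "", "Port": 5901, "Tags": ["guac-protocol=vnc"]}},
    {"Node": {"Node": "lab-02", "Address": "10.0.0.12"}, "Checks": [{"Status": "critical"}],
     "Service": {"ID": "lab-02-rdp", "Address": "10.0.5.12", "Port": 3389, "Tags": ["guac-protocol=rdp"]}},
    {"Node": {"Node": "lab-03", "Address": "10.0.0.13"}, "Checks": [{"Status": "passing"}],
     "Service": {"ID": "lab-03-telnet", "Address": "", "Port": 23, "Tags": ["guac-protocol=telnet"]}},
]}

def protocol_of(tags):
    """Return the allow-listed protocol named by the tags, or None."""
    for tag in tags or []:
        if tag.startswith(PROTOCOL_TAG):
            value = tag[len(PROTOCOL_TAG):].lower()
            return value if value in ALLOWED_PROTOCOLS else None
    return None

def connections_from_consul(response):
    """Map healthy, allow-listed Consul entries to Guacamole connections."""
    connections = {}
    for entry in response.get("Nodes") or []:
        svc, node = entry.get("Service", {}), entry.get("Node", {})
        healthy = all(c.get("Status") == "passing" for c in entry.get("Checks") or [])
        protocol = protocol_of(svc.get("Tags"))
        host = svc.get("Address") or node.get("Address")
        name, port = svc.get("ID"), svc.get("Port")
        if not (healthy and protocol and host and name
                and isinstance(port, int) and 0 < port < 65536):
            continue
        # Only hostname and port are copied; credentials never come from tags.
        connections[name] = {"protocol": protocol,
                             "parameters": {"hostname": host, "port": str(port)}}
    return connections

def build_payload(username, response, ttl_seconds=300, now=None):
    """Build the per-user document with a short expiry (epoch milliseconds)."""
    now = time.time() if now is None else now
    doc = {"username": username, "expires": int((now + ttl_seconds) * 1000),
           "connections": connections_from_consul(response)}
    return json.dumps(doc, sort_keys=True)
```

Secrets such as VNC passwords would be fetched separately (the thread suggests Vault) and merged into `parameters` just before the payload is protected, rather than stored in Consul tags.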
