diff --git a/auth/customers.rst b/auth/customers.rst new file mode 100644 index 00000000..e69de29b diff --git a/auth/introduction.rst b/auth/introduction.rst new file mode 100644 index 00000000..139597f9 --- /dev/null +++ b/auth/introduction.rst @@ -0,0 +1,2 @@ + + diff --git a/auth/ldap.rst b/auth/ldap.rst new file mode 100644 index 00000000..e69de29b diff --git a/auth/openid.rst b/auth/openid.rst new file mode 100644 index 00000000..e69de29b diff --git a/auth/proxy.rst b/auth/proxy.rst new file mode 100644 index 00000000..e69de29b diff --git a/auth/roles.rst b/auth/roles.rst new file mode 100644 index 00000000..e69de29b diff --git a/authentication.rst b/authentication.rst index efb30b7d..1d0d3397 100644 --- a/authentication.rst +++ b/authentication.rst @@ -46,7 +46,7 @@ configuration settings file:: random string on Linux:: $ LC_CTYPE=C tr -dc A-Za-z0-9_\!\@\#\$\%\^\&\*\(\)-+= < /dev/urandom | head -c 32 && echo - + or Mac OSX:: $ date | md5 | base64 @@ -127,7 +127,7 @@ You can fetch ldap groups dynamically from LDAP server and use them as customer name by using ``LDAP_DOMAINS_GROUP`` configuration. Either of ``{username}``, ``{userdn}`` or ``{email}`` can be used for the same. -All users are initially assigned the "user" role by default. +All users are initially assigned the "user" role by default. .. note:: User sign-up, email verfication and password reset through the Alerta web UI or CLI is not supported. Self-service user management @@ -546,7 +546,7 @@ Now go to *Installation* and generate it by selecting 'Keycloak OIDC JSON'. You { "realm": "master", - "auth-server-url": "https://keycloak.example.org/auth", + "auth-server-url": "https://keycloak.example.org", "ssl-required": "external", "resource": "alerta-ui", "credentials": { 
@@ -564,13 +564,17 @@ the values shown below with the values generated by Keycloak):: OAUTH2_CLIENT_ID = 'alerta-ui' OAUTH2_CLIENT_SECRET = '418bbf31-aef-33d1-a471-322a60276879' +.. note:: The ``/auth`` context path was removed as a default in Keycloak ``18.0.0``. You might need the add the context path ``KEYCLOAK_URL = https://keycloak.example.org/auth`` to your configuration. See the `Keycloak migration guide`_ for further details. + +.. _`Keycloak migration guide`: https://www.keycloak.org/migration/migrating-to-quarkus + .. _allowed_keycloak_roles: To restrict access to users who are associated with a particular `Keycloak role`_ use:: ALLOWED_KEYCLOAK_ROLES = ['role1', 'role2'] -.. _`Keycloak role`: https://keycloak.gitbooks.io/documentation/server_admin/topics/roles.html +.. _`Keycloak role`: https://www.keycloak.org/docs/latest/server_admin/#con-client-roles_server_administration_guide .. note:: ``ALLOWED_KEYCLOAK_ROLES`` can be an asterisk (``*``) to force login but *not* restrict who can login. @@ -605,7 +609,7 @@ HTTP header or a query parameter. Using an HTTP header is the preferred method so that API keys are not exposed even when using HTTPS or inadvertently captured in log - files. + files. **Example using HTTP header** diff --git a/configuration.rst b/configuration.rst index 2e205ccd..aa5d05ca 100644 --- a/configuration.rst +++ b/configuration.rst @@ -500,7 +500,7 @@ HMAC Auth Settings ``HMAC_AUTH_CREDENTIALS`` HMAC credentials -.. _Audit Log config: +.. _Audit Log settings: Audit Log Settings ~~~~~~~~~~~~~~~~~~ @@ -532,7 +532,7 @@ using a POST. ``AUDIT_URL`` forward audit logs to HTTP POST URL (no default) -.. _CORS config: +.. _CORS settings: CORS Settings ~~~~~~~~~~~~~ @@ -552,7 +552,7 @@ CORS Settings ``CORS_ORIGINS`` URL origins that can access the API for Cross-Origin Resource Sharing (CORS) -.. _severity config: +.. _severity settings: Severity Settings ~~~~~~~~~~~~~~~~~ 
@@ -598,7 +598,7 @@ in which Alerta is deployed. ``COLOR_MAP`` dictionary of severity colors, text and highlight color -.. _timeout config: +.. _timeout settings: Timeout Settings ~~~~~~~~~~~~~~~~ @@ -627,7 +627,7 @@ are important for generating alerts from stale heartbeats. ``SHELVE_TIMEOUT`` timeout period for unshelving alerts in shelved status (default is ``7200`` seconds, ``0`` = do not auto-unshelve) -.. _housekeeping config: +.. _housekeeping settings: Housekeeping Settings ~~~~~~~~~~~~~~~~~~~~~ @@ -648,7 +648,7 @@ Housekeeping Settings .. note:: Ensure to set ``DEFAULT_INFORM_SEVERITY`` to the "informational" severity that should be deleted. -.. _email config: +.. _email settings: Email Settings ~~~~~~~~~~~~~~ @@ -692,7 +692,7 @@ email address before they can login. ``SMTP_PASSWORD`` application-specific password for ``MAIL_FROM`` or ``SMTP_USERNAME`` (no default) -.. _webui config: +.. _webui settings: Web UI Settings ~~~~~~~~~~~~~~~ @@ -773,7 +773,7 @@ Alert Status Indicator Settings ``ASI_QUERIES`` list of alert queries applied to filter status indicators (see example for default) -.. _plugin config: +.. _plugin settings: Plugin Settings ~~~~~~~~~~~~~~~~ @@ -887,7 +887,7 @@ Alerts and actions can be forwarded to other Alerta servers to create a $ date | md5 | base64 <= create HMAC "secret" MzVlMzQ5NWYzYWE2YTgxYTUyYmIyNDY0ZWE2ZWJlYTMK -.. _webhook config: +.. _webhook settings: Webhook Settings ~~~~~~~~~~~~~~~~ diff --git a/faq.rst b/faq.rst index 09b33871..72ada428 100644 --- a/faq.rst +++ b/faq.rst 
@@ -22,7 +22,7 @@ To fix this you can either serve the web UI from the `same origin`_ as the API using a web server to :ref:`reverse proxy ` the web UI or ensure that the API server `allows the origin`_ where the web UI is hosted by adding it to the :envvar:`CORS_ORIGINS` :ref:`server -configuration ` setting. +configuration ` setting. .. _CORS: https://en.wikipedia.org/wiki/Cross-origin_resource_sharing .. _same origin: https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy diff --git a/webui/configuration.rst b/webui/configuration.rst index 0ea44fdc..a5b80693 100644 --- a/webui/configuration.rst +++ b/webui/configuration.rst @@ -113,37 +113,8 @@ shown below that. Client Settings ~~~~~~~~~~~~~~~ -Full list of API server settings that can be used to configure clients. - -``AUTH_REQUIRED`` - -``CUSTOMER_VIEWS`` - -``AUTH_PROVIDER`` - -``SIGNUP_ENABLED`` - -``OAUTH2_CLIENT_ID`` - -``GITHUB_URL`` - -``GITLAB_URL`` - -``KEYCLOAK_URL`` - -``KEYCLOAK_REALM`` - -``PINGFEDERATE_URL`` - -``COLOR_MAP`` - -``SEVERITY_MAP`` - -``GOOGLE_TRACKING_ID`` - -``AUTO_REFRESH_INTERVAL`` - -.. note:: It is not currently possible to configure dates or audio. +Full list of API server settings that can be used to configure clients can be found +at :ref:`webui settings`. .. raw:: html
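Review bot: the six new files under auth/ (customers, introduction, ldap, openid, proxy, roles) are added empty, and auth/introduction.rst holds only two blank lines. Sphinx will warn that they are not included in any toctree, or that they have no title if they are. Either hold them back until each has at least a heading and a toctree entry, or add stub headings in this change.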
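Review bot: in the authentication.rst hunk at line 46, the "or Mac OSX" alternative next to this whitespace fix, "$ date | md5 | base64", derives the secret from the current timestamp, which is guessable, unlike the /dev/urandom command shown for Linux. Since the block is being touched, replace the macOS line with the same /dev/urandom pipeline, which also runs on macOS. The same "date | md5 | base64" line appears as context for the HMAC "secret" in the configuration.rst hunk at line 887 and deserves the same change.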
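Review bot: the note added in the authentication.rst hunk at line 564 has a typo ("You might need the add" should be "You might need to add") and shows KEYCLOAK_URL = https://keycloak.example.org/auth unquoted, while the neighbouring settings are quoted string literals (OAUTH2_CLIENT_ID = 'alerta-ui'), so a reader who copies it as written gets a line that does not parse. Quote the URL, and state which deployments need the /auth suffix, since the auth-server-url example in the hunk at line 546 now shows only the path-less form.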
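Review bot: the label renames in configuration.rst ("_Audit Log config:" through "_webhook config:", each changed to "... settings:") break any existing :ref: that still points at the old names, and the only :ref: lines touched in this patch are in faq.rst and webui/configuration.rst. Search the tree for the old "config" labels and build with sphinx-build -W so that an undefined label fails the build instead of passing as a warning.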
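Review bot: the webui/configuration.rst hunk removes the note "It is not currently possible to configure dates or audio." along with the list, and nothing in this patch carries it over to the Web UI Settings section that the new text points to. Move the note there if it still holds, and confirm that section covers all fourteen removed settings (AUTH_REQUIRED through AUTO_REFRESH_INTERVAL). The replacement sentence would also read better as "The full list of API server settings that can be used to configure clients is at :ref:`webui settings`."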