How do I set up TLS authentication for FeatureBase Community?
Secure your FeatureBase server with TLS authentication.
Before you begin
- Learn about TLS (Transport Layer Security)
- Install FeatureBase Community
- Generate a secret-key
- Add FeatureBase as an Azure AD application
- Set up FeatureBase Group permissions
FeatureBase configuration file location
Authentication is added to the featurebase.conf file, which can be found in different locations depending on the application and software version you have installed.
Application | Version | Directory path
---|---|---
FeatureBase | 1.0+ | /featurebase-install-directory/opt/featurebase.conf
Molecula | 2.0+ | /etc/featurebase.conf
Pilosa | 2.0+ | /etc/featurebase.conf
Authentication syntax
```toml
[auth]
enable = true
{client-id = "<SAML IdP value>"}
{client-secret = "<SAML IdP value>"}
{authorize-url = "<SAML IdP value>"}
{token-url = "<SAML IdP value>"}
{group-endpoint-url = "<SAML IdP value>"}
{redirect-base-url = "<SAML IdP value>"}
{logout-url = "<SAML IdP value>"}
{scopes = <SAML IdP value>}
{secret-key = "<featurebase-auth-key>"}
{permissions = "/featurebase-directory/permissions.yaml"}
[query-log-path = "/log/directory/"]
[configured-ips = []]
```
Keys
Key | Description | Required | Further information
---|---|---|---
enable=true | Activate IdP authentication for FeatureBase | | 
client-id | SAML 2.0 Identity Provider (IdP) value obtained from Azure AD Applications Overview | Yes | 
client-secret | As for client-id. | Yes | Obtain from the IdP
authorize-url | IdP value obtained from Applications Overview > Endpoints. | Yes | Use v2 links if there are two versions available.
token-url | As for authorize-url. | Yes | 
group-endpoint-url | SAML IdP API value | Yes | SAML 2.0 IdP API documentation
redirect-base-url | IdP URL that corresponds to your primary FeatureBase node. | Yes | Example: https://featurebase-hostname-or-ip:10101
logout-url | SAML IdP API value | Yes | [Single sign-out SAML protocol documentation](https://learn.microsoft.com/en-us/azure/active-directory/develop/single-sign-out-saml-protocol)
scopes | SAML IdP API value | Yes | SAML 2.0 scopes and permissions
secret-key | Secret key used to secure inter-node communication in a FeatureBase cluster. | Yes | Generate a secret key
permissions | Path for the group permissions file that maps group IDs to index-level access. | Yes | Add group permissions
query-log-path | Set the path for the query audit log. | Optional | 
configured-ips | Admin permissions are granted to any IP or subnet in this list. If the key is not included or not set, no IPs are allow-listed. | Optional | Domain names and 0.0.0.0/0 are not allowed.
Additional information
- When TLS is enabled, the scheme must be explicitly defined as https in featurebase.conf and in the command-line.
- /featurebase.conf and /featurebase-install-directory/opt/parameters.yaml must be duplicated on all nodes of a FeatureBase cluster.
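The following Go program is added here as an example; it is not part of FeatureBase or its documentation. It lints a constructed `[auth]` section against the rules stated on this page: every required key is present, every URL key carries an explicit `https` scheme, and `configured-ips` contains only literal addresses or subnets, with no domain names and no `0.0.0.0/0`. The minimal key/value parser, the two sample configurations, and the extra rejection of the IPv6 catch-all `::/0` are this example's own assumptions rather than documented FeatureBase behaviour.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Keys the page marks as required (curly braces in the syntax block).
var requiredKeys = []string{
	"client-id", "client-secret", "authorize-url", "token-url",
	"group-endpoint-url", "redirect-base-url", "logout-url",
	"scopes", "secret-key", "permissions",
}

// Keys that hold URLs and so must carry an explicit https scheme once TLS is on.
var urlKeys = []string{
	"authorize-url", "token-url", "group-endpoint-url", "redirect-base-url", "logout-url",
}

// parseAuthSection reads only the `key = "string"` and `key = ["a", "b"]` forms
// used in the [auth] section. It is a constructed helper for this example, not
// FeatureBase's own configuration loader.
func parseAuthSection(conf string) map[string][]string {
	out := map[string][]string{}
	inAuth := false
	for _, raw := range strings.Split(conf, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			inAuth = line == "[auth]" // any other table header ends the section
			continue
		}
		key, value, ok := strings.Cut(line, "=")
		if !inAuth || !ok {
			continue
		}
		key, value = strings.TrimSpace(key), strings.TrimSpace(value)
		if strings.HasPrefix(value, "[") { // array of strings, possibly empty
			items := []string{}
			for _, item := range strings.Split(strings.Trim(value, "[]"), ",") {
				if s := strings.Trim(strings.TrimSpace(item), `"`); s != "" {
					items = append(items, s)
				}
			}
			out[key] = items
			continue
		}
		out[key] = []string{strings.Trim(value, `"`)}
	}
	return out
}

// checkAllowListEntry validates one configured-ips entry and returns a finding,
// or "" if the entry is acceptable. The page forbids domain names and 0.0.0.0/0;
// rejecting ::/0 as well is this example's extension of that rule.
func checkAllowListEntry(entry string) string {
	if net.ParseIP(entry) != nil {
		return "" // single literal address
	}
	_, ipnet, err := net.ParseCIDR(entry)
	if err != nil {
		return "configured-ips: " + entry + " is not an IP address or CIDR range (domain names are not allowed)"
	}
	if ones, _ := ipnet.Mask.Size(); ones == 0 {
		return "configured-ips: " + entry + " would grant admin rights to every address and is not allowed"
	}
	return ""
}

// checkAuthConfig returns one finding per rule the [auth] section violates.
func checkAuthConfig(conf string) []string {
	auth := parseAuthSection(conf)
	var findings []string
	if v := auth["enable"]; len(v) != 1 || v[0] != "true" {
		findings = append(findings, "enable must be set to true")
	}
	for _, key := range requiredKeys {
		if v := auth[key]; len(v) == 0 || (len(v) == 1 && v[0] == "") {
			findings = append(findings, "missing required key: "+key)
		}
	}
	for _, key := range urlKeys {
		v := auth[key]
		if len(v) != 1 || v[0] == "" {
			continue // already reported as missing
		}
		if u, err := url.Parse(v[0]); err != nil || u.Scheme != "https" || u.Host == "" {
			findings = append(findings, key+" must be an explicit https:// URL, got "+v[0])
		}
	}
	for _, entry := range auth["configured-ips"] {
		if f := checkAllowListEntry(entry); f != "" {
			findings = append(findings, f)
		}
	}
	return findings
}

// Constructed sample: http redirect, no secret-key, and an over-broad allow list.
const weakConf = `[auth]
enable = true
client-id = "00000000-0000-0000-0000-000000000000"
client-secret = "placeholder-client-secret"
authorize-url = "https://idp.example.com/oauth2/v2.0/authorize"
token-url = "https://idp.example.com/oauth2/v2.0/token"
group-endpoint-url = "https://graph.microsoft.com/v1.0/me/transitiveMemberOf/"
redirect-base-url = "http://featurebase.internal:10101"
logout-url = "https://login.microsoftonline.com/common/oauth2/v2.0/logout"
scopes = ["https://graph.microsoft.com/.default", "offline_access"]
permissions = "/etc/featurebase/permissions.yaml"
configured-ips = ["10.20.0.0/16", "0.0.0.0/0", "admin.example.com"]
`

// Constructed sample: the same section with the four problems corrected.
const hardenedConf = `[auth]
enable = true
client-id = "00000000-0000-0000-0000-000000000000"
client-secret = "placeholder-client-secret"
authorize-url = "https://idp.example.com/oauth2/v2.0/authorize"
token-url = "https://idp.example.com/oauth2/v2.0/token"
group-endpoint-url = "https://graph.microsoft.com/v1.0/me/transitiveMemberOf/"
redirect-base-url = "https://featurebase.internal:10101"
logout-url = "https://login.microsoftonline.com/common/oauth2/v2.0/logout"
scopes = ["https://graph.microsoft.com/.default", "offline_access"]
secret-key = "<placeholder-featurebase-auth-key>"
permissions = "/etc/featurebase/permissions.yaml"
configured-ips = ["10.20.0.0/16", "10.20.5.7"]
`

func main() {
	for name, conf := range map[string]string{"weak": weakConf, "hardened": hardenedConf} {
		findings := checkAuthConfig(conf)
		fmt.Printf("%s config: %d finding(s)\n", name, len(findings))
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```

Running the program reports four findings for the weak section (missing secret-key, an http redirect-base-url, the 0.0.0.0/0 entry, and the domain name) and none for the hardened one; the same checks can be run on each node's copy of featurebase.conf before the cluster is brought up, since the file must be identical on all nodes.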
Examples
Azure Active Directory configuration
```toml
[auth]
enable = true
{client-id = "<SAML IdP value>"}
{client-secret = "<SAML IdP value>"}
{authorize-url = "<SAML IdP value>"}
{token-url = "<SAML IdP value>"}
group-endpoint-url = "https://graph.microsoft.com/v1.0/me/transitiveMemberOf/"
{redirect-base-url = "<SAML IdP value>"}
logout-url = "https://login.microsoftonline.com/common/oauth2/v2.0/logout"
scopes = ["https://graph.microsoft.com/.default", "offline_access"]
{secret-key = "<AZURE-AD-SECRET-KEY>"}
{permissions = "/featurebase-directory/permissions.yaml"}
```