Posted to commits@guacamole.apache.org by "Michael Jumper (JIRA)" <ji...@apache.org> on 2018/11/10 17:41:00 UTC

[jira] [Commented] (GUACAMOLE-658) Launch Kubernetes (X)RDP pods with OpenID Connect injected credentials

    [ https://issues.apache.org/jira/browse/GUACAMOLE-658?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16682525#comment-16682525 ] 

Michael Jumper commented on GUACAMOLE-658:
------------------------------------------

You should already be able to achieve this using an extension. If you leverage the existing OpenID Connect support, the username of the user authenticated via OpenID will be exposed to all other extensions through the {{AuthenticatedUser}} object. You can then do with those credentials as you see fit, start/stop pods as dynamically as you desire, and inject whatever data you need however you wish.

Outside of an extension, I don't think an implementation of this would fit the general scope of the mainline webapp. The manner in which the Pod is started, the way credentials are injected, etc. would all be specific to your particular use case, but the extension API exists so you can do exactly this sort of thing.

If you have any further questions on how to approach writing such an extension, please hop over to the dev@guacamole.apache.org list: http://guacamole.apache.org/support/#mailing-lists.

> Launch Kubernetes (X)RDP pods with OpenID Connect injected credentials
> ----------------------------------------------------------------------
>
>                 Key: GUACAMOLE-658
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-658
>             Project: Guacamole
>          Issue Type: New Feature
>            Reporter: Bolke de Bruin
>            Priority: Minor
>
> Hi,
> We would like to leverage Guacamole to launch secure isolated XRDP pods on k8s / openshift.
> So imagine a user logs in to guacamole with OpenID connect and is then able to launch his personal Pod that has his user configured in the Pod. Upon logout the Pod will be destroyed (configurable).
> Configuring the user could happen similarly to "cloudinit" where in this case guacamole would function as a metadata server or by injecting the oauth token directly into the Pod and then having the pod update itself.
> It would require guacamole to be able to launch, destroy and monitor pods and maybe function as a metadata server.
>  


