OpenObserve Support for Single Sign-On and Self-Hosting

TLDR Gabriel inquired about OpenObserve supporting single sign-on, but Prabhat clarified it wasn't available for self-hosted versions yet and suggested creating new orgs as a workaround for managing access. Karan agreed to monitor the roadmap for future updates.

Gabriel
Tue, 10 Oct 2023 18:55:39 UTC

Does OpenObserve support single sign-on in some way? Can I use a 3rd-party identity server to control authentication/authorization, like KeyCloak?

Prabhat
Tue, 10 Oct 2023 18:59:41 UTC

For the cloud service, yes. For self-hosted, not yet. It's on the roadmap. What kind of SSO are you looking for: SAML, OpenID? Any specific product or service that you want to integrate with?

Gabriel
Tue, 10 Oct 2023 19:03:59 UTC

Yeah, it's self-hosted. I haven't chosen the auth service yet, but it's probably going to be Authelia. It uses OpenID Connect.

Gabriel
Tue, 10 Oct 2023 19:06:38 UTC

I noticed that OpenObserve stores user credentials in the browser's local storage. If I had OpenObserve and my webapp running on the same domain (as different subdomains), I could create the local storage entries for OpenObserve and the user would then be logged in. But the password is stored inside OpenObserve and there's no API for generating the credentials.

Gabriel
Tue, 10 Oct 2023 19:07:13 UTC

Of course that would be a hacky solution, but until there's a proper OAuth2 integration that could be an option...

Prabhat
Tue, 10 Oct 2023 19:17:54 UTC

We have many things that are much more basic to be implemented before we start working on SSO. Doing SSO on cloud was much easier as we could just pick up an external service provider.

Karan
Wed, 11 Oct 2023 08:30:45 UTC

+1. Prabhat, what would you suggest for users of a self-hosted solution to deploy this within their org? I can tell you a couple of use cases we have:

• Teams/Groups: Users can be added to specific groups. Permissions to access a certain stream (and actions like Edit/Delete/Create) can be scoped to the stream level.
• Authentication: I have a reverse proxy which authenticates users via Google OAuth. It sends a header `X-PROXY-HEADER` which has the user's email ID. Can that somehow be mapped to a user session in OpenObserve?

I get that RBAC/OIDC is on the roadmap, but as of today, what would you suggest for self-hosted users, where at least I can limit/restrict viewing all log streams under a single org? That seems to be a blocker for my current org's deployment.

Prabhat
Wed, 11 Oct 2023 10:59:23 UTC

Authn and authz are not easy. We understand their importance. However, without further development on this, I do not see a practical way of achieving RBAC, fine-grained access and external auth in OpenObserve.

Karan
Wed, 11 Oct 2023 11:18:42 UTC

Thanks, that makes sense 🙂 will keep an eye on the roadmap. Side note: as a hack, can I create a new org and then add users to it? So, basically I have different product teams ingesting logs to the same instance. I can scope streams+users under an org, right?

Prabhat
Wed, 11 Oct 2023 11:20:31 UTC

Yes, that is definitely doable