Splice App
Splice App runs in your Google Cloud Platform (GCP) project. It serves as the
intermediary for the transport of Domain Join metadata between the CLI and your
SpliceD server inside your perimeter.
Project Selection
Splice can run in your existing GCP organization, either in its own project, or
within a project you already run.
- Go to https://console.cloud.google.com
- Select your project, or create a new one if necessary.
Account Setup
- Go to IAM & Admin.
- In the IAM section, go to Service Accounts.
- Create a service account to be used by SpliceD.
- Assign the role Datastore > Cloud Datastore Owner.
Account Credentials
Cloud console will provide a JSON encoded credential file for service accounts,
which can be used to authenticate an application from Windows.
WARNING: The credential file is sensitive: anyone who obtains it can authenticate
as the service account and use its roles. Never store the credential file anywhere
it can be accessed by non-administrators.
- From the IAM & Admin panel, go to Service Accounts.
- Select the more options menu for the SpliceD service account and select
Create Key. Leave type as JSON.
Service account keys can be deleted by clicking the small trash can icon next to
the Key ID string. This will invalidate previously issued keys, requiring new
keys to be distributed.
Pub/Sub Setup
Pub/Sub notifies SpliceD of waiting join requests. Because SpliceD pulls from the
subscription, App Engine does not need any inbound access to the network perimeter.
- Go to Pub/Sub
- Click Create Topic
- Select the topic and create a New Subscription
- Select the subscription and open Permissions
- Add the service account created during Account Setup with the roles:
  - Pub/Sub Viewer
  - Pub/Sub Subscriber
Datastore Setup
The datastore maintains all state for active requests.
- Go to Datastore
- Click Create Entity and create an entity with:
  - Kind: "RequestList"
  - Key identifier: Custom name: "default"
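The Account Setup, Account Credentials and Pub/Sub Setup steps above, expressed as gcloud commands. This is an added example, not a script shipped with Splice; the resource names (spliced, splice-joins, splice-joins-spliced) are assumptions, and the script assumes the resources do not exist yet.

```shell
#!/bin/sh
# Added example (not from the Splice project): the console steps as gcloud
# commands. SA_NAME, TOPIC and SUB are assumed names; override via environment.
set -eu

SA_NAME="${SA_NAME:-spliced}"            # service account used by SpliceD
TOPIC="${TOPIC:-splice-joins}"           # Pub/Sub topic Splice App publishes to
SUB="${SUB:-splice-joins-spliced}"       # pull subscription SpliceD reads

sa_email() {  # sa_email NAME PROJECT_ID -> service account e-mail address
  printf '%s@%s.iam.gserviceaccount.com\n' "$1" "$2"
}

setup_splice_gcp() {  # setup_splice_gcp PROJECT_ID
  project="$1"
  member="serviceAccount:$(sa_email "$SA_NAME" "$project")"

  # Account Setup: service account plus Cloud Datastore Owner on the project.
  gcloud iam service-accounts create "$SA_NAME" --project="$project" \
    --display-name="SpliceD"
  gcloud projects add-iam-policy-binding "$project" \
    --member="$member" --role=roles/datastore.owner

  # Pub/Sub Setup: topic, pull subscription, and the two roles granted on the
  # subscription only, so SpliceD cannot publish or read other subscriptions.
  gcloud pubsub topics create "$TOPIC" --project="$project"
  gcloud pubsub subscriptions create "$SUB" --topic="$TOPIC" --project="$project"
  for role in roles/pubsub.viewer roles/pubsub.subscriber; do
    gcloud pubsub subscriptions add-iam-policy-binding "$SUB" \
      --project="$project" --member="$member" --role="$role"
  done
  # The RequestList/default Datastore entity has no gcloud equivalent; create
  # it in the console as described in Datastore Setup.
}

issue_spliced_key() {  # issue_spliced_key PROJECT_ID OUTFILE
  # Account Credentials: the JSON key grants the service account's access, so
  # it is written owner-readable only and should go straight to the SpliceD host.
  umask 077
  gcloud iam service-accounts keys create "$2" \
    --iam-account="$(sa_email "$SA_NAME" "$1")" --project="$1"
}

if [ -n "${SPLICE_PROJECT:-}" ]; then
  setup_splice_gcp "$SPLICE_PROJECT"
fi
```

Run as `SPLICE_PROJECT=<your-project-id> sh setup.sh`, then call `issue_spliced_key <your-project-id> spliced-key.json` only on the machine that will deliver the key to SpliceD.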
Deployment
Splice App is written in Go. See "Deploying a Go App" for information on how to
deploy Splice to App Engine in your project.
Project Allowlist
When used with the -gce flag, the Splice CLI will submit GCE identity metadata
with its request to Splice App for validation. This allows Splice to restrict
incoming requests to a verifiable list of authorized App Engine projects.
The project allowlist is contained in app.yaml.