Steve Linabery
2008-Aug-14 07:45 UTC
[Ovirt-devel] [PATCH] Add username/password authentication for browsing from non-kerberized hosts
Once again, apologies for the attachment.

Also, apologies for the comments in wui-devel.ks which wrap past 80 chars.

Please help me test this. Build a new appliance with this patch, ssh to the appliance, set a new ipa password for ovirtadmin, and then kdestroy. If you launch a browser after that, you should get an authorization-requested dialog from Firefox, and (following entry of the correct username/password) get redirected back to the dashboard.

Goodnight!
Steve

From 49410330dd46413b30c1ed29ec86cc73c6cf2f41 Mon Sep 17 00:00:00 2001From: Steve Linabery <slinabery at redhat.com> Date: Thu, 14 Aug 2008 02:41:17 -0500 Subject: [PATCH] Add username/password authentication for browsing from non-kerberized hosts Add cookie-based session support and migration file. New login controller. --- wui-appliance/wui-devel.ks | 7 +++++ wui/conf/ovirt-wui.conf | 6 ++-- wui/src/app/controllers/application.rb | 15 +++++----- wui/src/app/controllers/login_controller.rb | 39 +++++++++++++++++++++++++++ wui/src/config/environment.rb | 2 +- wui/src/db/migrate/013_create_sessions.rb | 35 ++++++++++++++++++++++++ 6 files changed, 92 insertions(+), 12 deletions(-) create mode 100644 wui/src/app/controllers/login_controller.rb create mode 100644 wui/src/db/migrate/013_create_sessions.rb diff --git a/wui-appliance/wui-devel.ks b/wui-appliance/wui-devel.ks index e36f3a7..5c334d1 100644 --- a/wui-appliance/wui-devel.ks +++ b/wui-appliance/wui-devel.ks 
@@ -152,6 +152,13 @@ start() { ipa-server-install -r PRIV.OVIRT.ORG -p @password@ -P @password@ -a @password@ \ --hostname management.priv.ovirt.org -u dirsrv -U + # workaround for https://bugzilla.redhat.com/show_bug.cgi?id=459061 + # note: this has to happen after ipa-server-install or the templating feature + # in ipa-server-install chokes on the characters in the regexp we add here. + sed -i -e 's#<Proxy \*>#<ProxyMatch ^.*/ipa/ui.*$>#' /etc/httpd/conf.d/ipa.conf + sed -i -e 's#</Proxy>#</ProxyMatch>#' /etc/httpd/conf.d/ipa.conf + sed -i -e 's/^/#/' /etc/httpd/conf.d/ipa-rewrite.conf + /usr/sbin/apachectl restart # now create the ovirtadmin user echo @password@|kinit admin # change max username length policy diff --git a/wui/conf/ovirt-wui.conf b/wui/conf/ovirt-wui.conf index f56ce81..63e1dc4 100644 --- a/wui/conf/ovirt-wui.conf +++ b/wui/conf/ovirt-wui.conf @@ -2,11 +2,11 @@ NameVirtualHost *:80 <VirtualHost *:80> ProxyRequests Off -<Proxy *> +<ProxyMatch ^.*/ovirt/login.*$> AuthType Kerberos AuthName "Kerberos Login" KrbMethodNegotiate on - KrbMethodK5Passwd off + KrbMethodK5Passwd on KrbServiceName HTTP Krb5KeyTab /etc/httpd/conf/ipa.keytab KrbSaveCredentials on @@ -26,7 +26,7 @@ ProxyRequests Off RequestHeader set X-Forwarded-Keytab %{KRB5CCNAME}e # RequestHeader unset Authorization -</Proxy> +</ProxyMatch> Alias /ovirt/stylesheets "/usr/share/ovirt-wui/public/stylesheets" Alias /ovirt/images "/usr/share/ovirt-wui/public/images" diff --git a/wui/src/app/controllers/application.rb b/wui/src/app/controllers/application.rb index eacf6f3..53d0aa6 100644 --- a/wui/src/app/controllers/application.rb +++ b/wui/src/app/controllers/application.rb 
@@ -32,17 +32,16 @@ class ApplicationController < ActionController::Base before_filter :pre_show, :only => [:show, :show_vms, :show_users, :show_hosts, :show_storage] before_filter :authorize_admin, :only => [:new, :create, :edit, :update, :destroy] + before_filter :is_logged_in - def get_login_user - if ENV["RAILS_ENV"] != 'test' - user_from_principal(request.env["HTTP_X_FORWARDED_USER"]) - else - 'ovirtadmin' + def is_logged_in + if session[:user] == nil + redirect_to :controller => "login", :action => "login" end end - - def user_from_principal(principal) - principal.split('@')[0] + + def get_login_user + session[:user] end def set_perms(hwpool) diff --git a/wui/src/app/controllers/login_controller.rb b/wui/src/app/controllers/login_controller.rb new file mode 100644 index 0000000..5babb43 --- /dev/null +++ b/wui/src/app/controllers/login_controller.rb 
@@ -0,0 +1,39 @@ +# +# Copyright (C) 2008 Red Hat, Inc. +# Written by Steve Linabery <slinabery at redhat.com> +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, +# MA 02110-1301, USA. A copy of the GNU General Public License is +# also available at http://www.gnu.org/copyleft/gpl.html. + +# Filters added to this controller apply to all controllers in the application. +# Likewise, all the methods added will be available for all controllers. + +class LoginController < ActionController::Base + + before_filter :is_logged_in, :except => :login + def login + myUser = "ovirtadmin" + if ENV["RAILS_ENV"] != "test" + myUser = user_from_principal(request.env["HTTP_X_FORWARDED_USER"]) + end + session[:user] = myUser + redirect_to :controller => "dashboard" + end + + def user_from_principal(principal) + principal.split('@')[0] + end + +end diff --git a/wui/src/config/environment.rb b/wui/src/config/environment.rb index 379dcf4..d14899a 100644 --- a/wui/src/config/environment.rb +++ b/wui/src/config/environment.rb 
@@ -44,7 +44,7 @@ Rails::Initializer.run do |config| # Use the database for sessions instead of the file system # (create the session table with 'rake db:sessions:create') - # config.action_controller.session_store = :active_record_store + config.action_controller.session_store = :active_record_store config.action_controller.session = { :session_key => "_ovirt_session_id", :secret => "a covert ovirt phrase or some such" diff --git a/wui/src/db/migrate/013_create_sessions.rb b/wui/src/db/migrate/013_create_sessions.rb new file mode 100644 index 0000000..9eca543 --- /dev/null +++ b/wui/src/db/migrate/013_create_sessions.rb @@ -0,0 +1,35 @@ +# +# Copyright (C) 2008 Red Hat, Inc. +# Written by Steve Linabery <slinabery at redhat.com> +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, +# MA 02110-1301, USA. A copy of the GNU General Public License is +# also available at http://www.gnu.org/copyleft/gpl.html. + +class CreateSessions < ActiveRecord::Migration + def self.up + create_table :sessions do |t| + t.string :session_id, :null => false + t.text :data + t.timestamps + end + + add_index :sessions, :session_id + add_index :sessions, :updated_at + end + + def self.down + drop_table :sessions + end +end -- 1.5.5.2
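Review bot: `sed -i -e 's/^/#/' /etc/httpd/conf.d/ipa-rewrite.conf` in the wui-devel.ks hunk is not idempotent: every run of start() stacks another `#` onto each line (blank lines included), so a second boot leaves `##`-prefixed content behind. Move the file out of the conf.d glob instead, or guard the three seds with a marker test such as `grep -q ProxyMatch /etc/httpd/conf.d/ipa.conf ||`. The same hunk narrows `<Proxy *>` to `<ProxyMatch ^.*/ipa/ui.*$>`, which takes Kerberos auth off every other path ipa.conf proxies; confirm those paths are protected some other way before this ships. Run `apachectl configtest` before the restart so a sed that misses leaves httpd running on the old config rather than down.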
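Review bot: `KrbMethodK5Passwd on` in the ovirt-wui.conf hunk turns on the Basic-auth password fallback inside `<VirtualHost *:80>`, so the username/password typed into the Firefox dialog crosses the wire base64-encoded over plain HTTP, and with `# RequestHeader unset Authorization` still commented out that header is forwarded to the Rails backend as well. Serve the login path over TLS (redirect :80 to :443) and uncomment the unset inside the block. Separately, now that the block matches only `^.*/ovirt/login.*$`, the RequestHeader lines that feed X-Forwarded-* to Rails run only for that path; on every other path a client-supplied X-Forwarded-User passes through unchanged, so add an unconditional `RequestHeader unset X-Forwarded-User` outside the block as belt and braces, even though after this patch the app reads that header only on login.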
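Review bot: `is_logged_in` in the application.rb hunk redirects on `session[:user] == nil` for every controller in every environment, whereas the `get_login_user` it replaces special-cased `RAILS_ENV == 'test'`; any functional test that does not seed `session[:user]` will now get a 302 to the login action instead of the page under test. Seed the session in the test setup (or skip the filter in test) rather than reintroducing the env check. Make the halt explicit with `return false` after `redirect_to` so the filter chain stops whatever the Rails version's before_filter semantics, and write the check as `session[:user].nil?`. Non-browser callers get the same redirect to an HTML login page rather than a 401/403, which may matter for any API client.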
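Review bot: `LoginController < ActionController::Base` in the login_controller.rb hunk does not inherit ApplicationController, so `before_filter :is_logged_in, :except => :login` names a method this class never defines; it is dead while `login` is the only action and would raise NoMethodError the moment a second action (logout, say) is added. Subclass ApplicationController and use `skip_before_filter :is_logged_in, :only => :login`, which also removes the duplicated `user_from_principal`. That helper calls `principal.split('@')` with no nil guard: a request that reaches Rails without X-Forwarded-User (directly on the backend, or after the ProxyMatch regexp is edited) dies with NoMethodError on nil instead of being refused; check for nil and render a 403. Call `reset_session` before `session[:user] = myUser` so the authenticated session gets a fresh id rather than whatever cookie the client arrived with. Minor: `myUser` should be snake_case, and the header comment "Filters added to this controller apply to all controllers in the application" is copied from application.rb and is not true of this class.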
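Review bot: enabling `config.action_controller.session_store = :active_record_store` in the environment.rb hunk makes every request depend on the sessions table existing, so `rake db:migrate` must run before httpd starts on the appliance or every page, login included, fails; say so in the commit message or add the step to the ks. The `:secret => "a covert ovirt phrase or some such"` two lines down is unchanged here, but with the session machinery now in play it is worth replacing with a value generated per appliance at build time instead of a string anyone can read in git.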
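Review bot: 013_create_sessions.rb indexes `updated_at`, but nothing in the patch ever deletes rows, so the table grows without bound and a session stays valid for as long as its row survives, which answers the expiry question with "never". Pair the migration with a sweeper (rake task or cron) that runs `DELETE FROM sessions WHERE updated_at < <cutoff>` over that index, with a logout action that calls `reset_session`, and with an idle check in `is_logged_in` against a timestamp stored in the session.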
Alan Pevec
2008-Aug-14 14:35 UTC
[Ovirt-devel] [PATCH] Add username/password authentication for browsing from non-kerberized hosts
Steve Linabery wrote:
> Also, apologies for the comments in wui-devel.ks which wrap past 80 chars.
no apologies, use \ :)
> Please help me test this. Build a new appliance with this patch, ssh to the appliance, set a new ipa password for ovirtadmin, and then kdestroy. If you launch a browser after that, you should get an authorization-requested dialog from Firefox, and (following entry of the correct username/password) get redirected back to the dashboard.
works as advertised, so ACK

Comments:
- when to expire the session?
- and related: do we need explicit logout action?

> diff --git a/wui-appliance/wui-devel.ks b/wui-appliance/wui-devel.ks
> + /usr/sbin/apachectl restart
why not service httpd reload ?
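Alan's two questions above (when to expire the session, and whether an explicit logout action is needed) are worked through below in plain Ruby as an added example. This is not code from the ovirt patch or the project: the SessionStore stand-in for the sessions table, the 30-minute idle and 8-hour absolute limits, the nil-safe user_from_principal, and all method names are assumptions made for the illustration. It runs without Rails so it can be tried offline.

```ruby
# Added example, not part of the ovirt patch: session lifecycle policy in plain
# Ruby (no Rails). The timeouts, the in-memory SessionStore standing in for the
# `sessions` table, and the method names are assumptions for this illustration.
require 'securerandom'

# Stand-in for the table created by 013_create_sessions.rb: one row per session
# id, with created_at/updated_at playing the role of the migration's timestamps.
# Times are plain integer seconds so the example is deterministic.
class SessionStore
  Row = Struct.new(:session_id, :data, :created_at, :updated_at)

  def initialize
    @rows = {}
  end

  # 128-bit random id, minted fresh on every login (never reuse the client's).
  def create(data, now)
    id = SecureRandom.hex(16)
    @rows[id] = Row.new(id, data, now, now)
    id
  end

  def find(id)
    @rows[id]
  end

  def delete(id)
    @rows.delete(id)
  end

  # What a cron/rake sweeper would run as
  #   DELETE FROM sessions WHERE updated_at < cutoff
  # using the updated_at index; returns the number of rows removed.
  def sweep(cutoff)
    stale = @rows.values.select { |r| r.updated_at < cutoff }
    stale.each { |r| @rows.delete(r.session_id) }
    stale.size
  end

  def size
    @rows.size
  end
end

class SessionPolicy
  IDLE_TIMEOUT = 30 * 60      # assumed: 30 min without a request ends the session
  MAX_LIFETIME = 8 * 60 * 60  # assumed: re-authenticate at least every 8 h

  def initialize(store)
    @store = store
  end

  # Nil-safe take on the patch's user_from_principal: a missing header (request
  # reached Rails without the Kerberos proxy) yields nil rather than NoMethodError.
  def self.user_from_principal(principal)
    return nil if principal.nil?
    user = principal.split('@', 2).first
    user.nil? || user.empty? ? nil : user
  end

  # Login: returns a brand-new session id (defeats session fixation), or nil
  # when the principal is unusable so the caller can refuse the request.
  def login(principal, now)
    user = self.class.user_from_principal(principal)
    return nil unless user
    @store.create({ user: user }, now)
  end

  # Returns the user for a live session and touches updated_at; once the idle
  # or absolute limit is exceeded the row is dropped and nil is returned.
  def current_user(session_id, now)
    row = @store.find(session_id)
    return nil unless row
    if now - row.updated_at > IDLE_TIMEOUT || now - row.created_at > MAX_LIFETIME
      @store.delete(session_id)
      return nil
    end
    row.updated_at = now
    row.data[:user]
  end

  # Explicit logout: remove the server-side row so the cookie value is dead even
  # if the browser keeps sending it. Returns true if a session was ended.
  def logout(session_id)
    !@store.delete(session_id).nil?
  end
end
```

The two checks in current_user are independent on purpose: the idle limit catches an abandoned browser, the absolute limit bounds how long a stolen cookie is worth regardless of activity. The sweeper is what keeps the table from growing without bound; the updated_at index in the migration is exactly what such a DELETE needs.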
Jason Guiditta
2008-Aug-14 16:34 UTC
[Ovirt-devel] [PATCH] Add username/password authentication for browsing from non-kerberized hosts
Overall, ACK - works for me. Couple notes/tweaks below.

On Thu, 2008-08-14 at 02:45 -0500, Steve Linabery wrote:
> Once again, apologies for the attachment.
>
> Also, apologies for the comments in wui-devel.ks which wrap past 80 chars.
>
> Please help me test this. Build a new appliance with this patch, ssh to the appliance, set a new ipa password for ovirtadmin, and then kdestroy. If you launch a browser after that, you should get an authorization-requested dialog from Firefox, and (following entry of the correct username/password) get redirected back to the dashboard.
>
> Goodnight!
> Steve
>

diff --git a/wui/src/app/controllers/application.rb b/wui/src/app/controllers/application.rb index eacf6f3..53d0aa6 100644 --- a/wui/src/app/controllers/application.rb +++ b/wui/src/app/controllers/application.rb @@ -32,17 +32,16 @@ class ApplicationController < ActionController::Base before_filter :pre_show, :only => [:show, :show_vms, :show_users, :show_hosts, :show_storage] before_filter :authorize_admin, :only => [:new, :create, :edit, :update, :destroy] + before_filter :is_logged_in - def get_login_user - if ENV["RAILS_ENV"] != 'test' - user_from_principal(request.env["HTTP_X_FORWARDED_USER"]) - else - 'ovirtadmin' + def is_logged_in + if session[:user] == nil + redirect_to :controller => "login", :action => "login"

we may want to change this next rev, since we don't really want a redirect while the user is logged in and just reauthing
diff --git a/wui/src/app/controllers/login_controller.rb b/wui/src/app/controllers/login_controller.rb + before_filter :is_logged_in, :except => :login + def login + myUser = "ovirtadmin" + if ENV["RAILS_ENV"] != "test" + myUser = user_from_principal(request.env["HTTP_X_FORWARDED_USER"]) + end + session[:user] = myUser

To combine this with what I did in my earlier patch (which I will regenerate w/o the env test) and to make it more succinct, I would suggest changing the above block to:

session[:user] = (ENV["RAILS_ENV"] == "production") ? user_from_principal(request.env["HTTP_X_FORWARDED_USER"]) : "ovirtadmin"

+ redirect_to :controller => "dashboard"

Same comment as in application.rb for the redirect

-j