[Ovirt-devel] [PATCH] Add username/password authentication for browsing from non-kerberized hosts
Steve Linabery
slinabery at redhat.com
Thu Aug 14 07:45:12 UTC 2008
Once again, apologies for the attachment.
Also, apologies for the comments in wui-devel.ks which wrap past 80 chars.
Please help me test this. Build a new appliance with this patch, ssh to the appliance, set a new ipa password for ovirtadmin, and then kdestroy. If you launch a browser after that, you should get an authorization-requested dialog from Firefox, and (following entry of the correct username/password) get redirected back to the dashboard.
Goodnight!
Steve
-------------- next part --------------
>From 49410330dd46413b30c1ed29ec86cc73c6cf2f41 Mon Sep 17 00:00:00 2001
From: Steve Linabery <slinabery at redhat.com>
Date: Thu, 14 Aug 2008 02:41:17 -0500
Subject: [PATCH] Add username/password authentication for browsing from non-kerberized hosts
Add cookie-based session support and migration file.
New login controller.
---
wui-appliance/wui-devel.ks | 7 +++++
wui/conf/ovirt-wui.conf | 6 ++--
wui/src/app/controllers/application.rb | 15 +++++-----
wui/src/app/controllers/login_controller.rb | 39 +++++++++++++++++++++++++++
wui/src/config/environment.rb | 2 +-
wui/src/db/migrate/013_create_sessions.rb | 35 ++++++++++++++++++++++++
6 files changed, 92 insertions(+), 12 deletions(-)
create mode 100644 wui/src/app/controllers/login_controller.rb
create mode 100644 wui/src/db/migrate/013_create_sessions.rb
diff --git a/wui-appliance/wui-devel.ks b/wui-appliance/wui-devel.ks
index e36f3a7..5c334d1 100644
--- a/wui-appliance/wui-devel.ks
+++ b/wui-appliance/wui-devel.ks
@@ -152,6 +152,13 @@ start() {
ipa-server-install -r PRIV.OVIRT.ORG -p @password@ -P @password@ -a @password@ \
--hostname management.priv.ovirt.org -u dirsrv -U
+ # workaround for https://bugzilla.redhat.com/show_bug.cgi?id=459061
+ # note: this has to happen after ipa-server-install or the templating feature
+ # in ipa-server-install chokes on the characters in the regexp we add here.
+ sed -i -e 's#<Proxy \*>#<ProxyMatch ^.*/ipa/ui.*$>#' /etc/httpd/conf.d/ipa.conf
+ sed -i -e 's#</Proxy>#</ProxyMatch>#' /etc/httpd/conf.d/ipa.conf
+ sed -i -e 's/^/#/' /etc/httpd/conf.d/ipa-rewrite.conf
+ /usr/sbin/apachectl restart
# now create the ovirtadmin user
echo @password@|kinit admin
# change max username length policy
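Review bot: the two tag substitutions on ipa.conf are independent of each other and nothing verifies the result before `/usr/sbin/apachectl restart`. The first sed rewrites only an opening tag spelled exactly `<Proxy *>`, while the second rewrites every `</Proxy>` in the file, so a second Proxy block or a differently spelled opening tag leaves mismatched tags and httpd fails to come back while the kickstart carries on to the kinit steps. Suggest confirming that both substitutions matched and running `apachectl configtest` before the restart. The `s/^/#/` on ipa-rewrite.conf disables the whole file; a comment saying which rewrite rules are being given up would help whoever later removes the workaround.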
diff --git a/wui/conf/ovirt-wui.conf b/wui/conf/ovirt-wui.conf
index f56ce81..63e1dc4 100644
--- a/wui/conf/ovirt-wui.conf
+++ b/wui/conf/ovirt-wui.conf
@@ -2,11 +2,11 @@ NameVirtualHost *:80
<VirtualHost *:80>
ProxyRequests Off
-<Proxy *>
+<ProxyMatch ^.*/ovirt/login.*$>
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate on
- KrbMethodK5Passwd off
+ KrbMethodK5Passwd on
KrbServiceName HTTP
Krb5KeyTab /etc/httpd/conf/ipa.keytab
KrbSaveCredentials on
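Review bot: `KrbMethodK5Passwd on` is being enabled inside `<VirtualHost *:80>`, so the password fallback is HTTP Basic over plain HTTP and the user's Kerberos password crosses the network base64-encoded, not encrypted. The login location should be served over TLS only (a 443 vhost, or at least an SSL requirement on this block) before password auth is switched on. Separately, `^.*/ovirt/login.*$` matches any URL that merely contains /ovirt/login; anchoring it to the actual path prefix would make it clear which requests get the Kerberos challenge and which do not.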
@@ -26,7 +26,7 @@ ProxyRequests Off
RequestHeader set X-Forwarded-Keytab %{KRB5CCNAME}e
# RequestHeader unset Authorization
-</Proxy>
+</ProxyMatch>
Alias /ovirt/stylesheets "/usr/share/ovirt-wui/public/stylesheets"
Alias /ovirt/images "/usr/share/ovirt-wui/public/images"
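Review bot: `# RequestHeader unset Authorization` is still commented out just above the closing tag, and with `KrbMethodK5Passwd on` in the previous hunk the Authorization header now can carry the user's password in Basic form, which is then forwarded to the proxied Rails application. Suggest enabling the unset so the credential stops at Apache. Also note that `RequestHeader set X-Forwarded-Keytab` now only applies to URLs matching the login pattern; if any other path depended on that header being set (or overwritten) by Apache, it no longer is.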
diff --git a/wui/src/app/controllers/application.rb b/wui/src/app/controllers/application.rb
index eacf6f3..53d0aa6 100644
--- a/wui/src/app/controllers/application.rb
+++ b/wui/src/app/controllers/application.rb
@@ -32,17 +32,16 @@ class ApplicationController < ActionController::Base
before_filter :pre_show, :only => [:show, :show_vms, :show_users,
:show_hosts, :show_storage]
before_filter :authorize_admin, :only => [:new, :create, :edit, :update, :destroy]
+ before_filter :is_logged_in
- def get_login_user
- if ENV["RAILS_ENV"] != 'test'
- user_from_principal(request.env["HTTP_X_FORWARDED_USER"])
- else
- 'ovirtadmin'
+ def is_logged_in
+ if session[:user] == nil
+ redirect_to :controller => "login", :action => "login"
end
end
-
- def user_from_principal(principal)
- principal.split('@')[0]
+
+ def get_login_user
+ session[:user]
end
def set_perms(hwpool)
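Review bot: `before_filter :is_logged_in` is declared after `:pre_show` and `:authorize_admin`, and filters run in declaration order, so both of those run first on a request with no session, with `get_login_user` returning nil. Move the login check to the top of the filter list so nothing authorization-related executes before it. `session[:user] == nil` reads better as `session[:user].nil?`, and the removal of the test-environment branch from `get_login_user` means existing functional tests must now populate `session[:user]` themselves; that deserves a line in the commit message.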
diff --git a/wui/src/app/controllers/login_controller.rb b/wui/src/app/controllers/login_controller.rb
new file mode 100644
index 0000000..5babb43
--- /dev/null
+++ b/wui/src/app/controllers/login_controller.rb
@@ -0,0 +1,39 @@
+#
+# Copyright (C) 2008 Red Hat, Inc.
+# Written by Steve Linabery <slinabery at redhat.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+# MA 02110-1301, USA. A copy of the GNU General Public License is
+# also available at http://www.gnu.org/copyleft/gpl.html.
+
+# Filters added to this controller apply to all controllers in the application.
+# Likewise, all the methods added will be available for all controllers.
+
+class LoginController < ActionController::Base
+
+ before_filter :is_logged_in, :except => :login
+ def login
+ myUser = "ovirtadmin"
+ if ENV["RAILS_ENV"] != "test"
+ myUser = user_from_principal(request.env["HTTP_X_FORWARDED_USER"])
+ end
+ session[:user] = myUser
+ redirect_to :controller => "dashboard"
+ end
+
+ def user_from_principal(principal)
+ principal.split('@')[0]
+ end
+
+end
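Review bot: `login` stores whatever is in `request.env["HTTP_X_FORWARDED_USER"]` without checking it. If the header is missing, `user_from_principal` raises NoMethodError on nil; if it is empty, `split('@')[0]` yields nil, `session[:user]` becomes nil and the dashboard redirect bounces straight back to login in a loop. Reject a missing or empty principal with an error response instead of redirecting. Three smaller points in the same file: the class inherits from `ActionController::Base`, so the `is_logged_in` named in its `before_filter` is not defined here (it lives in ApplicationController); `user_from_principal` is public and therefore reachable as an action, so make it private; and calling `reset_session` before assigning `session[:user]` would keep a pre-login session id from being carried into the authenticated session. The "Filters added to this controller apply to all controllers" comment was copied from application.rb and is not true of this class.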
diff --git a/wui/src/config/environment.rb b/wui/src/config/environment.rb
index 379dcf4..d14899a 100644
--- a/wui/src/config/environment.rb
+++ b/wui/src/config/environment.rb
@@ -44,7 +44,7 @@ Rails::Initializer.run do |config|
# Use the database for sessions instead of the file system
# (create the session table with 'rake db:sessions:create')
- # config.action_controller.session_store = :active_record_store
+ config.action_controller.session_store = :active_record_store
config.action_controller.session = {
:session_key => "_ovirt_session_id",
:secret => "a covert ovirt phrase or some such"
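Review bot: the `:secret` on the context line right after the changed line is a fixed string committed to the tree, so every appliance built from this source shares it. Now that the session is what carries the logged-in identity, this is a good moment to generate that value per install (the kickstart already templates @password@) and not ship a constant. The comment above the changed line still points at `rake db:sessions:create`, while this patch adds its own migration; update the comment so the two do not disagree.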
diff --git a/wui/src/db/migrate/013_create_sessions.rb b/wui/src/db/migrate/013_create_sessions.rb
new file mode 100644
index 0000000..9eca543
--- /dev/null
+++ b/wui/src/db/migrate/013_create_sessions.rb
@@ -0,0 +1,35 @@
+#
+# Copyright (C) 2008 Red Hat, Inc.
+# Written by Steve Linabery <slinabery at redhat.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+# MA 02110-1301, USA. A copy of the GNU General Public License is
+# also available at http://www.gnu.org/copyleft/gpl.html.
+
+class CreateSessions < ActiveRecord::Migration
+ def self.up
+ create_table :sessions do |t|
+ t.string :session_id, :null => false
+ t.text :data
+ t.timestamps
+ end
+
+ add_index :sessions, :session_id
+ add_index :sessions, :updated_at
+ end
+
+ def self.down
+ drop_table :sessions
+ end
+end
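Review bot: nothing in this patch ever removes rows from `sessions` or treats an old row as expired, so a session created by `login` stays valid for as long as the browser keeps the cookie and the table grows without bound. The index on `:updated_at` suggests expiry was intended; add a periodic cleanup that deletes rows older than a chosen idle timeout, and have `is_logged_in` refuse sessions past it. Consider `add_index :sessions, :session_id, :unique => true` so duplicate session ids cannot be stored.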
--
1.5.5.2