[Ovirt-devel] [PATCH] Add username/password authentication for browsing from non-kerberized hosts
Steve Linabery
slinabery at redhat.com
Fri Aug 15 03:08:09 UTC 2008
On Thu, Aug 14, 2008 at 12:34:41PM -0400, Jason Guiditta wrote:
> Overall, ACK -works for me. Couple notes/tweaks below.
Hi all,
Here's a revised patch which addresses most if not all of the concerns with the first version.
I await your review!
Thanks,
Steve
-------------- next part --------------
>From fd1e3e9793c110fe6a4be77def0ac8c8ae7fbff0 Mon Sep 17 00:00:00 2001
From: Steve Linabery <slinabery at redhat.com>
Date: Thu, 14 Aug 2008 20:16:12 -0500
Subject: [PATCH] Add basic auth for browsing from non-kerberized hosts.
This will require rake db:migrate or rebuild of appliance due to new session table in db.
---
wui-appliance/wui-devel.ks | 10 +++++++
wui/conf/ovirt-wui.conf | 6 ++--
wui/src/app/controllers/application.rb | 15 ++++------
wui/src/app/controllers/login_controller.rb | 37 +++++++++++++++++++++++++++
wui/src/config/environment.rb | 2 +-
wui/src/db/migrate/013_create_sessions.rb | 35 +++++++++++++++++++++++++
6 files changed, 92 insertions(+), 13 deletions(-)
create mode 100644 wui/src/app/controllers/login_controller.rb
create mode 100644 wui/src/db/migrate/013_create_sessions.rb
diff --git a/wui-appliance/wui-devel.ks b/wui-appliance/wui-devel.ks
index 3793026..5729b60 100644
--- a/wui-appliance/wui-devel.ks
+++ b/wui-appliance/wui-devel.ks
@@ -152,6 +152,16 @@ start() {
ipa-server-install -r PRIV.OVIRT.ORG -p @password@ -P @password@ -a @password@ \
--hostname management.priv.ovirt.org -u dirsrv -U
+ # workaround for https://bugzilla.redhat.com/show_bug.cgi?id=459061
+ # note: this has to happen after ipa-server-install or the templating
+ # feature in ipa-server-install chokes on the characters in the regexp
+ # we add here.
+ sed -i -e 's#<Proxy \*>#<ProxyMatch ^.*/ipa/ui.*$>#' \
+ /etc/httpd/conf.d/ipa.conf
+ sed -i -e 's#</Proxy>#</ProxyMatch>#' /etc/httpd/conf.d/ipa.conf
+ # workaround for https://bugzilla.redhat.com/show_bug.cgi?id=459209
+ sed -i -e 's/^/#/' /etc/httpd/conf.d/ipa-rewrite.conf
+ service httpd restart
# now create the ovirtadmin user
echo @password@|kinit admin
# change max username length policy
diff --git a/wui/conf/ovirt-wui.conf b/wui/conf/ovirt-wui.conf
index 280d541..56ad1f8 100644
--- a/wui/conf/ovirt-wui.conf
+++ b/wui/conf/ovirt-wui.conf
@@ -2,11 +2,11 @@ NameVirtualHost *:80
<VirtualHost *:80>
ProxyRequests Off
-<Proxy *>
+<ProxyMatch ^.*/ovirt/login.*$>
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate on
- KrbMethodK5Passwd off
+ KrbMethodK5Passwd on
KrbServiceName HTTP
Krb5KeyTab /etc/httpd/conf/ipa.keytab
KrbSaveCredentials on
@@ -26,7 +26,7 @@ ProxyRequests Off
RequestHeader set X-Forwarded-Keytab %{KRB5CCNAME}e
# RequestHeader unset Authorization
-</Proxy>
+</ProxyMatch>
Alias /ovirt/stylesheets "/usr/share/ovirt-wui/public/stylesheets"
Alias /ovirt/images "/usr/share/ovirt-wui/public/images"
diff --git a/wui/src/app/controllers/application.rb b/wui/src/app/controllers/application.rb
index eacf6f3..f779131 100644
--- a/wui/src/app/controllers/application.rb
+++ b/wui/src/app/controllers/application.rb
@@ -32,19 +32,16 @@ class ApplicationController < ActionController::Base
before_filter :pre_show, :only => [:show, :show_vms, :show_users,
:show_hosts, :show_storage]
before_filter :authorize_admin, :only => [:new, :create, :edit, :update, :destroy]
+ before_filter :is_logged_in
+
+ def is_logged_in
+ redirect_to (:controller => "login", :action => "login") unless session[:user] != nil
+ end
def get_login_user
- if ENV["RAILS_ENV"] != 'test'
- user_from_principal(request.env["HTTP_X_FORWARDED_USER"])
- else
- 'ovirtadmin'
- end
+ (ENV["RAILS_ENV"] == "production") ? session[:user] : "ovirtadmin"
end
- def user_from_principal(principal)
- principal.split('@')[0]
- end
-
def set_perms(hwpool)
@user = get_login_user
@can_view = hwpool.can_view(@user)
diff --git a/wui/src/app/controllers/login_controller.rb b/wui/src/app/controllers/login_controller.rb
new file mode 100644
index 0000000..65d18e7
--- /dev/null
+++ b/wui/src/app/controllers/login_controller.rb
@@ -0,0 +1,37 @@
+#
+# Copyright (C) 2008 Red Hat, Inc.
+# Written by Steve Linabery <slinabery at redhat.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+# MA 02110-1301, USA. A copy of the GNU General Public License is
+# also available at http://www.gnu.org/copyleft/gpl.html.
+
+# Filters added to this controller apply to all controllers in the application.
+# Likewise, all the methods added will be available for all controllers.
+
+class LoginController < ActionController::Base
+
+ before_filter :is_logged_in, :except => :login
+ def login
+ session[:user] = (ENV["RAILS_ENV"] == "production") ?
+ user_from_principal(request.env["HTTP_X_FORWARDED_USER"]) :
+ "ovirtadmin"
+ redirect_to :controller => "dashboard"
+ end
+
+ def user_from_principal(principal)
+ principal.split('@')[0]
+ end
+
+end
diff --git a/wui/src/config/environment.rb b/wui/src/config/environment.rb
index 379dcf4..d14899a 100644
--- a/wui/src/config/environment.rb
+++ b/wui/src/config/environment.rb
@@ -44,7 +44,7 @@ Rails::Initializer.run do |config|
# Use the database for sessions instead of the file system
# (create the session table with 'rake db:sessions:create')
- # config.action_controller.session_store = :active_record_store
+ config.action_controller.session_store = :active_record_store
config.action_controller.session = {
:session_key => "_ovirt_session_id",
:secret => "a covert ovirt phrase or some such"
diff --git a/wui/src/db/migrate/013_create_sessions.rb b/wui/src/db/migrate/013_create_sessions.rb
new file mode 100644
index 0000000..9eca543
--- /dev/null
+++ b/wui/src/db/migrate/013_create_sessions.rb
@@ -0,0 +1,35 @@
+#
+# Copyright (C) 2008 Red Hat, Inc.
+# Written by Steve Linabery <slinabery at redhat.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+# MA 02110-1301, USA. A copy of the GNU General Public License is
+# also available at http://www.gnu.org/copyleft/gpl.html.
+
+class CreateSessions < ActiveRecord::Migration
+ def self.up
+ create_table :sessions do |t|
+ t.string :session_id, :null => false
+ t.text :data
+ t.timestamps
+ end
+
+ add_index :sessions, :session_id
+ add_index :sessions, :updated_at
+ end
+
+ def self.down
+ drop_table :sessions
+ end
+end
--
1.5.5.2
More information about the ovirt-devel
mailing list