[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: OpenShift Authentication alternative options?



Oh that's cool!

Now the bit when you were telling me your console was a release behind makes sense :D 

Cheers!

On Sun, Jul 13, 2014 at 10:45 PM, Mateus Caruccio <mateus caruccio getupcloud com> wrote:
We've implemented a simple login page in a separated branch:


On Sat, Jul 12, 2014 at 10:49 PM, Andrew Lau <andrew andrewklau com> wrote:

On Sun, Jul 13, 2014 at 4:57 AM, Clayton Coleman <ccoleman redhat com> wrote:
OpenShift Online implements a custom broker auth plugin in Rails to connect to our internal Red Hat authentication server (complex version of the mongo auth plugin).

It has been a long standing goal to make the console cookie session aware, use an auth token as a session key, and to separate the login/logout function out into a separate, pluggable set of pages.  I started a branch a while back that took code from online and moved it up.  The challenge is that it would make mod_auth integration change slightly and I was hesitant to inflict that on downstream consumers.  I'll try to publish that branch so folks can see it.

In a future revision of OpenShift we are considering moving the broker api to be 100% auth token based, and only allowing custom authentication (excluding client certs which are carried with https automatically) on a single endpoint - the POST /authorizations hook.  That would dramatically simplify the work to integrate for clients, but it's a somewhat large change.  Note that if we did this we'd introduce a new API version (the long awaited v2 API).  The console would then be forced to become auth token compatible and we'd have to split that out.  As part of that, it might be time to add an general auth component to Openshift (supporting oauth2 and multiple logins per user).  

Any other things folks want out of auth on Openshift?

Awesome! Do you know if there is any hidden documentation on how the current state of the mongo auth plugin for Openshift Origin works? It seems to be an option for things like the puppet modules, but nothing about user creatione tc.

On Jul 12, 2014, at 1:36 PM, Mateus Caruccio <mateus caruccio getupcloud com> wrote:

At getupcloud we use a pretty standard django backend for authentication.

Here is a snippet of our /var/www/openshift/broker/httpd/conf.d/openshift-origin-auth-remote-user.conf


WSGIPythonPath /var/www/html/getup/admin:/var/www/html/getup/.env/lib/python2.6/site-packages
WSGIScriptAlias /getup /var/www/html/getup/admin/admin/wsgi.py
...
<Location /broker>
    AuthName "OpenShift Broker API"
    AuthType Basic
    AuthBasicProvider wsgi
    WSGIAuthUserScript /var/www/html/getup/admin/admin/wsgi.py

    Require valid-user

    SetEnvIfNoCase Authorization Bearer passthrough

    # The node->broker auth is handled in the Ruby code
    BrowserMatchNoCase "^OpenShift" passthrough
    BrowserMatchNoCase "^Java OpenShift" passthrough

    Allow from env=passthrough

    # Console traffic will hit the local port.  mod_proxy will set this header automatically.
    SetEnvIf X-Forwarded-For "^$" local_traffic=1
    # Turn the Console output header into the Apache environment variable for the broker remote-user plugin
    SetEnvIf X-Remote-User "(..*)" REMOTE_USER=$1
    Allow from env=local_traffic

    Order Deny,Allow
    Deny from all
    Satisfy any
</Location>

Looks very similar to how my mod_authnz_external attempt worked, but I was using PHP and a remote API instead. How about the console aspect, the concept of that popup login prompt feels so dated.. 
 

Mateus Caruccio
Master of Puppets
+55 (51) 8298.0026
gtalk: mateus caruccio getupcloud com
twitter: @MateusCaruccio

This message and any attachment are solely for the intended
recipient and may contain confidential or privileged information
and it can not be forwarded or shared without permission.
Thank you!


On Sat, Jul 12, 2014 at 8:54 AM, Andrew Lau <andrew andrewklau com> wrote:
Hi all,

I've been experimenting options to integrate openshift authentication
with other alternatives, plus add another option that pesky no logout
button that seems to be asked a lot.

I've so far found two methods, which 'should' work in theory. I
haven't tested it on an openshift install yet.. So let me throw some
ideas in the pit

- Using mod_authnz_external, it's possible to query a php/perl/python
file for a simple exit (0) or exit (1). The script could query a
remote API or database, easy enough and works well. I've used this for
MySQL queries before, redmine, etc. It works, but sometimes has some
weird selinux issues depending on the backend. For most cases with
querying a PHP file, it works great!

- Using httpd24, mod_auth_form is an option. Pretty much, it allows
you to create a full style'd HTML form which can do a POST for
user/password. The way I could see this working, is creating a
dedicated 'authserver' which would accept these auths and then reverse
proxy that over the openshift broker. Short of, modifying all of the
config to work with httpd24.

Both seem to support a 'logout derivative' ie,
http://httpd.apache.org/docs/current/mod/mod_auth_form.html#authformlogoutlocation

If I understand correctly, as openshift origin relies on httpd to do
auth. We don't have to create users? Previously when using kerberos, I
never had to register user accounts. I assume that would be the same
for these methods.

Alternatively, any hints on how the production deployments like
getupcloud and rh's openshift doing it?

Thanks,
Andrew

_______________________________________________
dev mailing list
dev lists openshift redhat com
http://lists.openshift.redhat.com/openshiftmm/listinfo/dev

_______________________________________________
dev mailing list
dev lists openshift redhat com
http://lists.openshift.redhat.com/openshiftmm/listinfo/dev




[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]