Yair Zaslavsky has submitted this change and it was merged.

Change subject: 14. core: Add header authenticator
......................................................................

14. core: Add header authenticator

This patch introduces a new authenticator that assumes that the
authentication has already been performed by the web server and that
takes the user name from a configurable request header.

To use this authenticator the web server has to be configured to
populate a header with the name of the authenticated user. An overly
simple example is the following:

  <Location /ovirt-engine/webadmin>
    RequestHeader set X-Remote-User jdoe
  </Location>

This makes the web server add the X-Remote-User header with the value
"jdoe" to all the requests for URLs starting with
/ovirt-engine/webadmin.

After doing this the engine can be configured by creating a header.conf
file inside /etc/ovirt-engine/auth.conf.d with the following content:

  #
  # The name of the authentication profile:
  #
  name=simple

  #
  # The name of the module that contains the authenticator and the
  # directory implementations:
  #
  module=org.ovirt.engine.core.authentication

  #
  # The types of the authenticator and the directory to use:
  #
  authenticator.type=header
  directory.type=nop

  #
  # The name of the header to extract the user name from:
  #
  authenticator.header=X-Remote-User

The net result is that users connecting to the /ovirt-engine/webadmin
URL will be automatically authenticated as "jdoe" without having to
provide any credentials.

A more realistic example of the web server configuration is the
following:

  <Location /ovirt-engine/webadmin>
    AuthType Basic
    AuthName "Protected"
    AuthBasicProvider file
    AuthUserFile /etc/httpd/conf/users
    Require valid-user

    #
    # This is needed in order to enable the rewrite engine later,
    # otherwise the web server refuses to enable it because it
    # allows a similar mechanism to circumvent directory
    # restrictions:
    #
    Options +FollowSymLinks

    #
    # These rewrite rules are intended to copy the value of the
    # REMOTE_USER CGI environment variable into a header, as
    # JBoss AS 7 doesn't currently have a mechanism to access
    # the environment variable:
    #
    RewriteEngine On
    RewriteCond %{REMOTE_USER} ^(.*)$
    RewriteRule ^(.*)$ - [E=REMOTE_USER:%1]
    RequestHeader set X-Remote-User %{REMOTE_USER}e
  </Location>

With this web server configuration and the same engine header.conf
engine configuration described above, users will be asked for
credentials by the web server. Those credentials will be checked by the
web server using the /etc/httpd/conf/users file, and then the user will
be automatically logged in to the engine without having to provide any
additional credentials.

Change-Id: If2e212641d41f30fee753edff9581bd5c4fc31e2
Signed-off-by: Juan Hernandez <juan.hernan...@redhat.com>
---
A backend/manager/modules/authentication/src/main/java/org/ovirt/engine/core/authentication/header/HeaderAuthenticator.java
A backend/manager/modules/authentication/src/main/java/org/ovirt/engine/core/authentication/header/HeaderAuthenticatorFactory.java
M backend/manager/modules/authentication/src/main/resources/META-INF/services/org.ovirt.engine.core.authentication.AuthenticatorFactory
3 files changed, 143 insertions(+), 0 deletions(-)

Approvals:
  Yair Zaslavsky: Verified; Looks good to me, approved

--
To view, visit http://gerrit.ovirt.org/21028

Gerrit-MessageType: merged
Gerrit-Change-Id: If2e212641d41f30fee753edff9581bd5c4fc31e2
Gerrit-PatchSet: 32
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Juan Hernandez <juan.hernan...@redhat.com>
Gerrit-Reviewer: Alon Bar-Lev <alo...@redhat.com>
Gerrit-Reviewer: Juan Hernandez <juan.hernan...@redhat.com>
Gerrit-Reviewer: Liran Zelkha <lzel...@redhat.com>
Gerrit-Reviewer: Martin Peřina <mper...@redhat.com>
Gerrit-Reviewer: Ravi Nori <rn...@redhat.com>
Gerrit-Reviewer: Yair Zaslavsky <yzasl...@redhat.com>
Gerrit-Reviewer: oVirt Jenkins CI Server
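
An added example, not part of the commit or of the oVirt project: a variant of the realistic web server configuration from the commit message that discards any X-Remote-User value arriving from the client and sets the header only when the web server's own authentication produced a user name. It assumes Apache httpd with mod_headers, mod_rewrite and the basic authentication modules loaded, and that the engine accepts connections only from this web server.

```apache
# Added example (not from the commit). Assumptions: mod_headers, mod_rewrite
# and the basic auth modules are loaded, and the engine is reachable only
# through this web server.

# Server or virtual host level, outside any <Location>: remove an
# X-Remote-User header sent by the client, for every URL. mod_headers applies
# this before the "set" inside the <Location> block below, so the only value
# that can reach the engine is the one this server writes.
RequestHeader unset X-Remote-User

<Location /ovirt-engine/webadmin>
  AuthType Basic
  AuthName "Protected"
  AuthBasicProvider file
  AuthUserFile /etc/httpd/conf/users
  Require valid-user

  # Needed to enable the rewrite engine in this context.
  Options +FollowSymLinks

  # Copy REMOTE_USER into an environment variable only when it is non-empty
  # (.+ rather than .*), so the variable stays unset for any request that
  # carries no authenticated user.
  RewriteEngine On
  RewriteCond %{REMOTE_USER} ^(.+)$
  RewriteRule ^(.*)$ - [E=REMOTE_USER:%1]

  # Write the header only when the variable exists. Without the env=
  # condition mod_headers expands an unset variable to the literal string
  # "(null)" and would forward that as the user name.
  RequestHeader set X-Remote-User %{REMOTE_USER}e env=REMOTE_USER
</Location>
```

The engine-side header.conf shown in the commit message is used unchanged with this configuration.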