Juan Hernandez has uploaded a new change for review.
Change subject: core: Add remote user authenticator
......................................................................
core: Add remote user authenticator
This patch adds an authenticator that performs authentication using the
user name specified in the REMOTE_USER CGI environment variable. This
environment variable isn't directly accessible by the application
server, but indirectly via the HttpServletRequest.getRemoteUser()
method. In JBoss AS 7 this method will return a result only if using the
AJP connector and if JBoss Web is configured to not perform
authentication. Unfortunately it isn't possible to configure JBoss Web
to not perform authentication in JBoss AS 7.1.1; the capability has been
added in JBoss EAP 6.1 and in WildFly 8. In these newer versions there
is a new system property available for this purpose. This patch adds
that variable to the engine configuration:
<property
name="org.apache.coyote.ajp.AprProcessor.TOMCATAUTHENTICATION"
value="false"
/>
Note that this property will be completely ignored in JBoss AS 7.1.1,
and thus this authenticator won't work.
To configure this authenticator create an authentication profile
configuration inside /etc/ovirt-engine/auth.d like the following:
#
# The name of the authentication profile:
#
name=myprofile
#
# The type of the authenticator:
#
authenticator.type=remote
#
# The type of the directory:
#
directory.type=nop
The web server also needs to be configured to perform authentication,
for example:
<Location /webadmin>
AuthType Basic
AuthName "Protected"
AuthBasicProvider file
AuthUserFile /etc/httpd/conf/users
Require valid-user
</Location>
Change-Id: I0856ac9b9631f3b25eff4a9c93bb548727c74587
Signed-off-by: Juan Hernandez <[email protected]>
---
A
backend/manager/modules/authentication/src/main/java/org/ovirt/engine/core/authentication/remote/RemoteUserAuthenticator.java
A
backend/manager/modules/authentication/src/main/java/org/ovirt/engine/core/authentication/remote/RemoteUserAuthenticatorFactory.java
M
backend/manager/modules/authentication/src/main/resources/META-INF/services/org.ovirt.engine.core.authentication.AuthenticatorFactory
M packaging/services/ovirt-engine/ovirt-engine.xml.in
4 files changed, 139 insertions(+), 0 deletions(-)
git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/99/21299/1
diff --git
a/backend/manager/modules/authentication/src/main/java/org/ovirt/engine/core/authentication/remote/RemoteUserAuthenticator.java
b/backend/manager/modules/authentication/src/main/java/org/ovirt/engine/core/authentication/remote/RemoteUserAuthenticator.java
new file mode 100644
index 0000000..cf25969
--- /dev/null
+++
b/backend/manager/modules/authentication/src/main/java/org/ovirt/engine/core/authentication/remote/RemoteUserAuthenticator.java
@@ -0,0 +1,93 @@
+package org.ovirt.engine.core.authentication.remote;
+
+import static org.apache.commons.lang.StringUtils.isEmpty;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.ovirt.engine.core.authentication.NegotiatingAuthenticator;
+import org.ovirt.engine.core.authentication.NegotiationResult;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * This authenticator assumes that the web server has already performed the
authentication and takes the user from a
+ * {@code REMOTE_USER} CGI environment variable. The Apache web server, for
example, this variable is passed by the
+ * AJP connector, and it is available calling {@link
javax.servlet.http.HttpServletRequest#getRemoteUser()}. Note that
+ * in JBoss AS 7.1.1 this is disabled, and can't be enabled. Starting with
JBoss EAP 6.1 and with WildFly 8 this has
+ * to be aenabled adding the following system property:
+ *
+ * <pre>
+ * -Dorg.apache.coyote.ajp.AprProcessor.TOMCATAUTHENTICATION=false
+ * </pre>
+ *
+ * Inside JBoss AS the natural place for this is the {@code standalone.xml}
file, something like this:
+ *
+ * <pre>
+ * <property name="org.apache.coyote.ajp.AprProcessor.TOMCATAUTHENTICATION"
value="false"/>
+ * </pre>
+ *
+ * To enable this authenticator create an authentication profile like this:
+ *
+ * <pre>
+ * name=myprofile
+ * module=org.ovirt.engine.core.authentication
+ * authenticator.type=remote
+ * directory.type=nop
+ * </pre>
+ *
+ * And configure the web server with your preferred authentication mechanism,
fore example:
+ *
+ * <pre>
+ * <Location /webadmin>
+ * AuthType Basic
+ * AuthName "Protected"
+ * AuthBasicProvider file
+ * AuthUserFile /etc/httpd/conf/users
+ * Require valid-user
+ * </pre>
+ */
+public class RemoteUserAuthenticator implements NegotiatingAuthenticator {
+ // The log:
+ private static final Logger log =
LoggerFactory.getLogger(RemoteUserAuthenticator.class);
+
+ // The name of the authenticator:
+ private String name;
+
+ /**
+ * Create a new remote user authenticator.
+ *
+ * @param name the name of the authenticator
+ */
+ public RemoteUserAuthenticator(String name) {
+ this.name = name;
+ }
+
+ /**
+ * {@inheritDoc}
+ */
+ @Override
+ public String getName() {
+ return name;
+ }
+
+ /**
+ * {@inheritDoc}
+ */
+ @Override
+ public NegotiationResult negotiate(HttpServletRequest req,
HttpServletResponse rsp) {
+ // Get the value of the REMOTE_USER CGI environment variable, if it
isn't available send a warning explaining
+ // that the web server or the application server may not be correctly
configured:
+ String value = req.getRemoteUser();
+ if (isEmpty(value)) {
+ log.warn(
+ "Can't authenticate the user because the REMOTE_USER CGI
environment variable isn't available, check" +
+ "the configuration of the web server and the application
server."
+ );
+ return new NegotiationResult(false, null);
+ }
+
+ // We are good, the user has already been authenticated by the web
server:
+ return new NegotiationResult(true, value);
+ }
+}
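Review bot: The warning built in the lines after `log.warn(` concatenates `"... isn't available, check" + "the configuration ..."` with no separating space, so the logged text reads "checkthe configuration"; change the first fragment to `"Can't authenticate the user because the REMOTE_USER CGI environment variable isn't available, check " +`. The value returned by `req.getRemoteUser()` is accepted as the authenticated identity with no further check, and the ovirt-engine.xml.in change in this same patch disables Tomcat's own AJP authentication, so the class Javadoc should state that the AJP connector must accept connections only from the front-end web server that performed the authentication, because any peer allowed to reach the connector can supply that value. In the same Javadoc, `aenabled` and `fore example` are typos, the `<Location /webadmin>` example lacks the closing `</Location>` line that the commit message has, and the `<property .../>` and `<Location>` lines inside `<pre>` will be parsed as HTML by the Javadoc tool unless written with `&lt;`/`&gt;`. The `name` field is assigned only in the constructor and could be declared `private final String name;`.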
diff --git
a/backend/manager/modules/authentication/src/main/java/org/ovirt/engine/core/authentication/remote/RemoteUserAuthenticatorFactory.java
b/backend/manager/modules/authentication/src/main/java/org/ovirt/engine/core/authentication/remote/RemoteUserAuthenticatorFactory.java
new file mode 100644
index 0000000..f7d59a9
--- /dev/null
+++
b/backend/manager/modules/authentication/src/main/java/org/ovirt/engine/core/authentication/remote/RemoteUserAuthenticatorFactory.java
@@ -0,0 +1,41 @@
+package org.ovirt.engine.core.authentication.remote;
+
+import java.io.File;
+
+import org.ovirt.engine.core.authentication.Authenticator;
+import org.ovirt.engine.core.authentication.AuthenticatorFactory;
+import org.ovirt.engine.core.authentication.Configuration;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class RemoteUserAuthenticatorFactory implements AuthenticatorFactory {
+ // The log:
+ private static final Logger log =
LoggerFactory.getLogger(RemoteUserAuthenticatorFactory.class);
+
+ // The type supported by this factory:
+ private static final String TYPE = "remote";
+
+ // Names of the configuration parameters:
+ private static final String NAME_PARAMETER = "name";
+
+ @Override
+ public String getType() {
+ return TYPE;
+ }
+
+ @Override
+ public Authenticator create(File file, Configuration config) {
+ // Get the name of the authenticator:
+ String name = config.getInheritedString(NAME_PARAMETER);
+ if (name == null) {
+ log.error(
+ "The configuration file \"{}\" doesn't contain the name of the
authenticator.",
+ file.getAbsolutePath()
+ );
+ return null;
+ }
+
+ // We are good, create the authenticator:
+ return new RemoteUserAuthenticator(name);
+ }
+}
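Review bot: `RemoteUserAuthenticatorFactory` has no class-level Javadoc, unlike the `RemoteUserAuthenticator` it creates, and `create` does not document that it returns `null` when the profile has no name. Add `/** Factory for {@link RemoteUserAuthenticator}; handles profiles whose {@code authenticator.type} is {@code remote}. */` above the class, and on `create` a `@return the authenticator, or {@code null} if the configuration file doesn't contain a name` tag so callers know the null contract. The error branch evaluates `file.getAbsolutePath()` inside the log call; if a caller may pass a null `file`, that would throw before anything is logged — worth confirming against the `AuthenticatorFactory` contract, which is outside this hunk.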
diff --git
a/backend/manager/modules/authentication/src/main/resources/META-INF/services/org.ovirt.engine.core.authentication.AuthenticatorFactory
b/backend/manager/modules/authentication/src/main/resources/META-INF/services/org.ovirt.engine.core.authentication.AuthenticatorFactory
index e5e211f..9c88471 100644
---
a/backend/manager/modules/authentication/src/main/resources/META-INF/services/org.ovirt.engine.core.authentication.AuthenticatorFactory
+++
b/backend/manager/modules/authentication/src/main/resources/META-INF/services/org.ovirt.engine.core.authentication.AuthenticatorFactory
@@ -7,3 +7,4 @@
org.ovirt.engine.core.authentication.kerberos.KerberosPasswordAuthenticatorFactory
org.ovirt.engine.core.authentication.openstack.KeystoneAuthenticatorFactory
org.ovirt.engine.core.authentication.nop.NopAuthenticatorFactory
+org.ovirt.engine.core.authentication.remote.RemoteUserAuthenticatorFactory
diff --git a/packaging/services/ovirt-engine/ovirt-engine.xml.in
b/packaging/services/ovirt-engine/ovirt-engine.xml.in
index acfa985..d262f99 100644
--- a/packaging/services/ovirt-engine/ovirt-engine.xml.in
+++ b/packaging/services/ovirt-engine/ovirt-engine.xml.in
@@ -34,6 +34,10 @@
<property name="org.apache.coyote.http11.Http11Protocol.COMPRESSION"
value="on"/>
<property
name="org.apache.coyote.http11.Http11Protocol.COMPRESSION_MIME_TYPES"
value="text/javascript,text/css,text/html,text/xml,text/json,application/x-yaml,application/xml,application/json"/>
+ <!-- Disable authentication in Tomcat so that the application
+ will be able to access the name of the remote user: -->
+ <property name="org.apache.coyote.ajp.AprProcessor.TOMCATAUTHENTICATION"
value="false"/>
+
</system-properties>
<!-- We need to enable the management subsystem because it is an
--
Gerrit-MessageType: newchange
Gerrit-Change-Id: I0856ac9b9631f3b25eff4a9c93bb548727c74587
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Juan Hernandez <[email protected]>