Re: mod_fcgid - cannot get authorizer process to be started

2009-10-01 Thread Barry Scott

Jeff Trawick wrote:
On Wed, Sep 30, 2009 at 11:37 AM, Barry Scott barry.sc...@onelan.co.uk wrote:


At this point let me ask this:

Is it possible with the current code to ever have the fcgid
Authorizer called?


yes


thanks for the confirmation and the example.

I now have my Authorizer code and have the authentication happening.

Listen *:9000
<VirtualHost *:9000>
   <Location />
   Order allow,deny
   Allow from all
   AuthType Digest
   AuthName "Manager System"
   AuthUserFile /home/bscott/Work/httpd-fcgid-test/auth/http.passwd

   Require onelan magic
   FastCgiAuthorizer /home/bscott/wc/svn/NTB-Next/onelan/DSM/Sources/WebUserInterface/bin/Authorizer.sh

   </Location>
</VirtualHost>


What I have learned about the code is this:

* If any Require directive is present a 401 is returned if no credentials are sent
* If any Require directive is present and credentials are present they are checked and the username is set in r.
* If any Require directive is present and it's not processed by any other authorizer the FastCgiAuthorizer is run


It would be nice to reserve a Require entity name for use by fast CGI.
The code as written today does not care if a Require entity name is processed by any module.
Use of valid-group that sounds official but is simply a Require entity name that no module supports.


Barry
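
The behaviour summarized in this message, and the reason Require valid-user never reaches the FastCGI authorizer, as an added example that is not part of the original thread and is not httpd or mod_fcgid source: a simplified C model of the httpd 2.2 authorization hook chain. The hook order, the struct and function names, and the FastCGI script's constructed "deny" verdict are assumptions of the model.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of the httpd 2.2 authorization stage described in this
 * thread. Not httpd or mod_fcgid source; the hook order is an assumption. */
enum { DECLINED = -1, OK = 0, HTTP_UNAUTHORIZED = 401 };

struct cfg {
    const char *require;         /* text after "Require" */
    int have_group_file;         /* is AuthGroupFile configured? */
    int groupfile_authoritative; /* AuthzGroupFileAuthoritative */
    int fcgid_allows;            /* constructed verdict of the FastCGI script */
};

/* valid-user is answered outright, so later hooks never run. */
static int authz_user(const struct cfg *c)
{
    return strcmp(c->require, "valid-user") == 0 ? OK : DECLINED;
}

/* Acts on "group ..." only when a group file is configured. The constructed
 * group file never lists the user, so the group check always fails here. */
static int authz_groupfile(const struct cfg *c)
{
    if (!c->have_group_file || strncmp(c->require, "group ", 6) != 0)
        return DECLINED;
    return c->groupfile_authoritative ? HTTP_UNAUTHORIZED : DECLINED;
}

/* Reached only if every earlier hook declined; modelled as authoritative. */
static int fcgid_authorizer(const struct cfg *c)
{
    return c->fcgid_allows ? OK : HTTP_UNAUTHORIZED;
}

/* The first hook that does not decline decides; report which one it was. */
static const char *decided_by(const struct cfg *c, int *status)
{
    if ((*status = authz_user(c)) != DECLINED) return "mod_authz_user";
    if ((*status = authz_groupfile(c)) != DECLINED) return "mod_authz_groupfile";
    *status = fcgid_authorizer(c);
    return "mod_fcgid";
}

/* Wrappers: the FastCGI script is set to deny, so an OK result means the
 * script was bypassed. */
static const char *who(const char *require, int group_file, int authoritative)
{
    struct cfg c = { require, group_file, authoritative, 0 };
    int status;
    return decided_by(&c, &status);
}

static int result(const char *require, int group_file, int authoritative)
{
    struct cfg c = { require, group_file, authoritative, 0 };
    int status;
    decided_by(&c, &status);
    return status;
}

int main(void)
{
    const char *reqs[] = { "valid-user", "valid-group", "group nosuchgroup", "onelan magic" };
    for (int i = 0; i < 4; i++)
        for (int gf = 0; gf <= 1; gf++)
            printf("Require %-18s AuthGroupFile=%d -> %s (%d)\n",
                   reqs[i], gf, who(reqs[i], gf, 1), result(reqs[i], gf, 1));
    return 0;
}
```

An OK result for valid-user while the script is set to deny is the condition to look for when auditing a configuration that relies on a FastCGI authorizer as a veto.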



Re: mod_fcgid - cannot get authorizer process to be started

2009-09-30 Thread Barry Scott

At this point let me ask this:

Is it possible with the current code to ever have the fcgid Authorizer 
called?


If it is not possible I'm willing to try and code the missing pieces, with a little
help being pointed in the right direction.

Barry



Re: mod_fcgid - cannot get authorizer process to be started

2009-09-30 Thread Jeff Trawick
On Wed, Sep 30, 2009 at 11:37 AM, Barry Scott barry.sc...@onelan.co.uk wrote:

 At this point let me ask this:

 Is it possible with the current code to ever have the fcgid Authorizer
 called?


yes

This works for me, though it uses the unfortunate valid-group hack with
httpd 2.2 so that no authorizers running before fcgid think they should
evaluate:

<Location /docs>
  <IfVersion >= 2.2>
    AuthBasicAuthoritative Off
    # AuthBasicProvider foo
  </IfVersion>

  # work around problem with AAA in mod_fcgid (it can't track more than
  # one AAA script per URL, and even then the URL can't be handled by a
  # FastCGI app)
  #
  # FastCgiAccessChecker %%MYHG%%/apache/fastcgi/apps/access_check.pl
  # FastCgiAuthenticator %%MYHG%%/apache/fastcgi/apps/authenticate.pl
  # FastCgiAuthorizer    %%MYHG%%/apache/fastcgi/apps/authorize.pl

  FastCgiAccessChecker %%MYHG%%/apache/fcgid/apps/aaa.pl
  FastCgiAuthenticator %%MYHG%%/apache/fcgid/apps/aaa.pl
  FastCgiAuthorizer    %%MYHG%%/apache/fcgid/apps/aaa.pl

  FastCgiAccessCheckerAuthoritative On
  FastCgiAuthenticatorAuthoritative On
  FastCgiAuthorizerAuthoritative    On

  AuthType Basic
  AuthName foo

  <IfVersion < 2.3>

    <IfVersion < 2.2>
      Require group foo
    </IfVersion>

    <IfVersion >= 2.2>
      Require valid-group
    </IfVersion>

    Order allow,deny
    Allow from all
  </IfVersion>

  <IfVersion >= 2.3>
    Require group foo
  </IfVersion>

</Location>




 If it is not possible I'm willing to try and code the missing pieces, with
 a little
 help being pointed in the right direction.


I hope some require experts could jump in ;)

A good solution might be to associate a script with a particular
require-ment so that mod_fcgid can check the Require for any require-ments
implemented by a FastCGI script.

[too] simple example:

FCGIDRequire mydb-user /path/to/my/authorizer.sh

<Location /foo>
  Require mydb-user
  SetEnv whatever-needed-by-authorizer.sh
</Location>


Re: mod_fcgid - cannot get authorizer process to be started

2009-09-30 Thread Jeff Trawick
On Wed, Sep 30, 2009 at 12:11 PM, Jeff Trawick traw...@gmail.com wrote:

 On Wed, Sep 30, 2009 at 11:37 AM, Barry Scott barry.sc...@onelan.co.uk wrote:

 At this point let me ask this:

 Is it possible with the current code to ever have the fcgid Authorizer
 called?


 yes

 This works for me, though it uses the unfortunate valid-group hack with
 httpd 2.2 so that no authorizers running before fcgid think they should
 evaluate:

 Location /docs
   IfVersion = 2.2
   AuthBasicAuthoritative Off
 # AuthBasicProvider foo
   /IfVersion

   # work around problem with AAA in mod_fcgid (it can't track more than
   # one AAA script per URL, and even then the URL can't be handled by a
   # FastCGI app)
   #
   # FastCgiAccessChecker %%MYHG%%/apache/fastcgi/apps/access_check.pl
   # FastCgiAuthenticator %%MYHG%%/apache/fastcgi/apps/authenticate.pl
   # FastCgiAuthorizer%%MYHG%%/apache/fastcgi/apps/authorize.pl

   FastCgiAccessChecker %%MYHG%%/apache/fcgid/apps/aaa.pl
   FastCgiAuthenticator %%MYHG%%/apache/fcgid/apps/aaa.pl
   FastCgiAuthorizer%%MYHG%%/apache/fcgid/apps/aaa.pl

   FastCgiAccessCheckerAuthoritative On
   FastCgiAuthenticatorAuthoritative On
   FastCgiAuthorizerAuthoritativeOn

   AuthType Basic
   AuthName foo

   IfVersion  2.3

   IfVersion  2.2
 Require group foo
   /IfVersion

   IfVersion = 2.2
 Require valid-group
   /IfVersion

 Order allow,deny
 Allow from all
   /IfVersion

   IfVersion = 2.3
 Require group foo
   /IfVersion

 /Location




 If it is not possible I'm willing to try and code the missing pieces, with
 a little
 help being pointed in the right direction.


 I hope some require experts could jump in ;)

 A good solution might be to associate a script with a particular
 require-ment so that mod_fcgid can check the Require for any require-ments
 implemented by a FastCGI script.

 [too] simple example:

 FCGIDRequire mydb-user /path/to/my/authorizer.sh

 Location /foo
   Require mydb-user
   SetEnv whatever-needed-by-authorizer.sh
 /Location


BTW, authentication is another area where mod_fcgid could better fit in with
httpd (in this case, 2.2+).  Bundled authn modules implement a provider,
and the admin can specify which provider(s) handles authn.  That's better
than just calling all the authn hooks in a somewhat mysterious order and
having them look at other config to decide if they should try to
authenticate.  It would be nice to configure a FastCGI authenticator as a
provider, and then specify that the provider should be used within a
particular container.


mod_fcgid - cannot get authorizer process to be started

2009-09-29 Thread Barry Scott
The mod_fcgid page says to ask on dev I assume that this is the right place to ask.

I'm using mod_fcgid from svn with HTTPD 2.2.

I want to use a fast CGI authorizer to allow me to control access based on my rules.

The authorizer needs to be a long running process - never exits.

I know that the fcgid code is noticing the directive because I can change the filename
and see the error message from the sources.

But I'm at a loss as to the required to get this configuration to actually call my code.

mod_fcgid is not starting up the authorizer process.

I have the following fcgid specific lines in my httpd.conf file:

 httpd.conf 
...
LoadModule fcgid_module modules/mod_fcgid.so
...

Listen *:9000
<VirtualHost *:9000>
  <Location />
  Order allow,deny
  Allow from all
  AuthType Digest
  AuthName "Manager System"
  Require valid-user
  AuthGroupFile /home/bscott/Work/httpd-fcgid-test/auth/http.group
  AuthUserFile /home/bscott/Work/httpd-fcgid-test/auth/http.passwd

  FastCgiAuthorizer /home/bscott/wc/svn/NTB-Next/onelan/DSM/Sources/WebUserInterface/bin/Authorizer

  </Location>

  <Location /player>
  #+ HTTP auth file
  Order allow,deny
  Allow from all
  AuthType Digest
  AuthName "Manager System"
  Require valid-user
  AuthGroupFile /home/bscott/Work/httpd-fcgid-test/auth/http.group
  AuthUserFile /home/bscott/Work/httpd-fcgid-test/auth/http.passwd
  #- HTTP auth file
  #FCGID

  </Location>
</VirtualHost>
---

Barry






Re: mod_fcgid - cannot get authorizer process to be started

2009-09-29 Thread Jeff Trawick
On Tue, Sep 29, 2009 at 8:18 AM, Barry Scott barry.sc...@onelan.co.uk wrote:

 The mod_fcgid page says to ask on dev I assume that this is the right place
 to ask.

 I'm using mod_fcgid from svn with HTTPD 2.2.

 I want to use a fast CGI authorizer to allow me to control access based on
 my rules.
 The authorizer needs to be a long running process - never exits.

 I know that the fcgid code is noticing the directive because I can change
 the filename
 and see the error message from the sources.

 But I'm at a lose as to the required to get this configuration to actually
 call my code.
 mod_fcgid is not starting up the authorizer process.

 I have the following fcgid specific lines in my httpd.conf file:

  httpd.conf 
 ...
 LoadModule fcgid_module modules/mod_fcgid.so
 ...

 Listen *:9000
 VirtualHost *:9000
  Location /
  Order allow,deny
  Allow from all
  AuthType Digest


Did you really mean Digest authentication instead of Basic authentication?

mod_fcgid only supports Basic, AFAICT.

/* Get the user password */
if ((res = ap_get_basic_auth_pw(r, password)) != OK)
    return res;


Re: mod_fcgid - cannot get authorizer process to be started

2009-09-29 Thread Barry Scott

Jeff Trawick wrote:
On Tue, Sep 29, 2009 at 8:18 AM, Barry Scott barry.sc...@onelan.co.uk 
mailto:barry.sc...@onelan.co.uk wrote:


The mod_fcgid page says to ask on dev I assume that this is the
right place to ask.

I'm using mod_fcgid from svn with HTTPD 2.2.

I want to use a fast CGI authorizer to allow me to control access
based on my rules.
The authorizer needs to be a long running process - never exits.

I know that the fcgid code is noticing the directive because I can
change the filename
and see the error message from the sources.

But I'm at a lose as to the required to get this configuration to
actually call my code.
mod_fcgid is not starting up the authorizer process.

I have the following fcgid specific lines in my httpd.conf file:

 httpd.conf 
...
LoadModule fcgid_module modules/mod_fcgid.so
...

Listen *:9000
VirtualHost *:9000
 Location /
 Order allow,deny
 Allow from all
 AuthType Digest


Did you really mean Digest authentication instead of Basic authentication?

mod_fcgid only supports Basic, AFAICT.

/* Get the user password */
if ((res = ap_get_basic_auth_pw(r, password)) != OK)
return res;



I don't want to be an authenticator, I want to be an authorizer.
Authorizer has no need of passwords, right?

Barry




Re: mod_fcgid - cannot get authorizer process to be started

2009-09-29 Thread Jeff Trawick
On Tue, Sep 29, 2009 at 11:26 AM, Barry Scott barry.sc...@onelan.co.uk wrote:

 Jeff Trawick wrote:

  On Tue, Sep 29, 2009 at 8:18 AM, Barry Scott 
 barry.sc...@onelan.co.ukmailto:
 barry.sc...@onelan.co.uk wrote:

The mod_fcgid page says to ask on dev I assume that this is the
right place to ask.

I'm using mod_fcgid from svn with HTTPD 2.2.

I want to use a fast CGI authorizer to allow me to control access
based on my rules.
The authorizer needs to be a long running process - never exits.

I know that the fcgid code is noticing the directive because I can
change the filename
and see the error message from the sources.

But I'm at a lose as to the required to get this configuration to
actually call my code.
mod_fcgid is not starting up the authorizer process.

I have the following fcgid specific lines in my httpd.conf file:

 httpd.conf 
...
LoadModule fcgid_module modules/mod_fcgid.so
...

Listen *:9000
VirtualHost *:9000
 Location /
 Order allow,deny
 Allow from all
 AuthType Digest


 Did you really mean Digest authentication instead of Basic authentication?

 mod_fcgid only supports Basic, AFAICT.

/* Get the user password */
if ((res = ap_get_basic_auth_pw(r, password)) != OK)
return res;


 I don't want to be an authenticator, I want to be a authorizer.
 Authorizer has no need of passwords right.


whoops :(

yes

your require valid-user implies that you don't need authorization; try
require valid-group instead


Re: mod_fcgid - cannot get authorizer process to be started

2009-09-29 Thread Barry Scott

Jeff Trawick wrote:
On Tue, Sep 29, 2009 at 11:26 AM, Barry Scott 
barry.sc...@onelan.co.uk mailto:barry.sc...@onelan.co.uk wrote:


Jeff Trawick wrote:

On Tue, Sep 29, 2009 at 8:18 AM, Barry Scott
barry.sc...@onelan.co.uk mailto:barry.sc...@onelan.co.uk
mailto:barry.sc...@onelan.co.uk
mailto:barry.sc...@onelan.co.uk wrote:

   The mod_fcgid page says to ask on dev I assume that this is the
   right place to ask.

   I'm using mod_fcgid from svn with HTTPD 2.2.

   I want to use a fast CGI authorizer to allow me to control
access
   based on my rules.
   The authorizer needs to be a long running process - never
exits.

   I know that the fcgid code is noticing the directive
because I can
   change the filename
   and see the error message from the sources.

   But I'm at a lose as to the required to get this
configuration to
   actually call my code.
   mod_fcgid is not starting up the authorizer process.

   I have the following fcgid specific lines in my httpd.conf
file:

    httpd.conf 
   ...
   LoadModule fcgid_module modules/mod_fcgid.so
   ...

   Listen *:9000
   VirtualHost *:9000
Location /
Order allow,deny
Allow from all
AuthType Digest


Did you really mean Digest authentication instead of Basic
authentication?

mod_fcgid only supports Basic, AFAICT.

   /* Get the user password */
   if ((res = ap_get_basic_auth_pw(r, password)) != OK)
   return res;


I don't want to be an authenticator, I want to be a authorizer.
Authorizer has no need of passwords right.


whoops :(

yes

your require valid-user implies that you don't need authorization; 
try require valid-group instead


I want the user's password checked and to only proceed if it is valid.
I also want to run the fcgi Authorizer to check that the URL being
accessed is allowed according to the logic in my Authorizer code.

To that end I have the following:

   <Location />
   Order allow,deny
   Allow from all

   # Use digest auth to check the username/password pair
   AuthType Digest
   AuthName "Manager System"
   # no one gets in without a valid username/password pair
   Require valid-user

   # Use these files to find the passwd and group information
   AuthGroupFile /home/bscott/Work/httpd-fcgid-test/auth/http.group
   AuthUserFile /home/bscott/Work/httpd-fcgid-test/auth/http.passwd

   # Run the Authorizer.sh to veto URL based on the username
   FastCgiAuthorizer /home/bscott/wc/svn/NTB-Next/onelan/DSM/Sources/WebUserInterface/bin/Authorizer.sh

   </Location>

What triggers HTTPD to call the Authorizer.sh code?
Surely not the commands that control authentication checks?

I cannot find Require valid-group defined in the 2.2 docs.

Do you mean I need to add:

 Require group nosuchgroup

And that will cause the mod_authn_user (or whatever module) to try
and match nosuchgroup. When it fails my Authenticator will be run
to see if it can handle that directive?

Isn't this module crying out for a directive like:

   Require fcgid-authenticater-user-is-valid

Barry



Re: mod_fcgid - cannot get authorizer process to be started

2009-09-29 Thread Barry Scott

Barry Scott wrote:

Jeff Trawick wrote:
On Tue, Sep 29, 2009 at 11:26 AM, Barry Scott 
barry.sc...@onelan.co.uk mailto:barry.sc...@onelan.co.uk wrote:


Jeff Trawick wrote:

On Tue, Sep 29, 2009 at 8:18 AM, Barry Scott
barry.sc...@onelan.co.uk mailto:barry.sc...@onelan.co.uk
mailto:barry.sc...@onelan.co.uk
mailto:barry.sc...@onelan.co.uk wrote:

   The mod_fcgid page says to ask on dev I assume that this 
is the

   right place to ask.

   I'm using mod_fcgid from svn with HTTPD 2.2.

   I want to use a fast CGI authorizer to allow me to control
access
   based on my rules.
   The authorizer needs to be a long running process - never
exits.

   I know that the fcgid code is noticing the directive
because I can
   change the filename
   and see the error message from the sources.

   But I'm at a lose as to the required to get this
configuration to
   actually call my code.
   mod_fcgid is not starting up the authorizer process.

   I have the following fcgid specific lines in my httpd.conf
file:

    httpd.conf 
   ...
   LoadModule fcgid_module modules/mod_fcgid.so
   ...

   Listen *:9000
   VirtualHost *:9000
Location /
Order allow,deny
Allow from all
AuthType Digest


Did you really mean Digest authentication instead of Basic
authentication?

mod_fcgid only supports Basic, AFAICT.

   /* Get the user password */
   if ((res = ap_get_basic_auth_pw(r, password)) != OK)
   return res;


I don't want to be an authenticator, I want to be a authorizer.
Authorizer has no need of passwords right.


whoops :(

yes

your require valid-user implies that you don't need authorization; 
try require valid-group instead


I want the users password checked and to only proceed if it is valid.
I also want to run the fcgi Authorizer to check that the URL being
access is allowed according to the logic in my Authorizer code.

To that end I have the following:

   Location /
   Order allow,deny
   Allow from all

   # Use digest auth to check the username/password pair
   AuthType Digest
   AuthName Manager System
   # no one gets in without a valid username/password pair
   Require valid-user

   # Use these files to find the passwd and group information
   AuthGroupFile /home/bscott/Work/httpd-fcgid-test/auth/http.group
   AuthUserFile /home/bscott/Work/httpd-fcgid-test/auth/http.passwd

   # Run the Authorizer.sh to veto URL based on the username
   FastCgiAuthorizer 
/home/bscott/wc/svn/NTB-Next/onelan/DSM/Sources/WebUserInterface/bin/Authorizer.sh 


   /Location

What triggers HTTPD to call the Authorizer.sh code?
Surely not the commands that control authentication checks?

I cannot find Require valid-group defined in the 2.2 docs.

Do you mean I need to add:

 Require group nosuchgroup


This does not work...


And that will cause the mod_authn_user (or what ever module) to try
and match nosuchgroup. When it fails my Authenicator will be run
to see if it can handle that directive?

Isn't this module crying out for a directive like:

   Require fcgid-authenticater-user-is-valid

Barry




Barry



Re: mod_fcgid - cannot get authorizer process to be started

2009-09-29 Thread Jeff Trawick
On Tue, Sep 29, 2009 at 12:51 PM, Barry Scott barry.sc...@onelan.co.uk wrote:

 Barry Scott wrote:

 Jeff Trawick wrote:

 On Tue, Sep 29, 2009 at 11:26 AM, Barry Scott 
 barry.sc...@onelan.co.ukmailto:
 barry.sc...@onelan.co.uk wrote:

Jeff Trawick wrote:

On Tue, Sep 29, 2009 at 8:18 AM, Barry Scott
barry.sc...@onelan.co.uk mailto:barry.sc...@onelan.co.uk
mailto:barry.sc...@onelan.co.uk
mailto:barry.sc...@onelan.co.uk wrote:

   The mod_fcgid page says to ask on dev I assume that this is the
   right place to ask.

   I'm using mod_fcgid from svn with HTTPD 2.2.

   I want to use a fast CGI authorizer to allow me to control
access
   based on my rules.
   The authorizer needs to be a long running process - never
exits.

   I know that the fcgid code is noticing the directive
because I can
   change the filename
   and see the error message from the sources.

   But I'm at a lose as to the required to get this
configuration to
   actually call my code.
   mod_fcgid is not starting up the authorizer process.

   I have the following fcgid specific lines in my httpd.conf
file:

    httpd.conf 
   ...
   LoadModule fcgid_module modules/mod_fcgid.so
   ...

   Listen *:9000
   VirtualHost *:9000
Location /
Order allow,deny
Allow from all
AuthType Digest


Did you really mean Digest authentication instead of Basic
authentication?

mod_fcgid only supports Basic, AFAICT.

   /* Get the user password */
   if ((res = ap_get_basic_auth_pw(r, password)) != OK)
   return res;


I don't want to be an authenticator, I want to be a authorizer.
Authorizer has no need of passwords right.


 whoops :(

 yes

 your require valid-user implies that you don't need authorization; try
 require valid-group instead


 I want the users password checked and to only proceed if it is valid.
 I also want to run the fcgi Authorizer to check that the URL being
 access is allowed according to the logic in my Authorizer code.


require valid-user means that all it takes to access this resource is a
properly authenticated user.

If mod_authz_user sees valid-user during the authorization stage, it
returns OK and mod_fcgid's authorization hook is not called.  You want to
take it further and also run the authorizer, since a properly authenticated
user is not good enough.  So require valid-user or require user xxx or
other checks that can be made since the user is already known can't be used.

require valid-group is a hack to bypass checks that the AAA modules know
how to make (require user foo, require group bar, require ldap-group ...,
etc.).  There's no provision to allow a FastCGI authorizer app to implement
a particular authorization require-ment. require group foo can also get
you to your authorizer (subject to what the group file module would do).  I
haven't checked if that required group name is available to your authorizer.





 To that end I have the following:

   Location /
   Order allow,deny
   Allow from all

   # Use digest auth to check the username/password pair
   AuthType Digest
   AuthName Manager System
   # no one gets in without a valid username/password pair
   Require valid-user


mod_authz_user always returns OK from authorization hook with this require



   # Use these files to find the passwd and group information
   AuthGroupFile /home/bscott/Work/httpd-fcgid-test/auth/http.group


not needed and maybe harmful depending on your require directive



   AuthUserFile /home/bscott/Work/httpd-fcgid-test/auth/http.passwd

   # Run the Authorizer.sh to veto URL based on the username
   FastCgiAuthorizer
 /home/bscott/wc/svn/NTB-Next/onelan/DSM/Sources/WebUserInterface/bin/Authorizer.sh

   /Location

 What triggers HTTPD to call the Authorizer.sh code?
 Surely not the commands that control authentication checks?


yes, the require directive; furthermore, if authorization hooks called
before mod_fcgid's think they have answered the question authoritatively,
mod_fcgid won't be called



 I cannot find Require valid-group defined in the 2.2 docs.

 Do you mean I need to add:

 Require group nosuchgroup


 This does not work...


because mod_authz_groupfile sees your AuthGroupFile and tries to answer
based on its contents (as well as whether or not that check is authoritative
(see
http://httpd.apache.org/docs/2.2/mod/mod_authz_groupfile.html#authzgroupfileauthoritative))?




 And that will cause the mod_authn_user (or what ever module) to try
 and match nosuchgroup. When it fails my Authenicator will be run
 to see if it can handle that directive?

 Isn't this module crying out for a directive like: