[Ovirt-devel] [PATCH] Add username/password authentication for browsing from non-kerberized hosts

Steve Linabery slinabery at redhat.com
Fri Aug 15 03:08:09 UTC 2008 

On Thu, Aug 14, 2008 at 12:34:41PM -0400, Jason Guiditta wrote:
> Overall, ACK -works for me.  Couple notes/tweaks below.

Hi all,

Here's a revised patch which addresses most if not all of the concerns with the first version.

I await your review!

Thanks,
Steve
-------------- next part --------------
>From fd1e3e9793c110fe6a4be77def0ac8c8ae7fbff0 Mon Sep 17 00:00:00 2001
From: Steve Linabery <slinabery at redhat.com>
Date: Thu, 14 Aug 2008 20:16:12 -0500
Subject: [PATCH] Add basic auth for browsing from non-kerberized hosts.

This will require rake db:migrate or rebuild of appliance due to new session table in db.
---
 wui-appliance/wui-devel.ks                  |   10 +++++++
 wui/conf/ovirt-wui.conf                     |    6 ++--
 wui/src/app/controllers/application.rb      |   15 ++++------
 wui/src/app/controllers/login_controller.rb |   37 +++++++++++++++++++++++++++
 wui/src/config/environment.rb               |    2 +-
 wui/src/db/migrate/013_create_sessions.rb   |   35 +++++++++++++++++++++++++
 6 files changed, 92 insertions(+), 13 deletions(-)
 create mode 100644 wui/src/app/controllers/login_controller.rb
 create mode 100644 wui/src/db/migrate/013_create_sessions.rb

diff --git a/wui-appliance/wui-devel.ks b/wui-appliance/wui-devel.ks
index 3793026..5729b60 100644
--- a/wui-appliance/wui-devel.ks
+++ b/wui-appliance/wui-devel.ks
@@ -152,6 +152,16 @@ start() {
 	ipa-server-install -r PRIV.OVIRT.ORG -p @password@ -P @password@ -a @password@ \
 	  --hostname management.priv.ovirt.org -u dirsrv -U
 
+        # workaround for https://bugzilla.redhat.com/show_bug.cgi?id=459061
+        # note: this has to happen after ipa-server-install or the templating
+	# feature in ipa-server-install chokes on the characters in the regexp
+	# we add here.
+        sed -i -e 's#<Proxy \*>#<ProxyMatch ^.*/ipa/ui.*$>#' \
+          /etc/httpd/conf.d/ipa.conf
+        sed -i -e 's#</Proxy>#</ProxyMatch>#' /etc/httpd/conf.d/ipa.conf
+        # workaround for https://bugzilla.redhat.com/show_bug.cgi?id=459209
+        sed -i -e 's/^/#/' /etc/httpd/conf.d/ipa-rewrite.conf
+	service httpd restart
 	# now create the ovirtadmin user
 	echo @password@|kinit admin
 	# change max username length policy
diff --git a/wui/conf/ovirt-wui.conf b/wui/conf/ovirt-wui.conf
index 280d541..56ad1f8 100644
--- a/wui/conf/ovirt-wui.conf
+++ b/wui/conf/ovirt-wui.conf
@@ -2,11 +2,11 @@ NameVirtualHost *:80
 <VirtualHost *:80>
 ProxyRequests Off
 
-<Proxy *>
+<ProxyMatch ^.*/ovirt/login.*$>
   AuthType Kerberos
   AuthName "Kerberos Login"
   KrbMethodNegotiate on
-  KrbMethodK5Passwd off
+  KrbMethodK5Passwd on
   KrbServiceName HTTP
   Krb5KeyTab /etc/httpd/conf/ipa.keytab
   KrbSaveCredentials on
@@ -26,7 +26,7 @@ ProxyRequests Off
   RequestHeader set X-Forwarded-Keytab %{KRB5CCNAME}e
 
   # RequestHeader unset Authorization
-</Proxy>
+</ProxyMatch>
 
 Alias /ovirt/stylesheets "/usr/share/ovirt-wui/public/stylesheets"
 Alias /ovirt/images "/usr/share/ovirt-wui/public/images"
diff --git a/wui/src/app/controllers/application.rb b/wui/src/app/controllers/application.rb
index eacf6f3..f779131 100644
--- a/wui/src/app/controllers/application.rb
+++ b/wui/src/app/controllers/application.rb
@@ -32,19 +32,16 @@ class ApplicationController < ActionController::Base
   before_filter :pre_show, :only => [:show, :show_vms, :show_users, 
                                      :show_hosts, :show_storage]
   before_filter :authorize_admin, :only => [:new, :create, :edit, :update, :destroy]
+  before_filter :is_logged_in
+
+  def is_logged_in
+    redirect_to (:controller => "login", :action => "login") unless session[:user] != nil
+  end
 
   def get_login_user
-    if ENV["RAILS_ENV"] != 'test'
-        user_from_principal(request.env["HTTP_X_FORWARDED_USER"])
-    else
-        'ovirtadmin'
-    end
+    (ENV["RAILS_ENV"] == "production") ? session[:user] : "ovirtadmin"
   end
   
-  def user_from_principal(principal)
-    principal.split('@')[0]
-  end
-
   def set_perms(hwpool)
     @user = get_login_user
     @can_view = hwpool.can_view(@user)
diff --git a/wui/src/app/controllers/login_controller.rb b/wui/src/app/controllers/login_controller.rb
new file mode 100644
index 0000000..65d18e7
--- /dev/null
+++ b/wui/src/app/controllers/login_controller.rb
@@ -0,0 +1,37 @@
+# 
+# Copyright (C) 2008 Red Hat, Inc.
+# Written by Steve Linabery <slinabery at redhat.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+# MA  02110-1301, USA.  A copy of the GNU General Public License is
+# also available at http://www.gnu.org/copyleft/gpl.html.
+
+# Filters added to this controller apply to all controllers in the application.
+# Likewise, all the methods added will be available for all controllers.
+
+class LoginController < ActionController::Base
+
+  before_filter :is_logged_in, :except => :login
+  def login
+    session[:user] = (ENV["RAILS_ENV"] == "production") ? 
+    user_from_principal(request.env["HTTP_X_FORWARDED_USER"]) :
+      "ovirtadmin"
+    redirect_to :controller => "dashboard"
+  end
+
+  def user_from_principal(principal)
+    principal.split('@')[0]
+  end
+
+end
diff --git a/wui/src/config/environment.rb b/wui/src/config/environment.rb
index 379dcf4..d14899a 100644
--- a/wui/src/config/environment.rb
+++ b/wui/src/config/environment.rb
@@ -44,7 +44,7 @@ Rails::Initializer.run do |config|
 
   # Use the database for sessions instead of the file system
   # (create the session table with 'rake db:sessions:create')
-  # config.action_controller.session_store = :active_record_store
+  config.action_controller.session_store = :active_record_store
   config.action_controller.session = {
   :session_key => "_ovirt_session_id",
   :secret => "a covert ovirt phrase or some such" 
diff --git a/wui/src/db/migrate/013_create_sessions.rb b/wui/src/db/migrate/013_create_sessions.rb
new file mode 100644
index 0000000..9eca543
--- /dev/null
+++ b/wui/src/db/migrate/013_create_sessions.rb
@@ -0,0 +1,35 @@
+#
+# Copyright (C) 2008 Red Hat, Inc.
+# Written by Steve Linabery <slinabery at redhat.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+# MA  02110-1301, USA.  A copy of the GNU General Public License is
+# also available at http://www.gnu.org/copyleft/gpl.html.
+
+class CreateSessions < ActiveRecord::Migration
+  def self.up
+    create_table :sessions do |t|
+      t.string :session_id, :null => false
+      t.text :data
+      t.timestamps
+    end
+
+    add_index :sessions, :session_id
+    add_index :sessions, :updated_at
+  end
+
+  def self.down
+    drop_table :sessions
+  end
+end
-- 
1.5.5.2

More information about the ovirt-devel mailing list