[Kimchi-devel] [PATCH 1/2] authorization: Update /login to return user roles instead of sudo parameter

Aline Manera alinefm at linux.vnet.ibm.com
Fri Jul 11 12:15:41 UTC 2014 


On 07/11/2014 08:40 AM, Wen Wang wrote:
> The login pattern has been changed to the traditional login page which
> the "username" and the "password" will be  submitted using form. However
> the "/login" api is used in the login_window pattern that we no longer
> use. When using the "/login", browser get a "303" and redirect the page
> to |https://9.123.141.135:8001/#tabs/guests.
>
> from my point of view, I suppose we build another API that supplies the
> "GET" method for the browser to get the username and role. Or else pass
> the "username" and "role" through xml to have it stored into
> sessionstorage or cookie.
>

Got your point!

 From backend code I have:

@cherrypy.expose
def login(self, *args, **kwargs):
     ...
     auth.login(username, password, **kwa)
     raise cherrypy.HTTPRedirect(next_url, 303)

I suggest we do the redirection in the front end after receiving the 
login data

@cherrypy.expose
def login(self, *args, **kwargs):
     ...
     return auth.login(username, password, **kwa)

And in UI get the data and redirect to right page

What do you think?

> For the roles, I recommend we have at least four for this release:
> *admin*, *by-instance*, *read-only*, *none*. It's the by-instance mode I
> have to explain.

The roles for 1.3 will be "admin" and "user"

What you listed above are the "mode" attribute values

>
> from the diagram, tab mode is used for xml transfering which tab is
> going to be displayed by user role. Take "Guest" tab for example, not
> only do we need to show the tab, but also we need to know the user's
> role so that we can display the proper vms. Different users need
> different privilege for action.

Related to the guest tab, if the user has access to a VM (ie, user is 
assigned to that VM) he/she will have full control in the VM

admin has full access, guest might be
> divided into two roles: one is common users we give the user the ability
> to start/stop/delete the vms that belongs to him, the other one might be
> admin-user who is able to have the whole access to the action tab. To
> clarify that, we need the by-instance tab. and the sub-tab.
>

Let me try to resume:

"admin" role in Guest tab can do everything: manage all VMs, create new 
ones, etc

"user" role in Guest tab can manage all the VMs listed and CAN NOT 
CREATE NEW ONE

We just need to care about those 2 roles right now

When we add more roles, we do the adjustments needed to accommodate them

> Waiting for your comments
>
> Best Regards
>
> Wang Wen
>
> |On 7/11/2014 10:16 AM, alinefm at linux.vnet.ibm.com wrote:
>> From: Aline Manera<alinefm at linux.vnet.ibm.com>
>>
>> For now, Kimchi just supports 2 types of user roles: 'admin' - user has
>> full control of Kimchi features and 'user' with limited access. But in
>> future the idea is to have more and more roles so it is good to
>> already provide the authorization support with that in mind.
>> That way, instead of only returning if user has or not sudo permissions, the
>> /login API will return the user roles.
>> If the user has sudo permissions he/she will have 'admin' role,
>> otherwise, 'user' role.
>>
>> curl -H "Content-Type: application/json" -H "Accept: application/json"
>>    http://localhost:8010/login
>>    -d'{"username": "guest", "password": "guest-passwd"}' -X POST
>>
>> {"username": "guest", "roles": ["user"], "groups": []}
>>
>> curl -H "Content-Type: application/json" -H "Accept: application/json"
>>    http://localhost:8010/login
>>    -d'{"username": "sysadmin", "password": "sysadmin-passwd"}' -X POST
>>
>> {"username": "sysadmin", "roles": ["admin"], "groups": []}
>>
>> Signed-off-by: Aline Manera<alinefm at linux.vnet.ibm.com>
>> ---
>>   src/kimchi/auth.py | 12 ++++++++----
>>   tests/test_rest.py |  6 ++++++
>>   tests/utils.py     |  6 +++---
>>   3 files changed, 17 insertions(+), 7 deletions(-)
>>
>> diff --git a/src/kimchi/auth.py b/src/kimchi/auth.py
>> index 6a4a610..b1febf0 100644
>> --- a/src/kimchi/auth.py
>> +++ b/src/kimchi/auth.py
>> @@ -38,6 +38,7 @@
>>   USER_NAME = 'username'
>>   USER_GROUPS = 'groups'
>>   USER_SUDO = 'sudo'
>> +USER_ROLES = 'roles'
>>   REFRESH = 'robot-refresh'
>>
>>
>> @@ -62,7 +63,7 @@ def __init__(self, username):
>>           self.user = {}
>>           self.user[USER_NAME] = username
>>           self.user[USER_GROUPS] = None
>> -        self.user[USER_SUDO] = False
>> +        self.user[USER_ROLES] = ['user']
>>
>>       def get_groups(self):
>>           self.user[USER_GROUPS] = [g.gr_name for g in grp.getgrall()
>> @@ -74,10 +75,13 @@ def has_sudo(self):
>>           p = multiprocessing.Process(target=self._has_sudo, args=(result,))
>>           p.start()
>>           p.join()
>> -        self.user[USER_SUDO] = bool(result.value)
>> -        return self.user[USER_SUDO]
>> +        if result.value:
>> +            self.user[USER_ROLES] = ['admin']
>> +        return result.value
>>
>>       def _has_sudo(self, result):
>> +        result.value = False
>> +
>>           _master, slave = pty.openpty()
>>           os.setsid()
>>           fcntl.ioctl(slave, termios.TIOCSCTTY, 0)
>> @@ -94,7 +98,7 @@ def _has_sudo(self, result):
>>                                             self.user[USER_NAME]])
>>               for line in out.split('\n'):
>>                   if line and re.search("(ALL)", line):
>> -                    result.value = 1
>> +                    result.value = True
>>                       debug("User %s can run any command with sudo" %
>>                             result.value)
>>                       return
>> diff --git a/tests/test_rest.py b/tests/test_rest.py
>> index ad8fc72..ba9431d 100644
>> --- a/tests/test_rest.py
>> +++ b/tests/test_rest.py
>> @@ -1552,6 +1552,12 @@ def test_auth_session(self):
>>           req = json.dumps({'username': user, 'password': pw})
>>           resp = self.request('/login', req, 'POST', hdrs)
>>           self.assertEquals(200, resp.status)
>> +
>> +        user_info = json.loads(resp.read())
>> +        self.assertEquals(sorted(user_info.keys()),
>> +                          ['groups', 'roles', 'username'])
>> +        self.assertEquals(user_info['roles'], [u'admin'])
>> +
>>           cookie = resp.getheader('set-cookie')
>>           hdrs['Cookie'] = cookie
>>
>> diff --git a/tests/utils.py b/tests/utils.py
>> index fd9b23c..4853b7a 100644
>> --- a/tests/utils.py
>> +++ b/tests/utils.py
>> @@ -157,8 +157,8 @@ def patch_auth(sudo=True):
>>       def _get_groups(self):
>>           return None
>>
>> -    def _has_sudo(self):
>> -        return sudo
>> +    def _has_sudo(self, result):
>> +        result.value = sudo
>>
>>       def _authenticate(username, password, service="passwd"):
>>           try:
>> @@ -170,7 +170,7 @@ def _authenticate(username, password, service="passwd"):
>>       import kimchi.auth
>>       kimchi.auth.authenticate = _authenticate
>>       kimchi.auth.User.get_groups = _get_groups
>> -    kimchi.auth.User.has_sudo = _has_sudo
>> +    kimchi.auth.User._has_sudo = _has_sudo
>>
>>
>>   def normalize_xml(xml_str):
>
>
>
> _______________________________________________
> Kimchi-devel mailing list
> Kimchi-devel at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/kimchi-devel
>

More information about the Kimchi-devel mailing list