[Kimchi-devel] [PATCH V2 1/2] auth enhancement: expire the session when the request access periodically

Aline Manera alinefm at linux.vnet.ibm.com
Tue Mar 4 18:39:14 UTC 2014


You could also update the cherrypy.session.timeout to 10 or 15 minutes.

On 03/04/2014 06:45 AM, shaohef at linux.vnet.ibm.com wrote:
> From: ShaoHe Feng <shaohef at linux.vnet.ibm.com>
>
> Now the UI will access the vms and host periodically.
> That will never make the session expire.
> This patch fixes this problem.
> Now the UI can set the "Kimchi-Robot" header when it wants to access the vms
> and host periodically.
> If all the requests carry the "Kimchi-Robot" header for a long time, kimchi
> will expire the session.
>
> Signed-off-by: ShaoHe Feng <shaohef at linux.vnet.ibm.com>
> ---
>   src/kimchi/auth.py | 13 +++++++++++++
>   1 file changed, 13 insertions(+)
>
> diff --git a/src/kimchi/auth.py b/src/kimchi/auth.py
> index f8ccea1..8a07e05 100644
> --- a/src/kimchi/auth.py
> +++ b/src/kimchi/auth.py
> @@ -22,6 +22,7 @@ import cherrypy
>   import grp
>   import PAM
>   import re
> +import time
>
>
>   from kimchi import template
> @@ -32,6 +33,7 @@ from kimchi.utils import run_command
>   USER_ID = 'userid'
>   USER_GROUPS = 'groups'
>   USER_SUDO = 'sudo'
> +REFRESH = 'robot-refresh'
>
>
>   def debug(msg):
> @@ -131,6 +133,15 @@ def check_auth_session():
>       cherrypy.session.release_lock()
>       if session is not None:
>           debug("Session authenticated for user %s" % session)
> +        kimchiRobot = cherrypy.request.headers.get('Kimchi-Robot')
> +        if kimchiRobot and kimchiRobot.startswith("kimchi-robot"):
> +            if (time.time() - cherrypy.session[REFRESH] >
> +               cherrypy.session.timeout * 60):
> +                cherrypy.session[USER_ID] = None
> +                cherrypy.lib.sessions.expire()
> +                raise cherrypy.HTTPError(403)
> +        else:
> +            cherrypy.session[REFRESH] = time.time()
>           return True
>
>       debug("Session not found")
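
Review bot: In check_auth_session(), the robot branch reads `cherrypy.session[REFRESH]` with a plain index, so if a session ever lacks the 'robot-refresh' key (for example one created before this change) the request fails with a KeyError instead of being treated as expired; `cherrypy.session.get(REFRESH, 0)` would fail closed. The writes to cherrypy.session[USER_ID] and cherrypy.session[REFRESH] in this block also happen after the `cherrypy.session.release_lock()` at the top of the hunk, whereas login() and logout() write while holding the lock. Finally, Kimchi-Robot is a client-supplied header and any request without it resets the timer, so this gives idle expiry only for a cooperating UI; a comment saying so would keep it from being read as a server-enforced limit.
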
> @@ -172,6 +183,7 @@ def login(userid, password):
>       cherrypy.session[USER_ID] = userid
>       cherrypy.session[USER_GROUPS] = user.get_groups()
>       cherrypy.session[USER_SUDO] = user.has_sudo()
> +    cherrypy.session[REFRESH] = time.time()
>       cherrypy.session.release_lock()
>       return user.get_user()
>
> @@ -179,6 +191,7 @@ def login(userid, password):
>   def logout():
>       cherrypy.session.acquire_lock()
>       cherrypy.session[USER_ID] = None
> +    cherrypy.session[REFRESH] = 0
>       cherrypy.session.release_lock()
>       cherrypy.lib.sessions.expire()
>
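
Review bot: In logout(), `cherrypy.session[REFRESH] = 0` uses 0 as an "already expired" sentinel without saying so, and the session is expired two lines later by cherrypy.lib.sessions.expire() anyway. Either drop the assignment or add a comment explaining that 0 makes the robot timeout comparison in check_auth_session() trip immediately.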



