[Kimchi-devel] [PATCHv1 3/4] Add LDAP authentication

Royce Lv lvroyce at linux.vnet.ibm.com
Wed Oct 22 06:04:44 UTC 2014


On 2014年10月22日 02:43, Aline Manera wrote:
>
> On 10/20/2014 11:52 AM, lvroyce0210 at gmail.com wrote:
>> From: Royce Lv <lvroyce at linux.vnet.ibm.com>
>>
>> Add LDAP authentication; also handle invalid users, LDAP search base
>> configuration errors and other LDAP errors.
>>
>> Signed-off-by: Royce Lv <lvroyce at linux.vnet.ibm.com>
>> ---
>> contrib/DEBIAN/control.in | 1 +
>> contrib/kimchi.spec.fedora.in | 1 +
>> contrib/kimchi.spec.suse.in | 1 +
>> src/kimchi/auth.py | 44 ++++++++++++++++++++++++++++++++++++++++++-
>> 4 files changed, 46 insertions(+), 1 deletion(-)
>>
>> diff --git a/contrib/DEBIAN/control.in b/contrib/DEBIAN/control.in
>> index 7372a58..0721960 100644
>> --- a/contrib/DEBIAN/control.in
>> +++ b/contrib/DEBIAN/control.in
>> @@ -27,6 +27,7 @@ Depends: python-cherrypy3 (>= 3.2.0),
>> firewalld,
>> nginx,
>> python-guestfs,
>> + python-ldap,
>> libguestfs-tools
>> Build-Depends: libxslt,
>> python-libxml2,
>> diff --git a/contrib/kimchi.spec.fedora.in 
>> b/contrib/kimchi.spec.fedora.in
>> index 2ca3076..fcb8c11 100644
>> --- a/contrib/kimchi.spec.fedora.in
>> +++ b/contrib/kimchi.spec.fedora.in
>> @@ -29,6 +29,7 @@ Requires: nfs-utils
>> Requires: nginx
>> Requires: iscsi-initiator-utils
>> Requires: policycoreutils-python
>> +Requires: python-ldap
>> Requires: python-libguestfs
>> Requires: libguestfs-tools
>> BuildRequires: libxslt
>> diff --git a/contrib/kimchi.spec.suse.in b/contrib/kimchi.spec.suse.in
>> index 9ea240c..b8f0531 100644
>> --- a/contrib/kimchi.spec.suse.in
>> +++ b/contrib/kimchi.spec.suse.in
>> @@ -23,6 +23,7 @@ Requires: python-psutil >= 0.6.0
>> Requires: python-jsonschema >= 1.3.0
>> Requires: python-ethtool
>> Requires: python-ipaddr
>> +Requires: python-ldap
>> Requires: python-lxml
>> Requires: python-xml
>> Requires: nfs-client
>> diff --git a/src/kimchi/auth.py b/src/kimchi/auth.py
>> index 10c7c1f..162bbfd 100644
>> --- a/src/kimchi/auth.py
>> +++ b/src/kimchi/auth.py
>> @@ -20,6 +20,7 @@
>> import base64
>> import cherrypy
>> import fcntl
>> +import ldap
>> import multiprocessing
>> import os
>> import PAM
>> @@ -177,6 +178,7 @@ class PAMUser(User):
>>
>> class LDAPUser(User):
>> auth_type = "ldap"
>> +
>> def __init__(self, username):
>> self.user = {}
>> self.user[USER_NAME] = username
>> @@ -187,7 +189,47 @@ class LDAPUser(User):
>>
>> @staticmethod
>> def authenticate(username, password):
>> - return False
>> + ldap_server = config.get("authentication", "ldap_server").strip('"')
>> + ldap_search_base = config.get(
>> + "authentication", "ldap_search_base").strip('"')
>> + ldap_search_filter = config.get(
>> + "authentication", "ldap_search_filter",
>> + vars={"username": username.encode("utf-8")}).strip('"')
>> +
>> + connect = ldap.open(ldap_server)
>> + try:
>> + try:
>> + result = connect.search_s(
>> + ldap_search_base, ldap.SCOPE_SUBTREE, ldap_search_filter)
>> + if len(result) == 0:
>> + entity = ldap_search_filter % {'username': username}
>> + raise ldap.LDAPError("Invalid ldap entity:%s" % entity)
>> + except ldap.NO_SUCH_OBJECT:
>> + # ldap search base specified wrongly.
>> + raise ldap.LDAPError(
>> + "invalid ldap search base %s" % ldap_search_base)
>> +
>> + try:
>> + connect.bind_s(result[0][0], password)
>> + except ldap.INVALID_CREDENTIALS:
>> + # invalid user password
>> + raise ldap.LDAPError("invalid user/passwd")
>> + connect.unbind_s()
>> + return True
>> + except ldap.LDAPError, e:
>> + arg = {"username": username, "code": e.message}
>> + raise OperationFailed("KCHAUTH0001E", arg)
>> +
>> + def get_groups(self):
>> + return self.user[USER_GROUPS]
>> +
>
>> + def get_roles(self):
>> + self.user[USER_ROLES] = dict.fromkeys(tabs, 'admin')
>> + return self.user[USER_ROLES]
>
> The admin IDs should be listed in the Kimchi config file, instead of 
> granting admin permissions to all users.
>
> So on __init__():
>
> self.admin_users = config.get("authentication", "ldap_admin_users")
> self.user[USER_ROLES] = dict.fromkeys(tabs, 'admin') if 
> self.user[USERNAME] in self.admin_users else dict.fromkeys(tabs, 'user')
>
> And on get_roles():
>
> def get_roles(self):
> return self.user[USER_ROLES]
Aline, this patch only aims to cover authentication -- whether we let a 
person in.
I will add authorization (what this person is allowed to manipulate) after 
we have settled on how to implement it.

>
>
>
>> +
>> + def get_user(self):
>> + return self.user
>> +
>>
>> def from_browser():
>> # Enable Basic Authentication for REST tools.
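Review bot: `connect.bind_s(result[0][0], password)` is reached with whatever password the client sent, and an empty password turns a simple bind into an anonymous bind that most directory servers accept, so a known username plus a blank password would pass authenticate(); reject empty passwords before contacting the server. The username is also interpolated into `ldap_search_filter` unescaped, so filter metacharacters (`*`, `(`, `)`, `\`) in the login name can change which entry is searched and then bound — pass it through `ldap.filter.escape_filter_chars()` first (needs `import ldap.filter`), and note that the second interpolation at `entity = ldap_search_filter % {'username': username}` runs on an already-substituted string and will raise on a name containing `%`. `ldap.open()` is deprecated in python-ldap and opens a plain ldap:// connection, so the bind sends the password in cleartext unless the configured server is otherwise wrapped in TLS; `ldap.initialize()` with an ldaps:// URI or a `start_tls_s()` call is the usual replacement, though that changes what `ldap_server` must contain. Finally the distinct messages ("Invalid ldap entity" vs "invalid user/passwd") are surfaced to the caller through `e.message`, which lets a client tell valid usernames from invalid ones; a single generic failure message is safer.
```python
    @staticmethod
    def authenticate(username, password):
        # An empty password makes bind_s() an anonymous bind, which most
        # servers accept, so refuse it before touching the directory.
        if not password:
            raise OperationFailed("KCHAUTH0001E",
                                  {"username": username,
                                   "code": "invalid user/passwd"})
        ldap_server = config.get("authentication", "ldap_server").strip('"')
        ldap_search_base = config.get(
            "authentication", "ldap_search_base").strip('"')
        # Escape filter metacharacters so the login name cannot rewrite
        # the configured search filter.
        safe_name = ldap.filter.escape_filter_chars(username.encode("utf-8"))
        ldap_search_filter = config.get(
            "authentication", "ldap_search_filter",
            vars={"username": safe_name}).strip('"')
        # ... unchanged: connect, search, bind, unbind, error mapping ...
```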
>



