[Kimchi-devel] adding '/auth' for authentication

Aline Manera alinefm at linux.vnet.ibm.com
Thu Aug 6 18:40:56 UTC 2015



On 06/08/2015 14:27, Harshal Patil wrote:
> This is all cool. So when you talk about wok being the base web 
> framework where it provides basic services like login, logout, plugin 
> support, i18n etc. to plugin developers do you think adding 'auth' as 
> another service provided by wok to plugin developers makes any sense?
> Like you mentioned on IRC during scrum meeting, someone might even 
> write a wok plugin for makeup tips and you are totally fine with it. 
> Do you think if we provide an easy way for that developer to 
> authenticate his/her plugin's users quickly and easily? Something 
> other python web frameworks like flask already provide 
> (http://flask.pocoo.org/snippets/category/authentication/), or even 
> cherrypy for that matter 
> (http://tools.cherrypy.org/wiki/AuthenticationAndAccessRestrictions). 
> They provide nice decorators which plugin developers can use in their 
> handlers (exposed in the language of cherrypy) methods.
> We could provide a nice wrapper around those ideas for authentication 
> using say, PAM, NIS+, LDAP etc.
> What do you say?

Wait! Wait! We are talking about different topics.

Wok already supports PAM and LDAP authentication. You can properly 
configure which method to use in your wok.conf file.
To do the authentication on the server side we have the APIs /login and 
/logout - to initialize and finalize a web server session for a user.

If we are talking about authentication methods, the API already exists.

What Lucio and I were talking about is how to check that the user has a 
valid session for each AJAX request - for that you should add the 
'wok-robot' header to your AJAX calls.

>     ----- Original message -----
>     From: Aline Manera <alinefm at linux.vnet.ibm.com>
>     To: luciojhc at linux.vnet.ibm.com, Harshal Patil/India/IBM at IBMIN,
>     kimchi-devel at ovirt.org
>     Cc:
>     Subject: Re: [Kimchi-devel] adding '/auth' for authentication
>     Date: Thu, Aug 6, 2015 6:27 PM
>
>     On 05/08/2015 18:02, Lucio Correia wrote:
>     > On 08/05/2015 04:27 PM, Aline Manera wrote:
>     >>
>     >>
>     >> On 05/08/2015 14:56, Lucio Correia wrote:
>     >>> Hi Harshal,
>     >>>
>     >>> On 08/02/2015 01:45 PM, Harshal Patil wrote:
>     >>>> Hi,
>     >>>> In the 'wok' branch there isn't anything to detect if the session
>     >>>> has timed out on the browser side. On the other hand, on master
>     >>>> (kimchi) there is a '/vms' endpoint called every 5 seconds which
>     >>>> kinda takes care of making sure the user is indeed logged in.
>     >>>> So I was wondering, if no one is already working on it, to
>     >>>> introduce a '/auth' endpoint which we can poll every 5 seconds
>     >>>> using ajax and based on the response status code we can either
>     >>>> redirect to login page or just stay on the same page. This is
>     >>>> useful in 'wok' because there isn't any '/vms' endpoint which
>     >>>> existed in master (kimchi) by default.
>     >>>> I can submit a patch for review if this sounds good so far. Also,
>     >>>> if there is a better way of doing it, I would love to hear about
>     >>>> it.
>     >>>> Harshal
>     >>>>
>     >>>>
>     >>>
>     >>> The 10-minute timeout is still working with the wok branch. But it
>     >>> is only verified if you leave it in the "Host" or "Guests" tab.
>     >>> Other tabs' APIs don't send "wok-robot" in headers.
>     >>>
>     >>> Your proposal is good, you will need to send "wok-robot" in '/auth'
>     >>> headers, and remove the "wok-robot" from kimchi plugin's Host and
>     >>> Guests API headers.
>     >>
>     >> Why do you need an API /auth to check the user is logged? Shouldn't
>     >> the "wok-robot" header be enough to do that?
>     >> Otherwise, we will increase significantly the number of the
>     >> requests, as the real request would be sent after a /auth request.
>     >>
>     >
>     > Good point Aline, we really don't need /auth. If we want timeout
>     > checked for every request, I see two alternatives:
>     > * drop wok-robot verification from check_auth_session() in
>     > src/wok/auth.py.
>     > * add wok-robot headers to requestJSON() in wok.api.js.
>
>     I prefer the second alternative. The 'wok-robot' header was created to
>     distinguish AJAX requests from user requests.
>
>     >
>     > But I don't know why currently only hosts and guests tab use
>     > wok-robot.
>     >
>
>     Because only those tabs have logic to poll the request every X
>     seconds.
>     In fact, we need to add this to every tab to keep consistency and
>     automatically log out the user when the session expires.
>
>
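
An added illustration, not part of the thread and not wok's code: a simplified Python model of the session check under discussion. It assumes that requests carrying the 'wok-robot' header are checked against the idle timeout without extending it, while all other requests count as user activity; `Session`, `SessionExpired` and `simulate_polling` are hypothetical names, and `check_auth_session` borrows only its name from the thread.

```python
import time

SESSION_TIMEOUT = 10 * 60   # seconds; the thread mentions a 10-minute timeout
ROBOT_HEADER = "wok-robot"  # header name as written in the thread


class SessionExpired(Exception):
    """Stands in for the HTTP 401 that sends the browser to the login page."""


class Session:
    def __init__(self, user, now):
        self.user = user
        self.last_user_activity = now


def check_auth_session(session, headers, now=None):
    """Return True if the request may proceed, else raise SessionExpired.

    Assumed logic: a request tagged as background AJAX is checked against
    the idle timeout but never extends it; an untagged request is treated
    as user activity and resets the idle clock.
    """
    now = time.time() if now is None else now
    if session is None or session.user is None:
        raise SessionExpired("not logged in")
    if ROBOT_HEADER in headers:
        if now - session.last_user_activity > SESSION_TIMEOUT:
            session.user = None  # invalidate server-side state
            raise SessionExpired("session timeout")
    else:
        session.last_user_activity = now
    return True


def simulate_polling(tagged, interval=5, duration=15 * 60):
    """Poll every `interval` seconds with no user input.

    Returns the second at which the session expired, or None if the
    polling itself kept the session alive for the whole duration.
    """
    session = Session("alice", now=0)  # constructed sample user
    headers = {ROBOT_HEADER: "1"} if tagged else {}  # value is constructed
    for t in range(interval, duration + 1, interval):
        try:
            check_auth_session(session, headers, now=t)
        except SessionExpired:
            return t
    return None
```

In this model, untagged polling resets the idle clock on every request, so an unattended browser tab never logs out; tagging the poll lets the server enforce the idle timeout.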
