<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">The login pattern has been changed to
the traditional login page which the "username" and the "password"
will be submitted using form. However the "/login" api is used in
the login_window pattern that we no longer use. When using the
"/login", browser get a "303" and redirect the page to <code
role="listitem" class="focusRow subFocusRow "><a class="moz-txt-link-freetext" href="https://9.123.141.135:8001/#tabs/guests">https://9.123.141.135:8001/#tabs/guests</a>.<br>
<br>
from my point of view, I suppose we build another API that
supplies the "GET" method for the browser to get the username
and role. Or else pass the "username" and "role" through xml to
have it stored into sessionstorage or cookie.<br>
<br>
For the roles, I recommend we have at least four for this
release: <b>admin</b>, <b>by-instance</b>, <b>read-only</b>,
<b>none</b>. It's the by-instance mode I have to explain. <br>
<img alt="" src="cid:part1.05040100.01000007@linux.vnet.ibm.com"
height="277" width="498"><br>
from the diagram, tab mode is used for xml transfering which tab
is going to be displayed by user role. Take "Guest" tab for
example, not only do we need to show the tab, but also we need
to know the user's role so that we can display the proper vms.
Different users need different privilege for action. admin has
full access, guest might be divided into two roles: one is
common users we give the user the ability to start/stop/delete
the vms that belongs to him, the other one might be admin-user
who is able to have the whole access to the action tab. To
clarify that, we need the by-instance tab. and the sub-tab.<br>
<br>
Waiting for your comments<br>
<br>
Best Regards<br>
<br>
Wang Wen<br>
<br>
</code>On 7/11/2014 10:16 AM, <a class="moz-txt-link-abbreviated" href="mailto:alinefm@linux.vnet.ibm.com">alinefm@linux.vnet.ibm.com</a> wrote:<br>
</div>
<blockquote
cite="mid:1405045017-13536-2-git-send-email-alinefm@linux.vnet.ibm.com"
type="cite">
<pre wrap="">From: Aline Manera <a class="moz-txt-link-rfc2396E" href="mailto:alinefm@linux.vnet.ibm.com"><alinefm@linux.vnet.ibm.com></a>
For now, Kimchi just supports 2 types of user roles: 'admin' - user has
full control of Kimchi features and 'user' with limited access. But in
future the idea is to have more and more roles so it is good to
already provide the authorization support with that in mind.
That way, instead of only returning if user has or not sudo permissions, the
/login API will return the user roles.
If the user has sudo permissions he/she will have 'admin' role,
otherwise, 'user' role.
curl -H "Content-Type: application/json" -H "Accept: application/json<a class="moz-txt-link-rfc2396E" href="http://localhost:8010/login-d'{">"
http://localhost:8010/login
-d'{"</a>username": "guest", "password": "guest-passwd"}' -X POST
{"username": "guest", "roles": ["user"], "groups": []}
curl -H "Content-Type: application/json" -H "Accept: application/json<a class="moz-txt-link-rfc2396E" href="http://localhost:8010/login-d'{">"
http://localhost:8010/login
-d'{"</a>username": "sysadmin", "password": "sysadmin-passwd"}' -X POST
{"username": "sysadmin", "roles": ["admin"], "groups": []}
Signed-off-by: Aline Manera <a class="moz-txt-link-rfc2396E" href="mailto:alinefm@linux.vnet.ibm.com"><alinefm@linux.vnet.ibm.com></a>
---
src/kimchi/auth.py | 12 ++++++++----
tests/test_rest.py | 6 ++++++
tests/utils.py | 6 +++---
3 files changed, 17 insertions(+), 7 deletions(-)
diff --git a/src/kimchi/auth.py b/src/kimchi/auth.py
index 6a4a610..b1febf0 100644
--- a/src/kimchi/auth.py
+++ b/src/kimchi/auth.py
@@ -38,6 +38,7 @@
USER_NAME = 'username'
USER_GROUPS = 'groups'
USER_SUDO = 'sudo'
+USER_ROLES = 'roles'
REFRESH = 'robot-refresh'
@@ -62,7 +63,7 @@ def __init__(self, username):
self.user = {}
self.user[USER_NAME] = username
self.user[USER_GROUPS] = None
- self.user[USER_SUDO] = False
+ self.user[USER_ROLES] = ['user']
def get_groups(self):
self.user[USER_GROUPS] = [g.gr_name for g in grp.getgrall()
@@ -74,10 +75,13 @@ def has_sudo(self):
p = multiprocessing.Process(target=self._has_sudo, args=(result,))
p.start()
p.join()
- self.user[USER_SUDO] = bool(result.value)
- return self.user[USER_SUDO]
+ if result.value:
+ self.user[USER_ROLES] = ['admin']
+ return result.value
def _has_sudo(self, result):
+ result.value = False
+
_master, slave = pty.openpty()
os.setsid()
fcntl.ioctl(slave, termios.TIOCSCTTY, 0)
@@ -94,7 +98,7 @@ def _has_sudo(self, result):
self.user[USER_NAME]])
for line in out.split('\n'):
if line and re.search("(ALL)", line):
- result.value = 1
+ result.value = True
debug("User %s can run any command with sudo" %
result.value)
return
diff --git a/tests/test_rest.py b/tests/test_rest.py
index ad8fc72..ba9431d 100644
--- a/tests/test_rest.py
+++ b/tests/test_rest.py
@@ -1552,6 +1552,12 @@ def test_auth_session(self):
req = json.dumps({'username': user, 'password': pw})
resp = self.request('/login', req, 'POST', hdrs)
self.assertEquals(200, resp.status)
+
+ user_info = json.loads(resp.read())
+ self.assertEquals(sorted(user_info.keys()),
+ ['groups', 'roles', 'username'])
+ self.assertEquals(user_info['roles'], [u'admin'])
+
cookie = resp.getheader('set-cookie')
hdrs['Cookie'] = cookie
diff --git a/tests/utils.py b/tests/utils.py
index fd9b23c..4853b7a 100644
--- a/tests/utils.py
+++ b/tests/utils.py
@@ -157,8 +157,8 @@ def patch_auth(sudo=True):
def _get_groups(self):
return None
- def _has_sudo(self):
- return sudo
+ def _has_sudo(self, result):
+ result.value = sudo
def _authenticate(username, password, service="passwd"):
try:
@@ -170,7 +170,7 @@ def _authenticate(username, password, service="passwd"):
import kimchi.auth
kimchi.auth.authenticate = _authenticate
kimchi.auth.User.get_groups = _get_groups
- kimchi.auth.User.has_sudo = _has_sudo
+ kimchi.auth.User._has_sudo = _has_sudo
def normalize_xml(xml_str):
</pre>
</blockquote>
<br>
</body>
</html>