<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<br>
<div class="moz-cite-prefix">On 06/08/2015 14:27, Harshal Patil
wrote:<br>
</div>
<blockquote
cite="mid:201508061728.t76HSJFB015091@d28av06.in.ibm.com"
type="cite">
<div class="socmaildefaultfont" dir="ltr"
style="font-family:Arial;font-size:10.5pt">
<div dir="ltr" style="font-family:Arial;font-size:10.5pt">
<div dir="ltr">This is all cool. So when you talk about wok
being the base web framework where it provides basic
services <span style="font-family: Arial;">like login,
logout, plugin support, i18n etc.</span> to plugin
developers do you think adding 'auth' as another service
provided by wok to plugin developers makes any sense?</div>
<div dir="ltr"> </div>
<div dir="ltr">Like you mentioned on IRC during scrum meeting,
someone might even write a wok plugin for makeup tips and
you are totally fine with it. Do you think if we provide an
easy way for that developer to authenticate his/her plugin's
users quickly and easily? Something other python web
frameworks like flask already provide (<a
moz-do-not-send="true"
href="http://flask.pocoo.org/snippets/category/authentication/">http://flask.pocoo.org/snippets/category/authentication/</a>),
or even cherrypy for that matter (<a moz-do-not-send="true"
href="http://tools.cherrypy.org/wiki/AuthenticationAndAccessRestrictions">http://tools.cherrypy.org/wiki/AuthenticationAndAccessRestrictions</a>).
They provide nice decorators which plugin developers can use
in their handlers (exposed in the language of cherrypy)
methods. </div>
<div dir="ltr"> </div>
<div dir="ltr">We could provide a nice wrapper around those
ideas for authentication using say, PAM, NIS+, LDAP etc. </div>
<div dir="ltr"> </div>
<div dir="ltr"> </div>
<div dir="ltr">What do you say? <br>
</div>
</div>
</div>
</blockquote>
<br>
Wait! Wait! We are talking on different topics.<br>
<br>
Wok already supports PAM and LDAP authentication. You can properly
configure which method to use in your wok.conf file.<br>
    To do the authentication on the server side we have the APIs /login and
    /logout - to initialize and finalize a web server session for a
    user.<br>
<br>
If we are talking about authentication methods, the API already
exists.<br>
<br>
    What Lucio and I were talking about is how to check that the user has a valid
    session for each AJAX request - for that you should add the
    'wok-robot' header to your AJAX calls.<br>
<br>
<blockquote
cite="mid:201508061728.t76HSJFB015091@d28av06.in.ibm.com"
type="cite">
<div class="socmaildefaultfont" dir="ltr"
style="font-family:Arial;font-size:10.5pt">
<div dir="ltr" style="font-family:Arial;font-size:10.5pt">
<div dir="ltr"> </div>
<blockquote data-history-content-modified="1" dir="ltr"
style="border-left:solid #aaaaaa 2px; margin-left:5px;
padding-left:5px; direction:ltr">----- Original message
-----<br>
            From: Aline Manera <a class="moz-txt-link-rfc2396E" href="mailto:alinefm@linux.vnet.ibm.com">&lt;alinefm@linux.vnet.ibm.com&gt;</a><br>
To: <a class="moz-txt-link-abbreviated" href="mailto:luciojhc@linux.vnet.ibm.com">luciojhc@linux.vnet.ibm.com</a>, Harshal
Patil/India/IBM@IBMIN, <a class="moz-txt-link-abbreviated" href="mailto:kimchi-devel@ovirt.org">kimchi-devel@ovirt.org</a><br>
Cc:<br>
Subject: Re: [Kimchi-devel] adding '/auth' for
authentication<br>
Date: Thu, Aug 6, 2015 6:27 PM<br>
<div><br>
<font size="2" face="Default Monospace,Courier
New,Courier,monospace">On 05/08/2015 18:02, Lucio
Correia wrote:<br>
> On 08/05/2015 04:27 PM, Aline Manera wrote:<br>
>><br>
>><br>
>> On 05/08/2015 14:56, Lucio Correia wrote:<br>
>>> Hi Harshal,<br>
>>><br>
>>> On 08/02/2015 01:45 PM, Harshal Patil
wrote:<br>
>>>> Hi,<br>
>>>> In the 'wok' branch there isn't
anything to detect if the session has<br>
>>>> timed out on the browser side. On the
other hand, on master (kimchi)<br>
>>>> there is '/vms' endpoint called every 5
seconds which kinda takes care<br>
>>>> of making sure the user is indeed
logged in.<br>
>>>> So I was wondering, if no one is
already working on it, to introduce a<br>
>>>> '/auth' endpoint which we can poll
every 5 seconds using ajax and<br>
>>>> based<br>
>>>> on the response status code we can
either redirect to login page or<br>
>>>> just<br>
>>>> stay on the same page. This is useful
in 'wok' because there isn't any<br>
>>>> '/vms' endpoint which existed in master
(kimchi) by default.<br>
>>>> I can submit a patch for review if this
sounds good so far. Also, if<br>
>>>> there is a better way of doing it, I
would love to hear about it.<br>
>>>> Harshal<br>
>>>><br>
>>>><br>
>>><br>
                >>> The 10-minute timeout is still working
                with wok branch. But it is<br>
>>> only verified if you leave it in "Host" or
"Guests" tab. Other tabs'<br>
>>> APIs don't send "wok-robot" in headers.<br>
>>><br>
>>> Your proposal is good, you will need to
send "wok-robot" in '/auth'<br>
>>> headers, and remove the "wok-robot" from
kimchi plugin's Host and<br>
>>> Guests API headers.<br>
>><br>
                >> Why do you need an API /auth to check the user
                is logged in? Shouldn't the<br>
                >> "wok-robot" header be enough to do that?<br>
                >> Otherwise, we will significantly increase the
                number of requests, as<br>
                >> the real request would be sent after a /auth
                request.<br>
>><br>
><br>
> Good point Aline, we really don't need /auth. If we
want timeout<br>
> checked for every request, I see two alternatives:<br>
> * drop wok-robot verification from
check_auth_session() in<br>
> src/wok/auth.py.<br>
> * add wok-robot headers to requestJSON() in
wok.api.js.<br>
<br>
I prefer the second alternative. The 'wok-robot' header
was created to<br>
distinguish AJAX requests from user requests.<br>
<br>
><br>
> But I don't know why currently only hosts and
guests tab use wok-robot.<br>
><br>
<br>
                Because only those tabs have logic to poll the request
                every X seconds.<br>
                In fact, we need to add this to every tab to keep
                consistency and<br>
                automatically log out the user when the session expires.</font></div>
</blockquote>
<div dir="ltr"> </div>
</div>
</div>
<br>
</blockquote>
<br>
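    Added example, not part of the original message and not wok's own code: a simplified Python model of a session idle-timeout check that uses the 'wok-robot' header to tell background AJAX polls apart from user requests, as the thread describes. The header value, the <code>Session</code> class, the <code>simulate_polling</code> helper and the rule that requests without the header count as user activity are assumptions made for illustration.<br>
    <br>

```python
# Simplified model of an idle-timeout check keyed on a "robot" header.
# Not wok's src/wok/auth.py: names, header value and refresh rule are assumptions.

ROBOT_HEADER = "wok-robot"   # header named in the thread
ROBOT_VALUE = "wok-robot"    # assumed value
IDLE_TIMEOUT = 10 * 60       # the 10-minute timeout from the thread, in seconds


class SessionExpired(Exception):
    """Stands in for an HTTP 401 that sends the browser to the login page."""


class Session:
    def __init__(self, user, now):
        self.user = user
        self.last_activity = now  # time of the last user-driven request


def check_auth_session(session, headers, now):
    """Allow the request, or raise SessionExpired if the user has been idle."""
    if session.user is None:
        raise SessionExpired("not logged in")
    if headers.get(ROBOT_HEADER) == ROBOT_VALUE:
        # Background AJAX poll: enforce the timeout, never extend the session.
        if now - session.last_activity > IDLE_TIMEOUT:
            session.user = None
            raise SessionExpired("sessionTimeout")
    else:
        # Assumed rule: an unmarked request is user activity and resets the clock.
        session.last_activity = now
    return True


def simulate_polling(send_robot_header, poll_every=5, duration=15 * 60):
    """Poll an otherwise idle session; return the expiry time or None."""
    session = Session("alice", now=0)  # constructed sample user
    headers = {ROBOT_HEADER: ROBOT_VALUE} if send_robot_header else {}
    for now in range(poll_every, duration + 1, poll_every):
        try:
            check_auth_session(session, headers, now)
        except SessionExpired:
            return now
    return None


if __name__ == "__main__":
    print("marked polls, session expires at:", simulate_polling(True))
    print("unmarked polls, session expires at:", simulate_polling(False))
```

    Under these assumptions, polls that carry the header let an idle session end at the first poll past ten minutes, while polls that omit it keep the session alive for as long as the tab stays open.<br>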
</body>
</html>