On 03/04/2014 06:45 AM, shaohef(a)linux.vnet.ibm.com wrote:
From: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com>
Now the UI accesses the vms and host periodically.
That means the session never expires.
This patch fixes this problem.
Now the UI can set the "Kimchi-Robot" header when it wants to access the vms
and host periodically.
If all requests carry the "Kimchi-Robot" header for a long time, kimchi
will expire the session.
Signed-off-by: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com>
---
src/kimchi/auth.py | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/src/kimchi/auth.py b/src/kimchi/auth.py
index f8ccea1..8a07e05 100644
--- a/src/kimchi/auth.py
+++ b/src/kimchi/auth.py
@@ -22,6 +22,7 @@ import cherrypy
import grp
import PAM
import re
+import time
from kimchi import template
@@ -32,6 +33,7 @@ from kimchi.utils import run_command
USER_ID = 'userid'
USER_GROUPS = 'groups'
USER_SUDO = 'sudo'
+REFRESH = 'robot-refresh'
def debug(msg):
@@ -131,6 +133,15 @@ def check_auth_session():
cherrypy.session.release_lock()
if session is not None:
debug("Session authenticated for user %s" % session)
+ kimchiRobot = cherrypy.request.headers.get('Kimchi-Robot')
+ if kimchiRobot and kimchiRobot.startswith("kimchi-robot"):
+ if (time.time() - cherrypy.session[REFRESH] >
+ cherrypy.session.timeout * 60):
+ cherrypy.session[USER_ID] = None
+ cherrypy.lib.sessions.expire()
+ raise cherrypy.HTTPError(403)
You should use 401 to ask the user to log in again. 403 is used when the user
is logged in but does not have enough permissions to perform an operation.
401 Unauthorized
The request requires user authentication.
403 Forbidden
The server understood the request, but is refusing to fulfill it.
+ else:
+ cherrypy.session[REFRESH] = time.time()
return True
debug("Session not found")
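Review bot: `cherrypy.session[REFRESH]` in the added timeout check raises KeyError for an authenticated session that carries no 'robot-refresh' entry, and in this patch only login() stores that key, so a session created before the upgrade (or authenticated by any path other than login()) would answer with a 500 instead of a clean expiry; `cherrypy.session.get(REFRESH, 0)` treats a missing stamp as already expired, which is the safer default. The new session writes (`cherrypy.session[REFRESH] = time.time()` in the else branch and `cherrypy.session[USER_ID] = None`) run after `cherrypy.session.release_lock()` on the context line just above, whereas login() and logout() bracket their writes with acquire_lock()/release_lock(), so a concurrent request on the same session can lose the update; moving the block ahead of the release, or re-acquiring the lock around the writes, keeps the three functions consistent. The header test is a cooperative signal from the client, not an enforcement: a client that simply omits Kimchi-Robot keeps its session alive, so it deserves a comment such as `# Requests tagged Kimchi-Robot do not refresh the session; the tag is client-supplied, so this is a keep-alive policy for the UI poller, not a hard idle timeout`. The mail lost the indentation, so I read the `else` as pairing with `if kimchiRobot ...`; if it actually pairs with the time comparison, ordinary user requests would never refresh the stamp and every session would expire after one timeout interval. check_auth_session begins outside the hunk.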
@@ -172,6 +183,7 @@ def login(userid, password):
cherrypy.session[USER_ID] = userid
cherrypy.session[USER_GROUPS] = user.get_groups()
cherrypy.session[USER_SUDO] = user.has_sudo()
+ cherrypy.session[REFRESH] = time.time()
cherrypy.session.release_lock()
return user.get_user()
@@ -179,6 +191,7 @@ def login(userid, password):
def logout():
cherrypy.session.acquire_lock()
cherrypy.session[USER_ID] = None
+ cherrypy.session[REFRESH] = 0
cherrypy.session.release_lock()
cherrypy.lib.sessions.expire()