On 2014年10月22日 02:43, Aline Manera wrote:
On 10/20/2014 11:52 AM, lvroyce0210(a)gmail.com wrote:
> From: Royce Lv <lvroyce(a)linux.vnet.ibm.com>
>
> Add LDAP authentication; also handles invalid users,
> LDAP search base configuration errors and other LDAP errors.
>
> Signed-off-by: Royce Lv <lvroyce(a)linux.vnet.ibm.com>
> ---
> contrib/DEBIAN/control.in | 1 +
> contrib/kimchi.spec.fedora.in | 1 +
> contrib/kimchi.spec.suse.in | 1 +
> src/kimchi/auth.py | 44 ++++++++++++++++++++++++++++++++++++++++++-
> 4 files changed, 46 insertions(+), 1 deletion(-)
>
> diff --git a/contrib/DEBIAN/control.in b/contrib/DEBIAN/control.in
> index 7372a58..0721960 100644
> --- a/contrib/DEBIAN/control.in
> +++ b/contrib/DEBIAN/control.in
> @@ -27,6 +27,7 @@ Depends: python-cherrypy3 (>= 3.2.0),
> firewalld,
> nginx,
> python-guestfs,
> + python-ldap,
> libguestfs-tools
> Build-Depends: libxslt,
> python-libxml2,
> diff --git a/contrib/kimchi.spec.fedora.in
> b/contrib/kimchi.spec.fedora.in
> index 2ca3076..fcb8c11 100644
> --- a/contrib/kimchi.spec.fedora.in
> +++ b/contrib/kimchi.spec.fedora.in
> @@ -29,6 +29,7 @@ Requires: nfs-utils
> Requires: nginx
> Requires: iscsi-initiator-utils
> Requires: policycoreutils-python
> +Requires: python-ldap
> Requires: python-libguestfs
> Requires: libguestfs-tools
> BuildRequires: libxslt
> diff --git a/contrib/kimchi.spec.suse.in b/contrib/kimchi.spec.suse.in
> index 9ea240c..b8f0531 100644
> --- a/contrib/kimchi.spec.suse.in
> +++ b/contrib/kimchi.spec.suse.in
> @@ -23,6 +23,7 @@ Requires: python-psutil >= 0.6.0
> Requires: python-jsonschema >= 1.3.0
> Requires: python-ethtool
> Requires: python-ipaddr
> +Requires: python-ldap
> Requires: python-lxml
> Requires: python-xml
> Requires: nfs-client
> diff --git a/src/kimchi/auth.py b/src/kimchi/auth.py
> index 10c7c1f..162bbfd 100644
> --- a/src/kimchi/auth.py
> +++ b/src/kimchi/auth.py
> @@ -20,6 +20,7 @@
> import base64
> import cherrypy
> import fcntl
> +import ldap
> import multiprocessing
> import os
> import PAM
> @@ -177,6 +178,7 @@ class PAMUser(User):
>
> class LDAPUser(User):
> auth_type = "ldap"
> +
> def __init__(self, username):
> self.user = {}
> self.user[USER_NAME] = username
> @@ -187,7 +189,47 @@ class LDAPUser(User):
>
> @staticmethod
> def authenticate(username, password):
> - return False
> + ldap_server = config.get("authentication",
"ldap_server").strip('"')
> + ldap_search_base = config.get(
> + "authentication", "ldap_search_base").strip('"')
> + ldap_search_filter = config.get(
> + "authentication", "ldap_search_filter",
> + vars={"username":
username.encode("utf-8")}).strip('"')
> +
> + connect = ldap.open(ldap_server)
> + try:
> + try:
> + result = connect.search_s(
> + ldap_search_base, ldap.SCOPE_SUBTREE, ldap_search_filter)
> + if len(result) == 0:
> + entity = ldap_search_filter % {'username': username}
> + raise ldap.LDAPError("Invalid ldap entity:%s" % entity)
> + except ldap.NO_SUCH_OBJECT:
> + # ldap search base specified wrongly.
> + raise ldap.LDAPError(
> + "invalid ldap search base %s" % ldap_search_base)
> +
> + try:
> + connect.bind_s(result[0][0], password)
> + except ldap.INVALID_CREDENTIALS:
> + # invalid user password
> + raise ldap.LDAPError("invalid user/passwd")
> + connect.unbind_s()
> + return True
> + except ldap.LDAPError, e:
> + arg = {"username": username, "code": e.message}
> + raise OperationFailed("KCHAUTH0001E", arg)
> +
> + def get_groups(self):
> + return self.user[USER_GROUPS]
> +
> + def get_roles(self):
> + self.user[USER_ROLES] = dict.fromkeys(tabs, 'admin')
> + return self.user[USER_ROLES]
The admin IDs should be listed in the Kimchi config file, instead of
giving admin permissions to all users.
So on __init__():
self.admin_users = config.get("authentication", "ldap_admin_users")
self.user[USER_ROLES] = dict.fromkeys(tabs, 'admin') if
self.user[USERNAME] in self.admin_users else dict.fromkeys(tabs, 'user')
And on get_roles():
def get_roles(self):
return self.user[USER_ROLES]
Aline, this patch only wants to cover authentication -- whether we let a
person in.
I will add authorization (what this person is allowed to manipulate) after
we have settled our opinion on how to implement it.
> +
> + def get_user(self):
> + return self.user
> +
>
> def from_browser():
> # Enable Basic Authentication for REST tools.
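Review bot: In `authenticate`, `username` is substituted into `ldap_search_filter` unescaped (`vars={"username": username.encode("utf-8")}`), so a username containing LDAP filter metacharacters alters the search expression instead of being matched as a literal value; substitute `ldap.filter.escape_filter_chars(username)` there instead (it needs `import ldap.filter`). The `connect.bind_s(result[0][0], password)` call should also refuse an empty password before binding, `if not password: raise ldap.LDAPError("invalid user/passwd")`, because a bind with a DN and an empty password is an unauthenticated bind that many directory servers accept, which would make this return True. The distinct messages "Invalid ldap entity" and "invalid user/passwd" are forwarded as `code` in the KCHAUTH0001E args; if that text reaches the client it lets a caller tell unknown users from wrong passwords, so a single generic message for both cases is preferable. `unbind_s()` runs only on the success path, so every error path leaves the connection open; moving it into a `finally` covers both. The `from_browser` body continues outside the hunk.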