On 06/08/2015 14:27, Harshal Patil wrote:
This is all cool. So when you talk about wok being the base web framework that provides basic services like login, logout, plugin support, i18n etc. to plugin developers, do you think adding 'auth' as another service provided by wok to plugin developers makes any sense?
 
Like you mentioned on IRC during the scrum meeting, someone might even write a wok plugin for makeup tips and you are totally fine with it. Do you think we should provide an easy way for that developer to authenticate his/her plugin's users quickly and easily? Something other Python web frameworks like Flask already provide (http://flask.pocoo.org/snippets/category/authentication/), or even CherryPy for that matter (http://tools.cherrypy.org/wiki/AuthenticationAndAccessRestrictions). They provide nice decorators which plugin developers can use in their handler ('exposed', in the language of CherryPy) methods.
 
We could provide a nice wrapper around those ideas for authentication using say, PAM, NIS+, LDAP etc. 
 
 
What do you say?

Wait! Wait! We are talking on different topics.

Wok already supports PAM and LDAP authentication. You can configure which method to use in your wok.conf file.
To do the authentication on the server side we have the APIs /login and /logout - to initialize and finalize a web server session for a user.

If we are talking about authentication methods, the API already exists.

What Lucio and I were talking about is how to check that the user has a valid session for each AJAX request - for that you should add the 'wok-robot' header to your AJAX calls.

 
----- Original message -----
From: Aline Manera <alinefm@linux.vnet.ibm.com>
To: luciojhc@linux.vnet.ibm.com, Harshal Patil/India/IBM@IBMIN, kimchi-devel@ovirt.org
Cc:
Subject: Re: [Kimchi-devel] adding '/auth' for authentication
Date: Thu, Aug 6, 2015 6:27 PM
 

On 05/08/2015 18:02, Lucio Correia wrote:
> On 08/05/2015 04:27 PM, Aline Manera wrote:
>>
>>
>> On 05/08/2015 14:56, Lucio Correia wrote:
>>> Hi Harshal,
>>>
>>> On 08/02/2015 01:45 PM, Harshal Patil wrote:
>>>> Hi,
>>>> In the 'wok' branch there isn't anything to detect if the session has
>>>> timed out on the browser side. On the other hand, on master (kimchi)
>>>> there is '/vms' endpoint called every 5 seconds which kinda takes care
>>>> of making sure the user is indeed logged in.
>>>> So I was wondering, if no one is already working on it, to introduce a
>>>> '/auth' endpoint which we can poll every 5 seconds using ajax and
>>>> based
>>>> on the response status code we can either redirect to login page or
>>>> just
>>>> stay on the same page. This is useful in 'wok' because there isn't any
>>>> '/vms' endpoint which existed in master (kimchi) by default.
>>>> I can submit a patch for review if this sounds good so far. Also, if
>>>> there is a better way of doing it, I would love to hear about it.
>>>> Harshal
>>>>
>>>>
>>>
>>> The 10-minutes time out is still working with wok branch. But it is
>>> only verified if you leave it in "Host" or "Guests" tab. Other tabs'
>>> APIs don't send "wok-robot" in headers.
>>>
>>> Your proposal is good, you will need to send "wok-robot" in '/auth'
>>> headers, and remove the "wok-robot" from kimchi plugin's Host and
>>> Guests API headers.
>>
>> Why do you need an API /auth to check the user is logged in? Shouldn't the
>> "wok-robot" header be enough to do that?
>> Otherwise, we will significantly increase the number of requests, as
>> the real request would be sent after a /auth request.
>>
>
> Good point Aline, we really don't need /auth. If we want timeout
> checked for every request, I see two alternatives:
> * drop wok-robot verification from check_auth_session() in
> src/wok/auth.py.
> * add wok-robot headers to requestJSON() in wok.api.js.

I prefer the second alternative. The 'wok-robot' header was created to
distinguish AJAX requests from user requests.

>
> But I don't know why currently only hosts and guests tab use wok-robot.
>

Because only those tabs have logic to poll the request every X seconds.
In fact, we need to add this to every tab to keep consistency and
automatically log out the user when the session expires.
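To make the two request kinds discussed in this thread concrete, here is an added illustration, not code from wok or from anyone in the thread: a small model in which polling (robot) requests carry the robot header and only verify the session timeout, while user requests refresh the session's last-activity time. The header name and value ('Wok-Robot: wok-robot'), the `requestJSON` wrapper's `robot` option and the 10-minute timeout are assumptions for the example.

```javascript
// Added example (assumed names, not wok's own code).
const ROBOT_HEADER = 'Wok-Robot';      // assumed header name
const ROBOT_VALUE = 'wok-robot';       // assumed header value
const MIN = 60 * 1000;
const TIMEOUT_MS = 10 * MIN;           // 10-minute timeout mentioned in the thread

// Server-side model of the session check: a request carrying the robot
// header verifies expiry but does not count as user activity; any other
// request refreshes the session's last-activity timestamp.
function checkAuthSession(session, headers, now) {
  if (!session.user) return { status: 401, reason: 'notLoggedIn' };
  if (headers[ROBOT_HEADER] === ROBOT_VALUE) {
    if (now - session.refresh > TIMEOUT_MS) {
      session.user = null;             // expire the server-side session
      return { status: 401, reason: 'sessionTimeout' };
    }
  } else {
    session.refresh = now;             // user activity keeps the session alive
  }
  return { status: 200 };
}

// Client-side wrapper in the spirit of adding the robot header to
// requestJSON(): every poll sends the header, and a 401 means the UI
// should redirect to the login page instead of staying on the tab.
function requestJSON(server, session, url, opts, now) {
  const headers = Object.assign({}, opts.headers || {});
  if (opts.robot) headers[ROBOT_HEADER] = ROBOT_VALUE;
  const res = server(session, headers, now);
  return { url, redirectToLogin: res.status === 401, reason: res.reason };
}

// Constructed timeline: login at t=0, polls every few minutes, one user
// action at t=8min; returns the redirect decision of each request.
function simulate() {
  const session = { user: 'admin', refresh: 0 };   // constructed session
  const poll = (t) => requestJSON(checkAuthSession, session,
    '/plugins/kimchi/vms', { robot: true }, t * MIN);
  const user = (t) => requestJSON(checkAuthSession, session,
    '/plugins/kimchi/vms', { robot: false }, t * MIN);
  return [poll(5), user(8), poll(17), poll(19), poll(20)]
    .map((r) => (r.redirectToLogin ? r.reason : 'ok'));
}
```

The poll at 19 minutes is the first one more than 10 minutes after the user action at 8 minutes, so it is the one that expires the session; the poll at 17 minutes still passes because the user request refreshed the timestamp.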