Change in ovirt-engine[master]: 14. core: Add header authenticator
yzaslavs at redhat.com
Wed Jan 15 21:23:49 UTC 2014
Yair Zaslavsky has submitted this change and it was merged.
Change subject: 14. core: Add header authenticator
......................................................................
14. core: Add header authenticator
This patch introduces a new authenticator that assumes that the
authentication has already been performed by the web server and that
takes the user name from a configurable request header.
To use this authenticator the web server has to be configured to
populate a header with the name of the authenticated user. An overly
simple example is the following:

  <Location /ovirt-engine/webadmin>
    RequestHeader set X-Remote-User jdoe
  </Location>

This makes the web server add the X-Remote-User header with the
value "jdoe" to all the requests for URLs starting with /ovirt-engine/webadmin.

After doing this the engine can be configured by creating a header.conf
file inside /etc/ovirt-engine/auth.conf.d with the following content:

  #
  # The name of the authentication profile:
  #
  name=simple

  #
  # The name of the module that contains the authenticator and the
  # directory implementations:
  #
  module=org.ovirt.engine.core.authentication

  #
  # The types of the authenticator and the directory to use:
  #
  authenticator.type=header
  directory.type=nop

  #
  # The name of the header to extract the user name from:
  #
  authenticator.header=X-Remote-User

The net result is that users connecting to the /ovirt-engine/webadmin
URL will be automatically authenticated as "jdoe" without having to
provide any credentials.
A more realistic example of the web server configuration is the
following:

  <Location /ovirt-engine/webadmin>
    AuthType Basic
    AuthName "Protected"
    AuthBasicProvider file
    AuthUserFile /etc/httpd/conf/users
    Require valid-user

    #
    # This is needed in order to enable the rewrite engine later,
    # otherwise the web server refuses to enable it because it
    # allows a similar mechanism to circumvent directory
    # restrictions:
    #
    Options +FollowSymLinks

    #
    # These rewrite rules are intended to copy the value of the
    # REMOTE_USER CGI environment variable into a header, as
    # JBoss AS 7 doesn't currently have a mechanism to
    # access the environment variable:
    #
    RewriteEngine On
    RewriteCond %{REMOTE_USER} ^(.*)$
    RewriteRule ^(.*)$ - [E=REMOTE_USER:%1]
    RequestHeader set X-Remote-User %{REMOTE_USER}e
  </Location>

With this web server configuration and the same engine header.conf
engine configuration described above users will be asked for credentials
by the web server. Those credentials will be checked by the web server
using the /etc/httpd/conf/users file, and then the user will be
automatically logged in to the engine without having to provide any
additional credentials.
Change-Id: If2e212641d41f30fee753edff9581bd5c4fc31e2
Signed-off-by: Juan Hernandez <juan.hernandez at redhat.com>
---
A backend/manager/modules/authentication/src/main/java/org/ovirt/engine/core/authentication/header/HeaderAuthenticator.java
A backend/manager/modules/authentication/src/main/java/org/ovirt/engine/core/authentication/header/HeaderAuthenticatorFactory.java
M backend/manager/modules/authentication/src/main/resources/META-INF/services/org.ovirt.engine.core.authentication.AuthenticatorFactory
3 files changed, 143 insertions(+), 0 deletions(-)
Approvals:
Yair Zaslavsky: Verified; Looks good to me, approved
--
To view, visit http://gerrit.ovirt.org/21028
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: merged
Gerrit-Change-Id: If2e212641d41f30fee753edff9581bd5c4fc31e2
Gerrit-PatchSet: 32
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Juan Hernandez <juan.hernandez at redhat.com>
Gerrit-Reviewer: Alon Bar-Lev <alonbl at redhat.com>
Gerrit-Reviewer: Juan Hernandez <juan.hernandez at redhat.com>
Gerrit-Reviewer: Liran Zelkha <lzelkha at redhat.com>
Gerrit-Reviewer: Martin Peřina <mperina at redhat.com>
Gerrit-Reviewer: Ravi Nori <rnori at redhat.com>
Gerrit-Reviewer: Yair Zaslavsky <yzaslavs at redhat.com>
Gerrit-Reviewer: oVirt Jenkins CI Server
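
Because the header authenticator trusts whatever arrives in the configured header, the web server block is the whole authentication boundary. The following is an added example, not part of the commit or of ovirt-engine: a small Python check that audits a <Location> block the way the two configurations in the commit message differ. The function name audit_location and the abbreviated sample blocks are assumptions made for illustration.

```python
import re

# Constructed sample input: the two <Location> blocks from the commit message, abbreviated.
SIMPLE = """\
<Location /ovirt-engine/webadmin>
RequestHeader set X-Remote-User jdoe
</Location>
"""
REALISTIC = """\
<Location /ovirt-engine/webadmin>
AuthType Basic
AuthUserFile /etc/httpd/conf/users
Require valid-user
RewriteEngine On
RewriteCond %{REMOTE_USER} ^(.*)$
RewriteRule ^(.*)$ - [E=REMOTE_USER:%1]
RequestHeader set X-Remote-User %{REMOTE_USER}e
</Location>
"""

def audit_location(block, header="X-Remote-User"):
    """Hypothetical helper: list findings for one <Location> block that feeds `header` to the engine."""
    lines = [l.strip() for l in block.splitlines()]
    directives = [l.split(None, 1) for l in lines if l and not l.startswith(("#", "<"))]
    findings, header_rules = [], []
    for name, *rest in directives:
        args = rest[0].split() if rest else []
        if name.lower() == "requestheader" and len(args) >= 2 and args[1].lower() == header.lower():
            header_rules.append(args)
    if not header_rules:
        findings.append("header is never set: a client-supplied value would pass through")
    for args in header_rules:
        action, value = args[0].lower(), " ".join(args[2:])
        if action != "set":  # mod_headers 'set' replaces any header of that name sent by the client
            findings.append(f"action '{action}' is not 'set', which replaces a client-supplied value")
        if not re.search(r"%\{REMOTE_USER\}[es]", value):
            findings.append(f"value '{value}' is not derived from REMOTE_USER")
    requires = [r[0].lower() for n, *r in directives if n.lower() == "require" and r]
    if not any(r.startswith(("valid-user", "user ", "group ")) for r in requires):
        findings.append("no Require directive: requests reach the engine unauthenticated")
    return findings

if __name__ == "__main__":
    for label, block in (("simple", SIMPLE), ("realistic", REALISTIC)):
        print(label, audit_location(block) or "ok")
```

The check only covers the web server side; it assumes the engine is not reachable by any path that bypasses this <Location> block.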