[Kimchi-devel] [PATCH] auth enhancement: expire the session when the request periodic access
Shu Ming
shuming at linux.vnet.ibm.com
Mon Mar 3 15:24:37 UTC 2014
2014/3/3 22:54, shaohef at linux.vnet.ibm.com:
> From: ShaoHe Feng <shaohef at linux.vnet.ibm.com>
>
> Now the UI will periodically access the vms and host.
> This will never let the session time out.
> This patch fixes this problem.
> Now the UI can set "User-Agent" as "kimchi-robot" when it wants to
> periodically access the vms and host.
> If the "User-Agent" starts with "kimchi-robot" for a long time, kimchi
> will expire the session.
So after the session is expired, will the front UI application continue
to access the vms and host periodically? I am afraid that will cause
a bunch of authentication failure messages in the back end.
>
> A UI patch will be sent later.
>
> Signed-off-by: ShaoHe Feng <shaohef at linux.vnet.ibm.com>
> ---
> src/kimchi/auth.py | 11 +++++++++++
> 1 file changed, 11 insertions(+)
>
> diff --git a/src/kimchi/auth.py b/src/kimchi/auth.py
> index f8ccea1..b1c08db 100644
> --- a/src/kimchi/auth.py
> +++ b/src/kimchi/auth.py
> @@ -22,6 +22,7 @@ import cherrypy
> import grp
> import PAM
> import re
> +import time
>
>
> from kimchi import template
> @@ -32,6 +33,7 @@ from kimchi.utils import run_command
> USER_ID = 'userid'
> USER_GROUPS = 'groups'
> USER_SUDO = 'sudo'
> +REFRESH = 'robot-refresh'
>
>
> def debug(msg):
> @@ -131,6 +133,13 @@ def check_auth_session():
> cherrypy.session.release_lock()
> if session is not None:
> debug("Session authenticated for user %s" % session)
> + userAgent = cherrypy.request.headers.get('User-Agent')
> + if userAgent.startswith("kimchi-robot"):
> + if (time.time() - cherrypy.session[REFRESH] >
> + cherrypy.session.timeout * 60):
> + cherrypy.lib.sessions.expire()
> + else:
> + cherrypy.session[REFRESH] = time.time()
> return True
>
> debug("Session not found")
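Review bot: cherrypy.request.headers.get('User-Agent') returns None when a request carries no User-Agent header, so the userAgent.startswith("kimchi-robot") call in check_auth_session() would raise AttributeError for such a request; passing a default, as in headers.get('User-Agent', ''), avoids that. The cherrypy.session[REFRESH] read has the same shape of problem: a session that was created before REFRESH was stored at login has no such key and the lookup would raise KeyError. Both the read and the write of cherrypy.session[REFRESH] also come after the cherrypy.session.release_lock() context line at the top of the hunk, so they are not covered by the lock. It is worth documenting as well that the idle timeout depends on the client labelling its polling requests, because any request whose User-Agent does not start with "kimchi-robot" takes the else branch and resets REFRESH.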
> @@ -172,6 +181,7 @@ def login(userid, password):
> cherrypy.session[USER_ID] = userid
> cherrypy.session[USER_GROUPS] = user.get_groups()
> cherrypy.session[USER_SUDO] = user.has_sudo()
> + cherrypy.session[REFRESH] = time.time()
> cherrypy.session.release_lock()
> return user.get_user()
>
> @@ -179,6 +189,7 @@ def login(userid, password):
> def logout():
> cherrypy.session.acquire_lock()
> cherrypy.session[USER_ID] = None
> + cherrypy.session[REFRESH] = 0
> cherrypy.session.release_lock()
> cherrypy.lib.sessions.expire()
>
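Review bot: The cherrypy.session[REFRESH] = 0 assignment in logout() looks redundant, since cherrypy.lib.sessions.expire() is called right after the lock is released and USER_ID is already cleared on the line above. If the reset is intentional, a short comment saying why would help; otherwise it can be dropped.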