[Kimchi-devel] [PATCH V2 1/2] auth enhancement: expire the session when the request access periodically
Aline Manera
alinefm at linux.vnet.ibm.com
Tue Mar 4 18:39:14 UTC 2014
You could also update the cherrypy.session.timeout to 10 or 15 minutes.

On 03/04/2014 06:45 AM, shaohef at linux.vnet.ibm.com wrote:
> From: ShaoHe Feng <shaohef at linux.vnet.ibm.com>
>
> Now the UI will access the vms and host periodically.
> That will never make the session expire.
> This patch fixes this problem.
> Now the UI can set the "Kimchi-Robot" header when it wants to access the vms
> and host periodically.
> If all the requests for a long time carry the "Kimchi-Robot" header, kimchi
> will expire the session.
>
> Signed-off-by: ShaoHe Feng <shaohef at linux.vnet.ibm.com>
> ---
> src/kimchi/auth.py | 13 +++++++++++++
> 1 file changed, 13 insertions(+)
>
> diff --git a/src/kimchi/auth.py b/src/kimchi/auth.py
> index f8ccea1..8a07e05 100644
> --- a/src/kimchi/auth.py
> +++ b/src/kimchi/auth.py
> @@ -22,6 +22,7 @@ import cherrypy
> import grp
> import PAM
> import re
> +import time
>
>
> from kimchi import template
> @@ -32,6 +33,7 @@ from kimchi.utils import run_command
> USER_ID = 'userid'
> USER_GROUPS = 'groups'
> USER_SUDO = 'sudo'
> +REFRESH = 'robot-refresh'
>
>
> def debug(msg):
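
Review bot: REFRESH has no comment saying what it stores, and the key name 'robot-refresh' reads as if robot requests refresh it, while the check_auth_session() hunk updates it only on requests that do not carry the Kimchi-Robot header. A one-line comment stating that it holds the time.time() value of the last non-robot request, or a key name that says so, would make the intent clear.
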
> @@ -131,6 +133,15 @@ def check_auth_session():
> cherrypy.session.release_lock()
> if session is not None:
> debug("Session authenticated for user %s" % session)
> + kimchiRobot = cherrypy.request.headers.get('Kimchi-Robot')
> + if kimchiRobot and kimchiRobot.startswith("kimchi-robot"):
> + if (time.time() - cherrypy.session[REFRESH] >
> + cherrypy.session.timeout * 60):
> + cherrypy.session[USER_ID] = None
> + cherrypy.lib.sessions.expire()
> + raise cherrypy.HTTPError(403)
> + else:
> + cherrypy.session[REFRESH] = time.time()
> return True
>
> debug("Session not found")
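
Review bot: the new branch reads cherrypy.session[REFRESH] and writes cherrypy.session[USER_ID] and cherrypy.session[REFRESH] after the cherrypy.session.release_lock() at the top of this hunk, whereas logout() does its session writes between acquire_lock() and release_lock(). Suggest doing the timestamp check and update before the lock is released, or re-acquiring the lock around it. Separately, cherrypy.session[REFRESH] is indexed directly, so a session that never had the key set by login() would raise KeyError here; cherrypy.session.get(REFRESH, 0) would make such a session expire instead of failing.
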
> @@ -172,6 +183,7 @@ def login(userid, password):
> cherrypy.session[USER_ID] = userid
> cherrypy.session[USER_GROUPS] = user.get_groups()
> cherrypy.session[USER_SUDO] = user.has_sudo()
> + cherrypy.session[REFRESH] = time.time()
> cherrypy.session.release_lock()
> return user.get_user()
>
> @@ -179,6 +191,7 @@ def login(userid, password):
> def logout():
> cherrypy.session.acquire_lock()
> cherrypy.session[USER_ID] = None
> + cherrypy.session[REFRESH] = 0
> cherrypy.session.release_lock()
> cherrypy.lib.sessions.expire()
>