[Kimchi-devel] [PATCHv1 3/4] Add LDAP authentication

Aline Manera alinefm at linux.vnet.ibm.com
Wed Oct 22 11:54:51 UTC 2014 

On 10/22/2014 04:04 AM, Royce Lv wrote:
> On 2014年10月22日 02:43, Aline Manera wrote:
>>
>> On 10/20/2014 11:52 AM, lvroyce0210 at gmail.com wrote:
>>> From: Royce Lv <lvroyce at linux.vnet.ibm.com>
>>>
>>> Add LDAP authentication, also deals with invalid user,
>>> LDAP search base configure error and other LDAP errors.
>>>
>>> Signed-off-by: Royce Lv <lvroyce at linux.vnet.ibm.com>
>>> ---
>>> contrib/DEBIAN/control.in | 1 +
>>> contrib/kimchi.spec.fedora.in | 1 +
>>> contrib/kimchi.spec.suse.in | 1 +
>>> src/kimchi/auth.py | 44 ++++++++++++++++++++++++++++++++++++++++++-
>>> 4 files changed, 46 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/contrib/DEBIAN/control.in b/contrib/DEBIAN/control.in
>>> index 7372a58..0721960 100644
>>> --- a/contrib/DEBIAN/control.in
>>> +++ b/contrib/DEBIAN/control.in
>>> @@ -27,6 +27,7 @@ Depends: python-cherrypy3 (>= 3.2.0),
>>> firewalld,
>>> nginx,
>>> python-guestfs,
>>> + python-ldap,
>>> libguestfs-tools
>>> Build-Depends: libxslt,
>>> python-libxml2,
>>> diff --git a/contrib/kimchi.spec.fedora.in 
>>> b/contrib/kimchi.spec.fedora.in
>>> index 2ca3076..fcb8c11 100644
>>> --- a/contrib/kimchi.spec.fedora.in
>>> +++ b/contrib/kimchi.spec.fedora.in
>>> @@ -29,6 +29,7 @@ Requires: nfs-utils
>>> Requires: nginx
>>> Requires: iscsi-initiator-utils
>>> Requires: policycoreutils-python
>>> +Requires: python-ldap
>>> Requires: python-libguestfs
>>> Requires: libguestfs-tools
>>> BuildRequires: libxslt
>>> diff --git a/contrib/kimchi.spec.suse.in b/contrib/kimchi.spec.suse.in
>>> index 9ea240c..b8f0531 100644
>>> --- a/contrib/kimchi.spec.suse.in
>>> +++ b/contrib/kimchi.spec.suse.in
>>> @@ -23,6 +23,7 @@ Requires: python-psutil >= 0.6.0
>>> Requires: python-jsonschema >= 1.3.0
>>> Requires: python-ethtool
>>> Requires: python-ipaddr
>>> +Requires: python-ldap
>>> Requires: python-lxml
>>> Requires: python-xml
>>> Requires: nfs-client
>>> diff --git a/src/kimchi/auth.py b/src/kimchi/auth.py
>>> index 10c7c1f..162bbfd 100644
>>> --- a/src/kimchi/auth.py
>>> +++ b/src/kimchi/auth.py
>>> @@ -20,6 +20,7 @@
>>> import base64
>>> import cherrypy
>>> import fcntl
>>> +import ldap
>>> import multiprocessing
>>> import os
>>> import PAM
>>> @@ -177,6 +178,7 @@ class PAMUser(User):
>>>
>>> class LDAPUser(User):
>>> auth_type = "ldap"
>>> +
>>> def __init__(self, username):
>>> self.user = {}
>>> self.user[USER_NAME] = username
>>> @@ -187,7 +189,47 @@ class LDAPUser(User):
>>>
>>> @staticmethod
>>> def authenticate(username, password):
>>> - return False
>>> + ldap_server = config.get("authentication", "ldap_server").strip('"')
>>> + ldap_search_base = config.get(
>>> + "authentication", "ldap_search_base").strip('"')
>>> + ldap_search_filter = config.get(
>>> + "authentication", "ldap_search_filter",
>>> + vars={"username": username.encode("utf-8")}).strip('"')
>>> +
>>> + connect = ldap.open(ldap_server)
>>> + try:
>>> + try:
>>> + result = connect.search_s(
>>> + ldap_search_base, ldap.SCOPE_SUBTREE, ldap_search_filter)
>>> + if len(result) == 0:
>>> + entity = ldap_search_filter % {'username': username}
>>> + raise ldap.LDAPError("Invalid ldap entity:%s" % entity)
>>> + except ldap.NO_SUCH_OBJECT:
>>> + # ldap search base specified wrongly.
>>> + raise ldap.LDAPError(
>>> + "invalid ldap search base %s" % ldap_search_base)
>>> +
>>> + try:
>>> + connect.bind_s(result[0][0], password)
>>> + except ldap.INVALID_CREDENTIALS:
>>> + # invalid user password
>>> + raise ldap.LDAPError("invalid user/passwd")
>>> + connect.unbind_s()
>>> + return True
>>> + except ldap.LDAPError, e:
>>> + arg = {"username": username, "code": e.message}
>>> + raise OperationFailed("KCHAUTH0001E", arg)
>>> +
>>> + def get_groups(self):
>>> + return self.user[USER_GROUPS]
>>> +
>>
>>> + def get_roles(self):
>>> + self.user[USER_ROLES] = dict.fromkeys(tabs, 'admin')
>>> + return self.user[USER_ROLES]
>>
>> The admin ID's should be listed on Kimchi config file, instead of 
>> doing admin permissions to all users.
>>
>> So on __init__():
>>
>> self.admin_users = config.get("authentication", "ldap_admin_users")
>> self.user[USER_ROLES] = dict.fromkeys(tabs, 'admin') if 
>> self.user[USERNAME] in self.admin_users else dict.fromkeys(tabs, 'user')
>>
>> And on get_roles():
>>
>> def get_roles(self):
>> return self.user[USER_ROLES]
> Aline, this patch just want to cover Authentication-- whether we let a 
> person in.
> I will add authorization(what this person is allow to manipulate) 
> after we settled down our opinion on how to implement it.

Well, we already had an agreement on how get the admin users, right?
We will use Kimchi config file to handle that information and all the 
other users will have "user" role.

>
>>
>>
>>
>>> +
>>> + def get_user(self):
>>> + return self.user
>>> +
>>>
>>> def from_browser():
>>> # Enable Basic Authentication for REST tools.
>>
>> _______________________________________________
>> Kimchi-devel mailing list
>> Kimchi-devel at ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/kimchi-devel
>>
>

More information about the Kimchi-devel mailing list