Support for authentication using external proxy (#33)

* add options for HTTP header authentication to config
* add template for handling error 401: Unauthorized
* support external authentication

  Expects authentication to be done using an external tool (such as Apache) that fills the user's UUID into an HTTP header and acts as a proxy.

* version 0.7.3, simple auth mode available, docs for auth created
* version 0.7.3, simple auth mode available, docs for auth created
* typo in link

---------

Co-authored-by: Jakub Man <jakub.man@pm.me>
Showing 9 changed files with 126 additions and 39 deletions.
@@ -0,0 +1,43 @@ | ||
# ExaFS tool | ||
## Auth mechanism | ||
|
||
Since version 0.7.3, the application supports three different forms of user authorization. | ||
|
||
* SSO using Shibboleth | ||
* Simple Auth proxy | ||
* Local single-user mode | ||
|
||
### SSO | ||
To use SSO, you need to set up Apache + Shiboleth in the usual way. Then set `SSO_AUTH = True` in the application configuration file **config.py** | ||
|
||
Shibboleth configuration example: | ||
|
||
#### shibboleth config: | ||
``` | ||
<Location /> | ||
AuthType shibboleth | ||
ShibRequestSetting requireSession 1 | ||
require shib-session | ||
</Location> | ||
``` | ||
|
||
|
||
#### httpd ssl.conf | ||
We recomend using app with https only. It's important to configure proxy pass to uwsgi in httpd config. | ||
``` | ||
# Proxy everything to the WSGI server except /Shibboleth.sso and | ||
# /shibboleth-sp | ||
ProxyPass /kon.php ! | ||
ProxyPass /Shibboleth.sso ! | ||
ProxyPass /shibboleth-sp ! | ||
ProxyPass / uwsgi://127.0.0.1:8000/ | ||
``` | ||
|
||
### Simple Auth | ||
This mode uses a WWW server (usually Apache) as an auth proxy. It is thus possible to use an external user database. Everything needs to be set in the web server configuration, then in **config.py** enable `HEADER_AUTH = True` and set `AUTH_HEADER_NAME = 'X-Authenticated-User'` | ||
|
||
See [apache.conf.example](./apache.conf.example) for more information about configuration. | ||
|
||
### Local single user mode | ||
This mode is used as a fallback if neither SSO nor Simple Auth is enabled. Configuration is done using **config.py**. The mode is more for testing purposes, it does not allow to set up multiple users with different permission levels and also does not perform user authentication. |
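Review bot: the "Simple Auth" section should state the trust boundary this mode depends on. The application accepts whatever `X-Authenticated-User` header reaches it, so it must be reachable only through the authenticating proxy (bind the uwsgi/WSGI listener to 127.0.0.1 or firewall it), and the proxy must overwrite any client-supplied copy of the header rather than pass it through; otherwise anyone who can reach the backend directly impersonates any user by sending the header themselves. The same caveat belongs in "Local single user mode", which says it "does not perform user authentication" but not that it must never be exposed on a network. Smaller points in the hunk: "three different forms of user authorization" describes authentication, not authorization; the "httpd ssl.conf" part says https only but the snippet shows only `ProxyPass` lines, so say explicitly that they belong inside the TLS virtual host; and fix the spellings "Shiboleth" and "recomend".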
@@ -0,0 +1,24 @@ | ||
# mod_dbd configuration | ||
DBDriver pgsql | ||
DBDParams "dbname=exafs_users host=localhost user=exafs password=verysecurepassword" | ||
|
||
DBDMin 4 | ||
DBDKeep 8 | ||
DBDMax 20 | ||
DBDExptime 300 | ||
|
||
# ExaFS authentication | ||
<VirtualHost *:80> | ||
ServerName example.com | ||
DocumentRoot /var/www/html | ||
|
||
<Location /> | ||
AuthType Basic | ||
AuthName "Database Authentication" | ||
AuthBasicProvider dbd | ||
AuthDBDUserPWQuery "SELECT pass_hash AS password FROM \"users\" WHERE email = %s" | ||
Require valid-user | ||
RequestHeader set X-Authenticated-User expr=%{REMOTE_USER} | ||
ProxyPass http://127.0.0.1:8080/ | ||
</Location> | ||
</VirtualHost> |
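Review bot: the virtual host is `*:80` with `AuthType Basic`, so this example sends the user's password in cleartext on every request, which contradicts the https-only recommendation in the auth docs added in the same commit; put the `<Location>` block in a `*:443` host with TLS and keep `*:80` at most as a redirect. Two things to reconcile with the docs: the commit message says the proxy "fills the user's UUID" into the header, but `RequestHeader set X-Authenticated-User expr=%{REMOTE_USER}` forwards the Basic username, i.e. the `email` that `AuthDBDUserPWQuery` matches on, not a UUID, so either the docs or the example should say which value the application keys on. `RequestHeader set` (rather than `append`) is the right choice because it replaces any `X-Authenticated-User` a client sends; keep it that way and mention why in a comment. Finally, `pass_hash` must be stored in a format mod_authn_dbd accepts (the `htpasswd` formats, e.g. bcrypt or apr1), and the literal `password=verysecurepassword` in a checked-in example reads better as an obvious placeholder such as `CHANGE_ME`.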
@@ -1 +1 @@ | ||
__version__ = "0.7.2" | ||
__version__ = "0.7.3" |
@@ -0,0 +1,7 @@ | ||
{% extends 'layouts/default.j2' %} | ||
{% block content %} | ||
<h1>Could not log you in.</h1> | ||
<p class="form-text">401: Unauthorized</p> | ||
<p>Please log out and try logging in again.</p> | ||
<p><a href="{{url_for('logout')}}">Log out</a></p> | ||
{% endblock %} |
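Review bot: the page links to `url_for('logout')`, but in the new header-auth mode the session is owned by the proxy (and HTTP Basic has no server-side logout at all), so confirm that a `logout` endpoint is registered whenever `HEADER_AUTH` is enabled; if it is not, `url_for` raises `BuildError` and the 401 page itself fails to render. It would also help to distinguish "the proxy sent no header" from "the header named a user the application does not know", since the advice to log out and log in again only helps in the first case.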