On 02.07.2012 [17:47:49 -0300], Cleber Rosa wrote:
> On 07/02/2012 05:22 PM, Nishanth Aravamudan wrote:
> >Hi Cleber,
> >
> >On 22.06.2012 [17:39:54 -0300], Cleber Rosa wrote:
> >>On 06/21/2012 10:52 PM, Nishanth Aravamudan wrote:
> >>>So my autotest installation is authenticated via LDAP with a stanza in
> >>>the appropriate httpd.conf files. The autotest-rpc-client, though,
> >>>assumes (I think?) that it doesn't need auth to get to the RPC server
> >>>... and perhaps it shouldn't. But I couldn't figure out a way to allow
> >>>RPC access to everyone while keeping LDAP authentication to the UI.
> >>>
> >>>On a similar vein, I'd like the admin interface to be restricted to a
> >>>few users, but I can't find a clean way of doing that either.
> >>Can you provide your configuration (with sensitive info masked out)
> >>? I'd like to understand if you're just protecting users access to
> >>the web ui client files or if you're also protecting the rpc server.
> >Thanks for taking a look:
> >
> >/usr/local/autotest/apache/conf/afe-directives
> >
> ><Location "/afe">
> >  DirectoryIndex AfeClient.html
> >  AuthType basic
> >  AuthBasicProvider ldap
> >  AuthzLDAPAuthoritative on
> >  AuthBasicAuthoritative off
> >  AuthLDAPURL ldap://<correct URL>
> >  Require valid-user
> >  AuthUserFile /dev/null
> ></Location>
> >
> >With this, authentication does succeed, but there are a few issues:
> >
> >1) I think this does cause RPC calls to be protected ... which perhaps
> >they should be in my environment so I can always tell *who* submitted
> >what job, etc. How does that work without such authentication?
>
> I don't think it does, since "/afe" just serves static content (the
> web client ui, html+js files). The client code just uses the
> current (UNIX) username, and the server believes that.

Right, so I think the CLI (which uses the client code?) needs to be
updated to allow a username/password to be sent? There was something I
was reading in the source that implied this used to be the case (and it
was sent via some specific header) ... ah found it:

REMOTE_USER in headers and passed the username found to
thread_local.set_user(). If no such header is found, looks for
HTTP_AUTHORIZATION header with username (this allows CLI to
authenticate). If neither of those are found, DEBUG_USER is used.
"""

from frontend/apache_auth.py

> >2) The admin interface is under /afe and I would like to essentially
> >restrict access to that area to some specific LDAP users (basically
> >myself :) -- but I couldn't figure out a way to configure Apache for
> >that.
>
> Have you tried replacing "valid-user" for your own username at the
> "Require" directive?

Well, sure, that will let me secure the whole site as just me. My point
was I want everyone who has valid LDAP credentials (at least for now) to
be able to access the web UI, but only myself to delete/lock
hosts/acls/etc.

Thanks,
Nish

--
Nishanth Aravamudan <n...@us.ibm.com>
IBM Linux Technology Center
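
Added example, not part of the original message and not autotest's own code: a small Python model of the fallback order described in the quoted docstring, used to flag RPC requests whose job attribution was never checked by Apache. The function names, the DEBUG_USER value, the request layout and the assumption that HTTP_AUTHORIZATION carries a bare username are all hypothetical.

```python
# Added illustration; models the fallback order quoted above, not autotest's code.
DEBUG_USER = "debug_user"  # assumed placeholder for the fallback account name


def resolve_user(environ):
    """Return (username, source, verified) using the quoted fallback order."""
    user = environ.get("REMOTE_USER")
    if user:
        # Assumption: only Apache sets this, after the LDAP check succeeded.
        return user, "REMOTE_USER", True
    user = environ.get("HTTP_AUTHORIZATION")
    if user:
        # Assumption: the header carries a bare username chosen by the client.
        return user, "HTTP_AUTHORIZATION", False
    # Neither header present: every such caller shares one fallback identity.
    return DEBUG_USER, "DEBUG_USER", False


def unverified_attributions(requests):
    """List (request id, username, source) for calls whose user was not verified."""
    findings = []
    for req in requests:
        user, source, verified = resolve_user(req["environ"])
        if not verified:
            findings.append((req["id"], user, source))
    return findings


# Constructed sample RPC requests (ids, names and values are made up).
SAMPLE_REQUESTS = [
    {"id": 1, "environ": {"REMOTE_USER": "alice"}},
    {"id": 2, "environ": {"HTTP_AUTHORIZATION": "alice"}},
    {"id": 3, "environ": {}},
    {"id": 4, "environ": {"REMOTE_USER": "", "HTTP_AUTHORIZATION": "bob"}},
]

if __name__ == "__main__":
    for finding in unverified_attributions(SAMPLE_REQUESTS):
        print("unverified job attribution:", finding)
```

Requests 1 and 2 both resolve to the same username, but only request 1 is backed by the LDAP check, which is the gap behind the "who submitted what job" question in the thread.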