Re: [Catalyst] How to sudo using the Authentication plugin
On 11/05/12 19:18 Tomas Doran wrote:
> On 11 May 2012, at 17:45, Robert Rothenberg wrote:
>> We're working on an application with a lot of users, and where the passwords are encrypted (and future versions may also allow OpenID logins). Developers would like the ability for the root user to be able to become another user, for the purposes of debugging problems that real users might be having on a live system.
>>
>> How does one do this using the Authentication plugin? Obvious things to try like $c->user($new_user) don't work, nor does the (internal) $c->set_authenticated($user, $real) method.
>
> The recommended approach would be to keep $c->user 'pure', and to arrange to stash the current user in a top level base chain part, or top level auto. If everything then subsequently uses $c->stash->{current_user}, then you can do your sudo (or whatever other mechanism you may need in future) simply by swapping out the user here.
>
> This makes things a lot more pure, as the canonical user that $c->user will give you is (more) immutable.
>
> Also, if you swap the 'canonical' user part way through the request, when the session plugin comes to re-serialize the session at the end of request you're pretty stuffed, as you're now writing out the wrong user... I.e. re-sudoing, or doing any root level action, is likely to require you to log out and log in again; not what you actually want! :)

We don't mind having to log out and log back in again after sudoing.

I'm not looking forward to changing every use of $c->user in the code, and am concerned about how this might interact with any plugins that rely on $c->user.

Would you consider the ability to sudo a feature request for the Authentication plugin? (with appropriate thoughts about the security implications, of course).

Thanks,
Rob

___
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/
Re: [Catalyst] How to sudo using the Authentication plugin
Wait a minute: would your solution work with $c->check_any_user_role?

On 12/05/12 11:09 Robert Rothenberg wrote:
> On 11/05/12 19:18 Tomas Doran wrote:
>> On 11 May 2012, at 17:45, Robert Rothenberg wrote:
>>> We're working on an application with a lot of users, and where the passwords are encrypted (and future versions may also allow OpenID logins). Developers would like the ability for the root user to be able to become another user, for the purposes of debugging problems that real users might be having on a live system.
>>>
>>> How does one do this using the Authentication plugin? Obvious things to try like $c->user($new_user) don't work, nor does the (internal) $c->set_authenticated($user, $real) method.
>>
>> The recommended approach would be to keep $c->user 'pure', and to arrange to stash the current user in a top level base chain part, or top level auto. If everything then subsequently uses $c->stash->{current_user}, then you can do your sudo (or whatever other mechanism you may need in future) simply by swapping out the user here.
>>
>> This makes things a lot more pure, as the canonical user that $c->user will give you is (more) immutable.
>>
>> Also, if you swap the 'canonical' user part way through the request, when the session plugin comes to re-serialize the session at the end of request you're pretty stuffed, as you're now writing out the wrong user... I.e. re-sudoing, or doing any root level action, is likely to require you to log out and log in again; not what you actually want! :)
>
> We don't mind having to log out and log back in again after sudoing.
>
> I'm not looking forward to changing every use of $c->user in the code, and am concerned about how this might interact with any plugins that rely on $c->user.
>
> Would you consider the ability to sudo a feature request for the Authentication plugin? (with appropriate thoughts about the security implications, of course).
>
> Thanks,
> Rob
Re: [Catalyst] How to sudo using the Authentication plugin
Actually, I came across Catalyst::Plugin::Authentication::Credential::NoPassword in the latest version, which is apparently intended for the purpose of sudoing. With a bit of fiddling, I was able to get it to work.
Re: [Catalyst] How to sudo using the Authentication plugin
No need to use a plugin, just use an authentication realm that requires no password.

Store the current user in a persistent session cookie and go back and forth with a single ->authenticate method.

Sent from my iPhone

On May 12, 2012, at 6:01 AM, Robert Rothenberg rob...@gmail.com wrote:
> Actually, I came across Catalyst::Plugin::Authentication::Credential::NoPassword in the latest version, which is apparently intended for the purpose of sudoing. With a bit of fiddling, I was able to get it to work.
Re: [Catalyst] How to sudo using the Authentication plugin
Using the standard Authentication plugin, configure two realms against the same user model: the 'default' realm checks the (crypted) password, while the 'admin' realm has password_type none, so it will authenticate any user by name alone and must only ever be reachable from an admin-guarded action:

    <Plugin::Authentication>
        default_realm default
        <default>
            class          SimpleDB
            user_model     MySchema::Login
            id_field       name
            password_field password
            password_type  crypted
        </default>
        <admin>
            class          SimpleDB
            user_model     MySchema::Login
            id_field       name
            password_type  none
        </admin>
    </Plugin::Authentication>

Then, whenever you need to 'sudo', just:

    sub LoginAs : Private {
        my ( $self, $c ) = @_;
        my $user = $c->request->param('email') || q{};
        if ($user) {
            # remember who really logged in before replacing the session
            my $real = $c->user->name;
            $c->delete_session;
            $c->session->{real_user} = $real;
            # 'admin' realm: password_type none, so name alone is enough
            $c->authenticate( { name => $user }, 'admin' );
            $c->response->redirect('/account/manage');
        }
        return 1;
    }

Hope that helps.

On May 12, 2012, at 9:06 AM, Francisco Obispo wrote:
> No need to use a plugin, just use an authentication realm that requires no password.
>
> Store the current user in a persistent session cookie and go back and forth with a single ->authenticate method.
>
> Sent from my iPhone
>
> On May 12, 2012, at 6:01 AM, Robert Rothenberg rob...@gmail.com wrote:
>> Actually, I came across Catalyst::Plugin::Authentication::Credential::NoPassword in the latest version, which is apparently intended for the purpose of sudoing. With a bit of fiddling, I was able to get it to work.
>
> Francisco Obispo
> email: fobi...@isc.org
> Phone: +1 650 423 1374 || INOC-DBA *3557* NOC
> PGP KeyID = B38DB1BE
[Catalyst] How to sudo using the Authentication plugin
We're working on an application with a lot of users, and where the passwords are encrypted (and future versions may also allow OpenID logins). Developers would like the ability for the root user to be able to become another user, for the purposes of debugging problems that real users might be having on a live system.

How does one do this using the Authentication plugin? Obvious things to try like $c->user($new_user) don't work, nor does the (internal) $c->set_authenticated($user, $real) method.
Re: [Catalyst] How to sudo using the Authentication plugin
On 11 May 2012, at 17:45, Robert Rothenberg wrote:
> We're working on an application with a lot of users, and where the passwords are encrypted (and future versions may also allow OpenID logins). Developers would like the ability for the root user to be able to become another user, for the purposes of debugging problems that real users might be having on a live system.
>
> How does one do this using the Authentication plugin? Obvious things to try like $c->user($new_user) don't work, nor does the (internal) $c->set_authenticated($user, $real) method.

The recommended approach would be to keep $c->user 'pure', and to arrange to stash the current user in a top level base chain part, or top level auto. If everything then subsequently uses $c->stash->{current_user}, then you can do your sudo (or whatever other mechanism you may need in future) simply by swapping out the user here.

This makes things a lot more pure, as the canonical user that $c->user will give you is (more) immutable.

Also, if you swap the 'canonical' user part way through the request, when the session plugin comes to re-serialize the session at the end of request you're pretty stuffed, as you're now writing out the wrong user... I.e. re-sudoing, or doing any root level action, is likely to require you to log out and log in again; not what you actually want! :)

Cheers
t0m
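The stash-based design t0m describes above, written out as an added example of a Root controller (this is not code from the thread or from the Catalyst project). It assumes Catalyst::Plugin::Authorization::Roles with an 'admin' role, a user store whose id_field is `name` (as in the SimpleDB config earlier in the thread), and hypothetical action names `sudo`/`unsudo` and session key `sudo_as`. $c->user is never touched, so the session keeps serializing the real login, role checks keep running against the real admin, and unsudo needs no logout.

```perl
package MyApp::Controller::Root;
use Moose;
use namespace::autoclean;
BEGIN { extends 'Catalyst::Controller' }
__PACKAGE__->config(namespace => '');

# Runs before every action: application code reads
# $c->stash->{current_user}; $c->user stays the canonical login.
sub auto : Private {
    my ($self, $c) = @_;
    return 1 unless $c->user_exists;
    $c->stash->{current_user} = $c->user;          # default: no sudo
    my $target = $c->session->{sudo_as} or return 1;
    # Honour a stored sudo target only while the real user is still admin
    # (assumption: Authorization::Roles provides check_user_roles).
    unless ($c->check_user_roles('admin')) {
        delete $c->session->{sudo_as};
        return 1;
    }
    if (my $u = $c->find_user({ name => $target })) {
        $c->stash->{current_user}   = $u;
        $c->stash->{sudo_real_user} = $c->user->get('name');
    } else {
        delete $c->session->{sudo_as};             # target no longer exists
    }
    return 1;
}

# /sudo/<name>: admin-only and audited under the real identity.
sub sudo : Local Args(1) {
    my ($self, $c, $name) = @_;
    unless ($c->user_exists && $c->check_user_roles('admin')) {
        $c->response->status(403); $c->response->body('Forbidden'); $c->detach;
    }
    unless ($c->find_user({ name => $name })) {
        $c->response->status(404); $c->response->body('No such user'); $c->detach;
    }
    $c->log->info(sprintf 'sudo: %s -> %s', $c->user->get('name'), $name);
    $c->session->{sudo_as} = $name;                # only the stash swap changes
    $c->response->redirect($c->uri_for('/'));
}

sub unsudo : Local Args(0) {
    my ($self, $c) = @_;
    if (my $name = delete $c->session->{sudo_as}) {
        $c->log->info(sprintf 'unsudo: %s <- %s', $c->user->get('name'), $name);
    }
    $c->response->redirect($c->uri_for('/'));
}

__PACKAGE__->meta->make_immutable;
1;
```

Because $c->check_any_user_role and friends still look at $c->user, any authorization that is meant to follow the impersonated user has to be written against $c->stash->{current_user} instead; that is the trade-off Rob's follow-up question points at.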