Re: [Catalyst] How to sudo using the Authentication plugin

2012-05-12 Thread Robert Rothenberg
On 11/05/12 19:18 Tomas Doran wrote:
 
 On 11 May 2012, at 17:45, Robert Rothenberg wrote:
 
 We're working on an application with a lot of users, and where the passwords
 are encrypted (and future versions may also allow OpenID logins).

 Developers would like the ability for the root user to be able to become
 another user, for the purposes of debugging problems that real users might
 be having on a live system.

 How does one do this using the Authentication plugin?

 Obvious things to try like the $c->user($new_user) doesn't work, nor does
 the (internal) $c->set_authenticated($user, $real) method.

 
 The recommended approach would be to keep $c->user 'pure', and to arrange to 
 stash the current user in a top level base chain part, or top level auto.
 
 If everything then subsequently uses $c->stash->{current_user} - then you can 
 do your sudo (or whatever other mechanism you may need in future) simply by 
 swapping out the user here.
 
 This makes things a lot more pure - as the canonical user that $c->user will 
 give you is (more) immutable..
 
 Also, if you swap the 'canonical' user part way through the request - when 
 the session plugin comes to re-serialize the session at the end of request - 
 you're pretty stuffed, as you're now writing out the wrong user… I.e. 
 re-sudoing, or doing any root level action is likely to require you to log 
 out and log in again - not what you actually want! :)

We don't mind having to log out and log back in again after sudoing.

I'm not looking forward to changing every use of $c->user in the code, and
concerned about how this might interact with any plugins that rely on $c->user.

Would you consider the ability to sudo a feature request for the
Authentication plugin? (with appropriate thoughts about the security
implications, of course).

Thanks,
Rob


___
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/


Re: [Catalyst] How to sudo using the Authentication plugin

2012-05-12 Thread Robert Rothenberg
Wait a minute: would your solution work with $c->check_any_user_role?



Re: [Catalyst] How to sudo using the Authentication plugin

2012-05-12 Thread Robert Rothenberg

Actually, I came across

  Catalyst::Plugin::Authentication::Credential::NoPassword

in the latest version, which is apparently intended for the purpose of sudoing.

With a bit of fiddling, I was able to get it to work.




Re: [Catalyst] How to sudo using the Authentication plugin

2012-05-12 Thread Francisco Obispo
No need to use a plugin, just use an authentication realm that requires no 
password.

Store the current user in a persistent session cookie and go back and forth 
with a single ->authenticate method

Sent from my iPhone



Re: [Catalyst] How to sudo using the Authentication plugin

2012-05-12 Thread Francisco Obispo
Using the standard Authentication plugin:

<Plugin::Authentication>
  default_realm default
  <default>
    class SimpleDB
    user_model MySchema::Login
    id_field name
    password_field password
    password_type crypted
  </default>

  <admin>
    class SimpleDB
    user_model MySchema::Login
    id_field name
    password_type none
  </admin>
</Plugin::Authentication>


Then, whenever you need to 'sudo', just:

sub LoginAs : Private {
  my ( $self, $c ) = @_;

  # Name of the account to become; it is looked up through the realm's
  # id_field ('name'), even though the request parameter is called 'email'.
  my $user = $c->request->param('email') || q{};

  if ($user) {
    my $real = $c->user->name;          # remember who is really logged in
    $c->delete_session;                 # drop the admin's session ...
    $c->session->{real_user} = $real;   # ... and record them in the new one
    # log in as the target through the passwordless 'admin' realm
    $c->authenticate( { name => $user }, 'admin' );
    $c->response->redirect('/account/manage');
  }

  return 1;
}


Hope that helps.





Francisco Obispo 
email: fobi...@isc.org
Phone: +1 650 423 1374 || INOC-DBA *3557* NOC
PGP KeyID = B38DB1BE
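Added example, not code from the thread: a controller built on the two-realm configuration above that adds what a production sudo needs around the LoginAs action, an authorization check before switching, an audit log line, and an unsudo action that uses the same passwordless realm to go back. It assumes Catalyst::Plugin::Authorization::Roles is loaded (for $c->check_user_roles), that the privileged role is named 'admin', and that the controller lives under /admin.

```perl
package MyApp::Controller::Admin;
use Moose;
use namespace::autoclean;
BEGIN { extends 'Catalyst::Controller' }
# Assumes the 'default' (crypted password) and 'admin' (password_type none)
# realms from the config above, Catalyst::Plugin::Authorization::Roles for
# $c->check_user_roles, and a role named 'admin' (all assumptions).

sub sudo : Local {
    my ( $self, $c ) = @_;
    my $target = $c->request->param('name') // q{};
    # Only a logged-in, role-checked admin may switch, and never while already
    # switched: otherwise the impersonated account could chain into another one.
    unless ( $c->user_exists && $c->check_user_roles('admin')
             && !$c->session->{real_user} ) {
        $c->response->status(403);
        $c->response->body('Forbidden');
        return;
    }
    return $c->response->redirect('/') unless length $target;
    my $real = $c->user->name;
    $c->log->warn( "sudo: '$real' becoming '$target' from " . $c->request->address );
    # Fresh session so nothing from the admin's session reaches the impersonated
    # user; record who we really are so unsudo can restore it.
    $c->delete_session('sudo');
    $c->session->{real_user} = $real;
    unless ( $c->authenticate( { name => $target }, 'admin' ) ) {
        $c->log->warn("sudo: no such user '$target'");
        return $c->response->redirect('/admin/unsudo');
    }
    $c->response->redirect('/account/manage');
}

sub unsudo : Local {
    my ( $self, $c ) = @_;
    my $real = $c->session->{real_user}
        or return $c->response->redirect('/');
    $c->log->warn("sudo: returning to '$real'");
    $c->delete_session('unsudo');
    # Re-enter the real account through the same passwordless realm: the
    # "go back and forth with a single authenticate" from the thread.
    $c->authenticate( { name => $real }, 'admin' );
    $c->response->redirect('/');
}

__PACKAGE__->meta->make_immutable;
1;
```

The 'admin' realm never checks a password, so the role check and the real_user guard in sudo are the only things standing between any authenticated user and any account; keep the realm reachable from nowhere else.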




[Catalyst] How to sudo using the Authentication plugin

2012-05-11 Thread Robert Rothenberg
We're working on an application with a lot of users, and where the passwords
are encrypted (and future versions may also allow OpenID logins).

Developers would like the ability for the root user to be able to become
another user, for the purposes of debugging problems that real users might
be having on a live system.

How does one do this using the Authentication plugin?

Obvious things to try like the $c->user($new_user) doesn't work, nor does
the (internal) $c->set_authenticated($user, $real) method.





Re: [Catalyst] How to sudo using the Authentication plugin

2012-05-11 Thread Tomas Doran


The recommended approach would be to keep $c->user 'pure', and to arrange to 
stash the current user in a top level base chain part, or top level auto.

If everything then subsequently uses $c->stash->{current_user} - then you can 
do your sudo (or whatever other mechanism you may need in future) simply by 
swapping out the user here.

This makes things a lot more pure - as the canonical user that $c->user will 
give you is (more) immutable..

Also, if you swap the 'canonical' user part way through the request - when the 
session plugin comes to re-serialize the session at the end of request - you're 
pretty stuffed, as you're now writing out the wrong user… I.e. re-sudoing, or 
doing any root level action is likely to require you to log out and log in 
again - not what you actually want! :)

Cheers
t0m

