rPath Appliance Platform Agent:External Authentication
From rPath Wiki
rPath Appliance Platform Agent (rAPA) provides developers with the option to use external authentication in place of the built-in authentication. When a user logs in to the Appliance Platform web interface, the Appliance calls the identity provider's validate_identity method. If the credentials are valid, the method returns an IdentityObject; if the credentials are not correct, the method returns None.
External authentication for rAPA is developed as a Python library which employs setuptools for build and deployment. This library may contain a single object, or it may incorporate other [[rPath Appliance Platform Agent:Plugins|rAPA plugins]] as required. Some documentation about setuptools is provided here. The library should include an identity provider object, and an appliance should have a custom configuration that points to the object for authentication.
Identity Provider Object
The custom identity provider object should either inherit from raa.identity.IdentityProvider or it should explicitly define particular methods it would otherwise inherit. The following is the list of methods that must be inherited or defined:
| Method | Description |
|---|---|
| encrypt_password(self, passwd) | Take the password and return an "encrypted" version; this is actually the password hashing function, such as MD5 or SHA1, perhaps with a salt |
| create_provider_model(self) | This should not be used |
| anonymous_identity(self) | Return an object with the following properties: |
| validate_identity(self, userName, password, visitKey) | Look up the identity represented by userName and determine whether the password is correct; returns either None if the credentials are invalid or an object with the following properties: This is the principal method for identifying users; most authentication systems will only need to override the _check_password method below. |
| load_identity(self, visitKey) | Return an identity object based on the browser's visitKey; this should not be necessary |
| authenticated_identity(self, userName) | Return an identity object for the userName specified as if they had logged in successfully; used by the user management framework when doing per-user operations; modifications to this method should not be necessary |
| add_user(self, userName, provider, group=None, groupDesc=None) | Create or register a new user with the identity framework |
| add_group(self, group, groupDesc) | Create or register a new group with the identity framework |
| set_user_groups(self, user, groups) | Associate the given user with the groups specified; all groups to which the user belongs should be listed in groups; the user will be removed from groups not specified |
| set_group_permissions(self, groupName, permissions) | Set the permissions, or roles, that a group enables; all permissions should be specified, as the permissions list is cleared before setting the new permissions |
| list_groups(self) | List all groups known by the identity system |
| list_permissions(self, groupName) | List all permissions the groupName grants |
| delete_user(self, userName) | Delete the user specified by userName and return the deleted UID |
| delete_group(self, groupName) | Delete the group specified by groupName and return the deleted GID; the admin group cannot be deleted |
| all_users(self) | List all users known to the identity system; return a list of dictionaries with the keys username, groups |
| all_groups(self) | List all groups known to the identity system; return a list of group names |
| all_permissions(self) | List all permissions registered with the identity system; return a list of descriptions as strings |
| set_password(self, user, password) | Change the password for the user specified; this could be just changing a record in a database, or it could involve more modifications if a callout to another system is required; this should be overridden |
| _check_password(self, user, password) | Validate the user and password; this is called from validate_identity, and thus should be overridden to validate the credentials against the external authentication system |
| _initUsers(self) | Called by the framework when the system is started; should be implemented to create the first user that is allowed to log in, perhaps through a configuration parameter |

The pam plugin is an example of how an identity provider object can be written for external authentication. The plugin is available in the development environment file raa/identity/pam/__init__.py.
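The following is an added example, not rAPA's own code or its pam plugin: a standalone identity provider that explicitly defines the methods from the table above instead of inheriting them. The external user store, the startup configuration and the shape of the returned identity object (a `user_name` attribute) are assumptions for this example; the hashing scheme (salted PBKDF2-SHA256) is one possible choice for encrypt_password.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the external authentication system: username -> "salthex$digesthex".
_EXTERNAL_STORE = {}

# Constructed configuration from which _initUsers creates the first permitted user.
_CONFIG = {'first_user': 'admin', 'first_password': 'example-only'}


class _Identity(object):
    """Assumed minimal identity object; rAPA's real object carries more properties."""
    def __init__(self, user_name):
        self.user_name = user_name


class ExampleIdentityProvider(object):
    """Hypothetical provider defining the methods it would otherwise inherit."""

    def _hash(self, passwd, salt):
        # Salted, iterated hash so equal passwords do not share a digest.
        return hashlib.pbkdf2_hmac('sha256', passwd.encode('utf-8'), salt, 100000)

    def encrypt_password(self, passwd):
        # Returns the stored form: fresh random salt plus digest, both hex-encoded.
        salt = os.urandom(16)
        return salt.hex() + '$' + self._hash(passwd, salt).hex()

    def _check_password(self, user, password):
        # Validates against the external store; unknown users fail closed.
        stored = _EXTERNAL_STORE.get(user)
        if stored is None:
            return False
        salt_hex, digest_hex = stored.split('$', 1)
        actual = self._hash(password, bytes.fromhex(salt_hex)).hex()
        return hmac.compare_digest(actual, digest_hex)

    def authenticated_identity(self, userName):
        return _Identity(userName)

    def validate_identity(self, userName, password, visitKey):
        # Principal entry point: identity object on success, None otherwise.
        if self._check_password(userName, password):
            return self.authenticated_identity(userName)
        return None

    def _initUsers(self):
        # Called at startup: register the first user allowed to log in.
        if _CONFIG['first_user'] not in _EXTERNAL_STORE:
            _EXTERNAL_STORE[_CONFIG['first_user']] = self.encrypt_password(_CONFIG['first_password'])
```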
Configuration Directive
As with other rPath Appliance Platform Agent plugins, add directives to custom.cfg to modify Appliance behavior. To ensure that the Appliance Platform uses the custom identity provider object to provide authentication, include the raa.identity.current_provider line in that file.
The value for this directive is determined by entry points registered with the setuptools framework. Developers should leverage the setup code to register the custom identity provider class under the raa.identity.current_provider entry point used by rPath Appliance Platform. For example, the pam class is registered as pam_identity in the following entry point code in the Appliance Platform's setup.py:
```
entry_points='''[raa.identity.current_provider]
tools.identity_tool.provider = "raa_identity"
tools.identity_tool.provider_paths = ["raa/identity/builtin", "raa/identity/pam"]'''
```
This default configuration indicates that all the modules under raa/identity/builtin and raa/identity/pam will be imported until an identity provider class is found (such as class.name == "raa_identity").
To specify the PAM identity provider, use custom configuration to override these defaults. The name under which the provider is registered is the value needed for the raa.identity.current_provider directive in custom.cfg:
```
tools.identity_tool.provider = "pam_identity"
```
