Update remote-user-* config files

openshift · Jan 14, 2014 · 80b77f0 · 80b77f0
1 parent fc4362a
commit 80b77f0
Show file tree

Hide file tree

Showing 3 changed files with 183 additions and 71 deletions.
diff --git a/templates/broker/plugins/auth/basic/openshift-origin-auth-remote-user-basic.conf.erb b/templates/broker/plugins/auth/basic/openshift-origin-auth-remote-user-basic.conf.erb
@@ -3,53 +3,76 @@ LoadModule authn_file_module modules/mod_authn_file.so
 LoadModule authz_user_module modules/mod_authz_user.so
 
 <Location /broker>
-    AuthName "OpenShift broker API"
-    AuthType Basic
-    AuthUserFile /etc/openshift/htpasswd
-
-    SetEnvIfNoCase Authorization Bearer passthrough
-
-    # The node->broker auth is handled in the Ruby code
-    BrowserMatchNoCase ^OpenShift passthrough
-    # Console traffic will hit the local port.  mod_proxy will set this header automatically.
-    SetEnvIf X-Forwarded-For "^$" local_traffic=1
-    # Turn the Console output header into the Apache environment variable for the broker remote-user plugin
-    SetEnvIf X-Remote-User "(..*)" REMOTE_USER=$1
-
-    <IfVersion >= 2.4>
-        <RequireAny>
-            Require valid-user
-            Require env local_traffic passthrough
-        </RequireAny>
-    </IfVersion>
-
-    <IfVersion < 2.4>
-        Require valid-user
-        Allow from env=local_traffic
-        Allow from env=passthrough
-
-        Order Deny,Allow
-        Deny from all
-        Satisfy any
-    </IfVersion>
+  AuthName "OpenShift broker API"
+  AuthType Basic
+  AuthUserFile /etc/openshift/htpasswd
+  require valid-user
 
+  SetEnvIfNoCase Authorization Bearer passthrough
+
+  # The node->broker auth is handled in the Ruby code
+  BrowserMatchNoCase ^OpenShift passthrough
+
+  <IfVersion >= 2.4>
+    Require env passthrough
+  </IfVersion>
+  <IfVersion < 2.4>
+    Allow from env=passthrough
+  </IfVersion>
+
+  # Console traffic will hit the local port.  mod_proxy will set this header automatically.
+  SetEnvIf X-Forwarded-For "^$" local_traffic=1
+  # Turn the Console output header into the Apache environment variable for the broker remote-user plugin
+  SetEnvIf X-Remote-User "(..*)" REMOTE_USER=$1
+
+  <IfVersion >= 2.4>
+    Require env local_traffic
+  </IfVersion>
+  <IfVersion < 2.4>
+    Allow from env=local_traffic
+  </IfVersion>
+
+  # Broker auth based on iv/token generated and verified by broker
+  SetEnvIf broker_auth_key "^[A-Za-z0-9+/=]+$" BROKER_AUTH=1
+
+  <IfVersion >= 2.4>
+    Require env BROKER_AUTH
+  </IfVersion>
+  <IfVersion < 2.4>
+    Allow from env=BROKER_AUTH
+  </IfVersion>
+
+  <IfVersion < 2.4>
+    Order Deny,Allow
+    Deny from all
+    Satisfy any
+  </IfVersion>
 </Location>
 
 # The following APIs do not require auth:
 <Location /broker/rest/cartridges*>
-    <IfVersion >= 2.4>
-        Require all granted
-    </IfVersion>
-    <IfVersion < 2.4>
-        Allow from all
-    </IfVersion>
+  <IfVersion >= 2.4>
+    Require all granted
+  </IfVersion>
+  <IfVersion < 2.4>
+    Allow from all
+  </IfVersion>
 </Location>
 
 <Location /broker/rest/api*>
-    <IfVersion >= 2.4>
-        Require all granted
-    </IfVersion>
-    <IfVersion < 2.4>
-        Allow from all
-    </IfVersion>
+  <IfVersion >= 2.4>
+    Require all granted
+  </IfVersion>
+  <IfVersion < 2.4>
+    Allow from all
+  </IfVersion>
+</Location>
+
+<Location /broker/rest/environment*>
+  <IfVersion >= 2.4>
+    Require all granted
+  </IfVersion>
+  <IfVersion < 2.4>
+    Allow from all
+  </IfVersion>
 </Location>
diff --git a/templates/broker/plugins/auth/kerberos/openshift-origin-auth-remote-user-kerberos.conf.erb b/templates/broker/plugins/auth/kerberos/openshift-origin-auth-remote-user-kerberos.conf.erb
@@ -1,37 +1,84 @@
+# Provided by the mod_auth_kerb package
 LoadModule auth_basic_module modules/mod_auth_basic.so
 LoadModule authz_user_module modules/mod_authz_user.so
 LoadModule auth_kerb_module modules/mod_auth_kerb.so
-
 <Location /broker>
-    AuthName "OpenShift"
-    AuthType Kerberos
-    KrbMethodNegotiate On
-    KrbMethodK5Passwd On
-    KrbServiceName HTTP/<%= scope.lookupvar('::openshift_origin::broker_krb_service_name') %>
-    KrbAuthRealms <%= scope.lookupvar('::openshift_origin::broker_krb_auth_realms') %>
-    Krb5KeyTab <%= scope.lookupvar('::openshift_origin::broker_krb_keytab') %>
-    Require valid-user
-
-    SetEnvIfNoCase Authorization Bearer passthrough
-
-    # The node->broker auth is handled in the Ruby code
-    BrowserMatch Openshift passthrough
+  AuthName "OpenShift broker API"
+  AuthType Kerberos
+  KrbMethodNegotiate On
+  KrbMethodK5Passwd On
+  # The KrbLocalUserMapping enables conversion to local users, using
+  # auth_to_local rules in /etc/krb5.conf. By default it strips the
+  # @REALM part. See krb5.conf(5) for details how to set up specific rules.
+  KrbLocalUserMapping On
+  KrbServiceName HTTP/<%= scope.lookupvar('::openshift_origin::broker_krb_service_name') %>
+  KrbAuthRealms <%= scope.lookupvar('::openshift_origin::broker_krb_auth_realms') %>
+  Krb5KeyTab <%= scope.lookupvar('::openshift_origin::broker_krb_keytab') %>
+  require valid-user
+
+  SetEnvIfNoCase Authorization Bearer passthrough
+
+  # The node->broker auth is handled in the Ruby code
+  BrowserMatchNoCase ^OpenShift passthrough
+  <IfVersion >= 2.4>
+    Require env passthrough
+  </IfVersion>
+  <IfVersion < 2.4>
     Allow from env=passthrough
+  </IfVersion>
+
+  # Console traffic will hit the local port.  mod_proxy will set this header automatically.
+  SetEnvIf X-Forwarded-For "^$" local_traffic=1
+  # Turn the Console output header into the Apache environment variable for the broker remote-user plugin
+  SetEnvIf X-Remote-User "(..*)" REMOTE_USER=$1
+  <IfVersion >= 2.4>
+    Require env local_traffic
+  </IfVersion>
+  <IfVersion < 2.4>
+    Allow from env=local_traffic
+  </IfVersion>
+
+  # Broker auth based on iv/token generated and verified by broker
+  SetEnvIf broker_auth_key "^[A-Za-z0-9+/=]+$" BROKER_AUTH=1
+
+  <IfVersion >= 2.4>
+    Require env BROKER_AUTH
+  </IfVersion>
+  <IfVersion < 2.4>
+    Allow from env=BROKER_AUTH
+  </IfVersion>
 
+  <IfVersion < 2.4>
     Order Deny,Allow
     Deny from all
     Satisfy any
+  </IfVersion>
 </Location>
 
 # The following APIs do not require auth:
-<Location /broker/rest/application_templates*>
-    Allow from all
-</Location>
-
 <Location /broker/rest/cartridges*>
+  <IfVersion >= 2.4>
+    Require all granted
+  </IfVersion>
+  <IfVersion < 2.4>
     Allow from all
+  </IfVersion>
 </Location>
 
 <Location /broker/rest/api*>
+  <IfVersion >= 2.4>
+    Require all granted
+  </IfVersion>
+  <IfVersion < 2.4>
     Allow from all
+  </IfVersion>
 </Location>
+
+<Location /broker/rest/environment*>
+  <IfVersion >= 2.4>
+    Require all granted
+  </IfVersion>
+  <IfVersion < 2.4>
+    Allow from all
+  </IfVersion>
+</Location>
diff --git a/templates/broker/plugins/auth/ldap/openshift-origin-auth-remote-user-ldap.conf.erb b/templates/broker/plugins/auth/ldap/openshift-origin-auth-remote-user-ldap.conf.erb
@@ -11,34 +11,76 @@ LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
 # LDAPCacheTTL 0
 
 <Location /broker>
-    AuthName "OpenShift broker API"
-    AuthType Basic
-    AuthBasicProvider ldap
-    AuthLDAPURL "<%= scope.lookupvar('::openshift_origin::broker_ldap_uri') %>?uid?sub?(objectClass=*)"
-    require valid-user
+  AuthName "OpenShift broker API"
+  AuthType Basic
+  AuthBasicProvider ldap
+  AuthLDAPURL "<%= scope.lookupvar('::openshift_origin::broker_ldap_uri') %>?uid?sub?(objectClass=*)"
+  require valid-user
 
-    SetEnvIfNoCase Authorization Bearer passthrough
+  SetEnvIfNoCase Authorization Bearer passthrough
 
-    # The node->broker auth is handled in the Ruby code
-    BrowserMatchNoCase ^OpenShift passthrough
+  # The node->broker auth is handled in the Ruby code
+  BrowserMatchNoCase ^OpenShift passthrough
+  <IfVersion >= 2.4>
+    Require env passthrough
+  </IfVersion>
+  <IfVersion < 2.4>
     Allow from env=passthrough
+  </IfVersion>
 
-    # Console traffic will hit the local port.  mod_proxy will set this header automatically.
-    SetEnvIf X-Forwarded-For "^$" local_traffic=1
-    # Turn the Console output header into the Apache environment variable for the broker remote-user plugin
-    SetEnvIf X-Remote-User "(..*)" REMOTE_USER=$1
+  # Console traffic will hit the local port.  mod_proxy will set this header automatically.
+  SetEnvIf X-Forwarded-For "^$" local_traffic=1
+  # Turn the Console output header into the Apache environment variable for the broker remote-user plugin
+  SetEnvIf X-Remote-User "(..*)" REMOTE_USER=$1
+  <IfVersion >= 2.4>
+    Require env local_traffic
+  </IfVersion>
+  <IfVersion < 2.4>
     Allow from env=local_traffic
+  </IfVersion>
 
+
+  # Broker auth based on iv/token generated and verified by broker
+  SetEnvIf broker_auth_key "^[A-Za-z0-9+/=]+$" BROKER_AUTH=1
+
+  <IfVersion >= 2.4>
+    Require env BROKER_AUTH
+  </IfVersion>
+  <IfVersion < 2.4>
+    Allow from env=BROKER_AUTH
+  </IfVersion>
+
+  <IfVersion < 2.4>
     Order Deny,Allow
     Deny from all
     Satisfy any
+  </IfVersion>
 </Location>
 
 # The following APIs do not require auth:
 <Location /broker/rest/cartridges*>
+  <IfVersion >= 2.4>
+    Require all granted
+  </IfVersion>
+  <IfVersion < 2.4>
     Allow from all
+  </IfVersion>
 </Location>
 
 <Location /broker/rest/api*>
+  <IfVersion >= 2.4>
+    Require all granted
+  </IfVersion>
+  <IfVersion < 2.4>
+    Allow from all
+  </IfVersion>
+</Location>
+
+<Location /broker/rest/environment*>
+  <IfVersion >= 2.4>
+    Require all granted
+  </IfVersion>
+  <IfVersion < 2.4>
     Allow from all
+  </IfVersion>
 </Location>