From 80b77f07f80ae93eb296d3a659d85ce3a2088235 Mon Sep 17 00:00:00 2001 From: Krishna Raman Date: Tue, 14 Jan 2014 10:13:52 -0800 Subject: [PATCH] Update remote-user-* config files --- ...ift-origin-auth-remote-user-basic.conf.erb | 105 +++++++++++------- ...-origin-auth-remote-user-kerberos.conf.erb | 83 +++++++++++--- ...hift-origin-auth-remote-user-ldap.conf.erb | 66 +++++++++-- 3 files changed, 183 insertions(+), 71 deletions(-) diff --git a/templates/broker/plugins/auth/basic/openshift-origin-auth-remote-user-basic.conf.erb b/templates/broker/plugins/auth/basic/openshift-origin-auth-remote-user-basic.conf.erb index 06783fc2..8a98696b 100644 --- a/templates/broker/plugins/auth/basic/openshift-origin-auth-remote-user-basic.conf.erb +++ b/templates/broker/plugins/auth/basic/openshift-origin-auth-remote-user-basic.conf.erb 
@@ -3,53 +3,76 @@ LoadModule authn_file_module modules/mod_authn_file.so LoadModule authz_user_module modules/mod_authz_user.so - AuthName "OpenShift broker API" - AuthType Basic - AuthUserFile /etc/openshift/htpasswd - - SetEnvIfNoCase Authorization Bearer passthrough - - # The node->broker auth is handled in the Ruby code - BrowserMatchNoCase ^OpenShift passthrough - # Console traffic will hit the local port. mod_proxy will set this header automatically. - SetEnvIf X-Forwarded-For "^$" local_traffic=1 - # Turn the Console output header into the Apache environment variable for the broker remote-user plugin - SetEnvIf X-Remote-User "(..*)" REMOTE_USER=$1 - - = 2.4> - - Require valid-user - Require env local_traffic passthrough - - - - - Require valid-user - Allow from env=local_traffic - Allow from env=passthrough - - Order Deny,Allow - Deny from all - Satisfy any - + AuthName "OpenShift broker API" + AuthType Basic + AuthUserFile /etc/openshift/htpasswd + require valid-user + SetEnvIfNoCase Authorization Bearer passthrough + + # The node->broker auth is handled in the Ruby code + BrowserMatchNoCase ^OpenShift passthrough + + = 2.4> + Require env passthrough + + + Allow from env=passthrough + + + # Console traffic will hit the local port. mod_proxy will set this header automatically. 
+ SetEnvIf X-Forwarded-For "^$" local_traffic=1 + # Turn the Console output header into the Apache environment variable for the broker remote-user plugin + SetEnvIf X-Remote-User "(..*)" REMOTE_USER=$1 + + = 2.4> + Require env local_traffic + + + Allow from env=local_traffic + + + # Broker auth based on iv/token generated and verified by broker + SetEnvIf broker_auth_key "^[A-Za-z0-9+/=]+$" BROKER_AUTH=1 + + = 2.4> + Require env BROKER_AUTH + + + Allow from env=BROKER_AUTH + + + + Order Deny,Allow + Deny from all + Satisfy any + # The following APIs do not require auth: - = 2.4> - Require all granted - - - Allow from all - + = 2.4> + Require all granted + + + Allow from all + - = 2.4> - Require all granted - - - Allow from all - + = 2.4> + Require all granted + + + Allow from all + + + + + = 2.4> + Require all granted + + + Allow from all + \ No newline at end of file diff --git a/templates/broker/plugins/auth/kerberos/openshift-origin-auth-remote-user-kerberos.conf.erb b/templates/broker/plugins/auth/kerberos/openshift-origin-auth-remote-user-kerberos.conf.erb index 336f8f8a..e16c6fe7 100644 --- a/templates/broker/plugins/auth/kerberos/openshift-origin-auth-remote-user-kerberos.conf.erb +++ b/templates/broker/plugins/auth/kerberos/openshift-origin-auth-remote-user-kerberos.conf.erb 
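Review bot: The new `SetEnvIf broker_auth_key "^[A-Za-z0-9+/=]+$" BROKER_AUTH=1` followed by `Require env BROKER_AUTH` (and `Allow from env=BROKER_AUTH` under 2.2 with `Satisfy any`) grants the location to any request whose `broker_auth_key` header merely matches the base64 character class, so Apache performs no authentication on that path and the broker's own verification is the only check; the same block is added in the kerberos and ldap hunks. That is evidently a deliberate passthrough like the Bearer one, but the comment should state the contract, e.g. `# Apache only validates the header's character set; the broker MUST reject the request if the iv/token fails verification rather than falling back to REMOTE_USER`. It also interacts with `SetEnvIf X-Remote-User "(..*)" REMOTE_USER=$1`, which is evaluated for every request rather than only for console traffic, so a request that reaches this listener directly with no X-Forwarded-For header is granted via local_traffic with a REMOTE_USER taken from the caller; whether that is reachable depends on how the broker port is exposed, which this template does not show. If the port is not strictly loopback-only, consider restricting the local_traffic path with `Require ip 127.0.0.1 ::1` (`Allow from 127.0.0.1` on 2.2) in addition to the env check. The Location and IfVersion container tags are not visible in this rendering, so the exact scope of each Require cannot be confirmed from the hunk.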
@@ -1,37 +1,84 @@ +# Provided by the mod_auth_kerb package LoadModule auth_basic_module modules/mod_auth_basic.so LoadModule authz_user_module modules/mod_authz_user.so LoadModule auth_kerb_module modules/mod_auth_kerb.so - - AuthName "OpenShift" - AuthType Kerberos - KrbMethodNegotiate On - KrbMethodK5Passwd On - KrbServiceName HTTP/<%= scope.lookupvar('::openshift_origin::broker_krb_service_name') %> - KrbAuthRealms <%= scope.lookupvar('::openshift_origin::broker_krb_auth_realms') %> - Krb5KeyTab <%= scope.lookupvar('::openshift_origin::broker_krb_keytab') %> - Require valid-user - - SetEnvIfNoCase Authorization Bearer passthrough - - # The node->broker auth is handled in the Ruby code - BrowserMatch Openshift passthrough + AuthName "OpenShift broker API" + AuthType Kerberos + KrbMethodNegotiate On + KrbMethodK5Passwd On + # The KrbLocalUserMapping enables conversion to local users, using + # auth_to_local rules in /etc/krb5.conf. By default it strips the + # @REALM part. See krb5.conf(5) for details how to set up specific rules. + KrbLocalUserMapping On + KrbServiceName HTTP/<%= scope.lookupvar('::openshift_origin::broker_krb_service_name') %> + KrbAuthRealms <%= scope.lookupvar('::openshift_origin::broker_krb_auth_realms') %> + Krb5KeyTab <%= scope.lookupvar('::openshift_origin::broker_krb_keytab') %> + require valid-user + + SetEnvIfNoCase Authorization Bearer passthrough + + # The node->broker auth is handled in the Ruby code + BrowserMatchNoCase ^OpenShift passthrough + = 2.4> + Require env passthrough + + Allow from env=passthrough + + + # Console traffic will hit the local port. mod_proxy will set this header automatically. 
+ SetEnvIf X-Forwarded-For "^$" local_traffic=1 + # Turn the Console output header into the Apache environment variable for the broker remote-user plugin + SetEnvIf X-Remote-User "(..*)" REMOTE_USER=$1 + = 2.4> + Require env local_traffic + + + Allow from env=local_traffic + + + # Broker auth based on iv/token generated and verified by broker + SetEnvIf broker_auth_key "^[A-Za-z0-9+/=]+$" BROKER_AUTH=1 + + = 2.4> + Require env BROKER_AUTH + + + Allow from env=BROKER_AUTH + + Order Deny,Allow Deny from all Satisfy any + # The following APIs do not require auth: - - Allow from all - - + = 2.4> + Require all granted + + Allow from all + + = 2.4> + Require all granted + + Allow from all + + + + = 2.4> + Require all granted + + + Allow from all + + \ No newline at end of file diff --git a/templates/broker/plugins/auth/ldap/openshift-origin-auth-remote-user-ldap.conf.erb b/templates/broker/plugins/auth/ldap/openshift-origin-auth-remote-user-ldap.conf.erb index 19786190..59a69ea4 100644 --- a/templates/broker/plugins/auth/ldap/openshift-origin-auth-remote-user-ldap.conf.erb +++ b/templates/broker/plugins/auth/ldap/openshift-origin-auth-remote-user-ldap.conf.erb 
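Review bot: `KrbLocalUserMapping On` strips the realm from the authenticated principal before it becomes REMOTE_USER, while `KrbAuthRealms` is rendered from `broker_krb_auth_realms`, which may hold more than one realm; if it does, same-named principals from different realms collapse to a single broker user unless the `auth_to_local` rules in `/etc/krb5.conf` keep them distinct. The new comment above the directive explains the default stripping but not this consequence; add a line such as `# With more than one realm in KrbAuthRealms, the default mapping merges same-named principals; use auth_to_local rules that keep realms distinct.` Whether a single realm is configured here cannot be determined from the hunk, since the value comes from the Puppet scope and the enclosing Location tags are not visible in this rendering.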
@@ -11,34 +11,76 @@ LoadModule authnz_ldap_module modules/mod_authnz_ldap.so # LDAPCacheTTL 0 - AuthName "OpenShift broker API" - AuthType Basic - AuthBasicProvider ldap - AuthLDAPURL "<%= scope.lookupvar('::openshift_origin::broker_ldap_uri') %>?uid?sub?(objectClass=*)" - require valid-user + AuthName "OpenShift broker API" + AuthType Basic + AuthBasicProvider ldap + AuthLDAPURL "<%= scope.lookupvar('::openshift_origin::broker_ldap_uri') %>?uid?sub?(objectClass=*)" + require valid-user - SetEnvIfNoCase Authorization Bearer passthrough + SetEnvIfNoCase Authorization Bearer passthrough - # The node->broker auth is handled in the Ruby code - BrowserMatchNoCase ^OpenShift passthrough + # The node->broker auth is handled in the Ruby code + BrowserMatchNoCase ^OpenShift passthrough + = 2.4> + Require env passthrough + + Allow from env=passthrough + - # Console traffic will hit the local port. mod_proxy will set this header automatically. - SetEnvIf X-Forwarded-For "^$" local_traffic=1 - # Turn the Console output header into the Apache environment variable for the broker remote-user plugin - SetEnvIf X-Remote-User "(..*)" REMOTE_USER=$1 + # Console traffic will hit the local port. mod_proxy will set this header automatically. + SetEnvIf X-Forwarded-For "^$" local_traffic=1 + # Turn the Console output header into the Apache environment variable for the broker remote-user plugin + SetEnvIf X-Remote-User "(..*)" REMOTE_USER=$1 + = 2.4> + Require env local_traffic + + Allow from env=local_traffic + + + # Broker auth based on iv/token generated and verified by broker + SetEnvIf broker_auth_key "^[A-Za-z0-9+/=]+$" BROKER_AUTH=1 + + = 2.4> + Require env BROKER_AUTH + + + Allow from env=BROKER_AUTH + + + Order Deny,Allow Deny from all Satisfy any + # The following APIs do not require auth: + = 2.4> + Require all granted + + Allow from all + + = 2.4> + Require all granted + + + Allow from all + + + + + = 2.4> + Require all granted + + Allow from all + \ No newline at end of file