[server] ip-based auth

Tarek Ziade tarek at mozilla.com
Wed Oct 12 06:11:01 PDT 2011


On 10/12/2011 08:00 AM, Ryan Kelly wrote:
>> Notice that the is_local() function should probably get integrated into
>> a per-ip authentication plugin in repoze.who, that could be configured
>> with a whitelist of IP and/or "local" (meaning the same box).  Ryan: for
>> the per-ip auth, it would be a good idea to be able to do ranges. I have
>> used a neat lib in keyex for this, http://pypi.python.org/pypi/IPy  . I
>> recommend it
> I've implemented a basic ip-address-based auth plugin in my github branch:
>
>     https://github.com/rfk/demoapp

Awesome

> (By the way, can I please be part of the moz-services org on github?)
I'm a bit lost in the Github interface. I've tried to add "teams" in our 
org so we could give write access to all members, per-project or 
globally, but it looks like I don't have the rights.

I'll defer this to Mike or Philikon

> It can be configured like so:
>
>      [who:plugin:mozipauth]
>      use = demoapp.security:IPAuthPlugin.from_config
>      ipranges = 123.123.0.0/16
>      userid = moz
>
>      [who:authenticators]
>      plugins = mozipauth
>
> This says that any request coming from 123.123.*.* will be authenticated
> as the user "moz" without any further effort or credentials checking.
>
> You can include multiple non-contiguous ranges as a space-separated
> list, or use the special range "local" to mean the same machine that the
> server is currently running from.
>
> By default the plugin does not respect the X-Forwarded-For header since
> it can be easy to spoof.  The "trusted_proxies" attribute can be used to
> specify proxies from whom X-Forwarded-For should be trusted.
>
> You can also add identity metadata based on originating IP instead of
> (or as well as) authenticating as a specific user.  For example, this
> will add "moz:localhost" as a security principal to all requests
> originating on the same machine as the server:
>
>      [who:plugin:localipauth]
>      use = demoapp.security:IPAuthPlugin.from_config
>      ipranges = local
>      metadata = {"mozsvc.groups": ["moz:localhost"]}
>
>      [who:mdproviders]
>      plugins = localipauth
>
> With this configuration in place, the is_local() check can become:
>
>      if "moz:localhost" not in effective_principals(request):
>          raise NotFound()
>
>
> This all seems to work, but I'm not sure that repoze.who is the best
> place for things like "is this a request from the local machine?".
> These sorts of checks aren't really about *identity* as such, they're
> additional metadata checks on the context of the request.

I am not sure we want to introduce the notion of groups in the core, 
since it can be quite specific to the apps we'll build.

And repoze.what is mostly about the storage and management of user/group 
data.

Having an "authenticated user" object tied to the request seems good 
enough, no matter how the authentication occurred.

I'd be inclined to avoid extra complexity for now


> So it may be worth creating another extensibility point to capture these
> sorts of things - perhaps an authorization framework based on repoze.what:
>
>     http://what.repoze.org/docs/1.0/
>
> Unfortunately repoze.what doesn't appear to be compatible with the
> latest release of repoze.who, so I'm still investigating the options
> there.  There also doesn't appear to be a ready-built pyramid adapter
> like there is for repoze.who.
>
> Anyway, it's a start.  Thoughts?
>
>
>      Ryan
>
>
>
> _______________________________________________
> Services-dev mailing list
> Services-dev at mozilla.org
> https://mail.mozilla.org/listinfo/services-dev


-- 
Tarek Ziade - Mozilla Services
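The plugin behaviour Ryan describes above (CIDR ranges, the "local" pseudo-range, X-Forwarded-For ignored unless the peer is a trusted proxy, and metadata-only mode that feeds an is_local() style check) sketched as a stand-alone example. This is added illustration, not code from the demoapp branch or from repoze.who; it uses the standard-library ipaddress module instead of IPy, treats "local" as the loopback networks only (an assumption; the real plugin may enumerate interface addresses), and the class, method and parameter names are invented to mirror the config keys in the mail.

```python
import ipaddress

# Assumption: "local" means loopback; a real plugin might also list interface IPs.
LOCAL_RANGES = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]


def parse_ranges(spec):
    """Turn a space-separated string of CIDR ranges (or 'local') into networks."""
    nets = []
    for token in spec.split():
        if token == "local":
            nets.extend(LOCAL_RANGES)
        else:
            nets.append(ipaddress.ip_network(token, strict=False))
    return nets


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def effective_client_ip(environ, trusted_proxies):
    """Pick the address to authorise on.

    REMOTE_ADDR is the TCP peer and is not forgeable by a plain HTTP client.
    X-Forwarded-For is honoured only when that peer is a trusted proxy, and
    then we walk the header from the right (the hop the proxy itself saw)
    rather than taking the leftmost entry, which the client fully controls.
    """
    peer = ipaddress.ip_address(environ["REMOTE_ADDR"])
    xff = environ.get("HTTP_X_FORWARDED_FOR", "")
    if not xff or not _in_any(peer, trusted_proxies):
        return peer
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer  # malformed header value: fall back to the peer
        if not _in_any(addr, trusted_proxies):
            return addr
    return peer  # every hop was one of our proxies


class IPAuthPlugin:
    """Hypothetical plugin mirroring the ipranges/userid/metadata/trusted_proxies keys."""

    def __init__(self, ipranges, userid=None, metadata=None, trusted_proxies=""):
        self.ipranges = parse_ranges(ipranges)
        self.userid = userid
        self.metadata = metadata or {}
        self.trusted_proxies = parse_ranges(trusted_proxies)

    def matches(self, environ):
        return _in_any(effective_client_ip(environ, self.trusted_proxies), self.ipranges)

    def authenticate(self, environ):
        """Authenticator role: return userid for requests from ipranges, else None."""
        if self.userid and self.matches(environ):
            return self.userid
        return None

    def add_metadata(self, environ, identity):
        """Metadata-provider role: attach groups/principals for matching origins."""
        if self.matches(environ):
            identity.update(self.metadata)


def is_local(identity):
    """The check from the mail, over the identity dict the metadata provider filled."""
    return "moz:localhost" in identity.get("mozsvc.groups", [])


if __name__ == "__main__":
    # Constructed sample WSGI environs, not captured traffic.
    direct = {"REMOTE_ADDR": "123.123.4.5"}
    via_untrusted = {"REMOTE_ADDR": "198.51.100.9", "HTTP_X_FORWARDED_FOR": "123.123.4.5"}
    via_proxy = {"REMOTE_ADDR": "10.0.0.1", "HTTP_X_FORWARDED_FOR": "123.123.4.5"}
    moz = IPAuthPlugin("123.123.0.0/16", userid="moz", trusted_proxies="10.0.0.0/8")
    print(moz.authenticate(direct), moz.authenticate(via_untrusted), moz.authenticate(via_proxy))
    ident = {}
    IPAuthPlugin("local", metadata={"mozsvc.groups": ["moz:localhost"]}).add_metadata(
        {"REMOTE_ADDR": "127.0.0.1"}, ident)
    print(is_local(ident))
```

The part worth checking in any real deployment is the proxy handling: with no trusted_proxies configured the header is ignored entirely, and even with a trusted proxy the client-supplied leftmost entry of X-Forwarded-For is never what gets matched against ipranges.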
