[Cubicweb] Apache authentication: which CubicWeb API?

Dimitri Papadopoulos Orfanos dimitri.papadopoulos at cea.fr
Sat Oct 5 14:27:56 CEST 2013


Dear list members,

We had already discussed authentication options for an Apache front-end.

I still have a few questions concerning this specific context:
* accounts will be managed within CubicWeb,
* Apache will authenticate against the CubicWeb accounts.

Logilab had suggested Apache should bypass the CubicWeb layer and access 
directly the PostgreSQL layer, querying "cw_login" and "cw_upassword" 
from the "cw_cwuser" table.

Our sysadmins would rather use the CubicWeb layer. Among the benefits of 
this solution, a later migration of CubicWeb accounts to LDAP would not 
impact authentication.

How to access the CubicWeb layer from an Apache front-end running on the 
same server as the CubicWeb repository?
* I have a working prototype of a Python Apache module (see code below) 
that acesses the repository through ZMQ. See code below.
* Spawning a "cubicweb-ctl shell" command from the Apache authentication 
module doesn't look like a clean/robust solution.
* Is there another way to ask CubicWeb to test an identifier/password 
pair? If it helps, remember we are on the same server as the CubicWeb 
repository.



from mod_python import apache
from cubicweb import dbapi
from cubicweb import AuthenticationError

def authenhandler(req):
     pw = req.get_basic_auth_pw()
     user = req.user

     try:
         database = 'zmqpickle-tcp://localhost:8181'
         dbapi.connect(database, login=user, password=pw)
         return apache.OK
     except AuthenticationError:
         return apache.HTTP_UNAUTHORIZED

Regards,
-- 
Dimitri Papadopoulos
CEA/Saclay
I2BM, NeuroSpin
91191 Gif-sur-Yvette cedex, France



More information about the Cubicweb mailing list