[Cubicweb] Apache authentication: which CubicWeb API?

Sylvain Thénault sylvain.thenault at logilab.fr
Mon Oct 7 10:36:36 CEST 2013


On 05 October 14:27, Dimitri Papadopoulos Orfanos wrote:
> Dear list members,

Hi Dimitri,
 
> We had already discussed authentication options for an Apache front-end.
> 
> I still have a few questions concerning this specific context:
> * accounts will be managed within CubicWeb,
> * Apache will authenticate against the CubicWeb accounts.
> 
> Logilab had suggested Apache should bypass the CubicWeb layer and
> access directly the PostgreSQL layer, querying "cw_login" and
> "cw_upassword" from the "cw_cwuser" table.
> 
> Our sysadmins would rather use the CubicWeb layer. Among the
> benefits of this solution, a later migration of CubicWeb accounts to
> LDAP would not impact authentication.

The point of direct SQL access was to use an existing Apache module, but it's
true that in the long run accessing the cubicweb layer is better.

> How to access the CubicWeb layer from an Apache front-end running on
> the same server as the CubicWeb repository?

> * I have a working prototype of a Python Apache module (see code
> below) that accesses the repository through ZMQ. See code below.

> * Spawning a "cubicweb-ctl shell" command from the Apache
> authentication module doesn't look like a clean/robust solution.

Yes, using zmq as you do sounds like the right way to go.

> * Is there another way to ask CubicWeb to test an
> identifier/password pair? If it helps, remember we are on the same
> server as the CubicWeb repository.
 
Is there any problem with the code below? It sounds good to me, besides that you
should close the opened connection before returning.
 
> from mod_python import apache
> from cubicweb import dbapi
> from cubicweb import AuthenticationError
> 
> def authenhandler(req):
>     pw = req.get_basic_auth_pw()
>     user = req.user
> 
>     try:
>         database = 'zmqpickle-tcp://localhost:8181'
>         dbapi.connect(database, login=user, password=pw)
>         return apache.OK
>     except AuthenticationError:
>         return apache.HTTP_UNAUTHORIZED
-- 
Sylvain Thénault, LOGILAB, Paris (01.45.32.03.12) - Toulouse (05.62.17.16.42)
Python, Debian, Agile Methods training:  http://www.logilab.fr/formations
Custom software development:             http://www.logilab.fr/services
CubicWeb, the semantic web framework:    http://www.cubicweb.org
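
Added example (not part of the original message and not CubicWeb's own code): the quoted handler with the connection closed before returning, as the reply suggests, and with repository errors failing closed. `make_authenhandler`, the `Fake*` stand-ins and the `alice` account are constructed for illustration; `close()` on the object returned by `dbapi.connect` and the deployment wiring named in the docstring are assumptions.

```python
REPO_URI = 'zmqpickle-tcp://localhost:8181'  # repository address from the quoted code

def make_authenhandler(connect, auth_error, ok, unauthorized, error):
    """Build an authenhandler; the connect callable and status codes are injected.

    Assumed deployment wiring: dbapi.connect, cubicweb.AuthenticationError,
    apache.OK, apache.HTTP_UNAUTHORIZED, apache.HTTP_INTERNAL_SERVER_ERROR.
    """
    def authenhandler(req):
        pw = req.get_basic_auth_pw()  # mod_python: call this before reading req.user
        user = req.user
        if not user or not pw:
            return unauthorized       # added hardening: no credentials, no lookup
        try:
            cnx = connect(REPO_URI, login=user, password=pw)
        except auth_error:
            return unauthorized
        except Exception:
            return error              # repository unreachable: fail closed
        cnx.close()                   # release the connection before returning
        return ok
    return authenhandler

# Constructed stand-ins so the example runs without mod_python or cubicweb.
OK, HTTP_UNAUTHORIZED, HTTP_INTERNAL_SERVER_ERROR = 0, 401, 500

class FakeAuthError(Exception):
    pass

class FakeConnection:
    open_count = 0                    # connections opened and not yet closed
    def __init__(self):
        FakeConnection.open_count += 1
    def close(self):
        FakeConnection.open_count -= 1

def fake_connect(uri, login, password):
    if (login, password) != ('alice', 's3cret'):   # constructed account
        raise FakeAuthError(login)
    return FakeConnection()

class FakeRequest:
    def __init__(self, user, pw):
        self._user, self._pw, self.user = user, pw, None
    def get_basic_auth_pw(self):
        self.user = self._user        # user is populated by this call
        return self._pw

handler = make_authenhandler(fake_connect, FakeAuthError, OK,
                             HTTP_UNAUTHORIZED, HTTP_INTERNAL_SERVER_ERROR)
```
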


