Module: check_mk
Branch: master
Commit: 0e24304a1458e3725927b34fba74c64f83538ee1
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=0e24304a1458e3…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Mon Feb 25 12:36:14 2013 +0100
New option auth_by_http_header to use the value of an HTTP header variable for
authentication (Useful in reverse proxy environments)
---
ChangeLog | 2 ++
web/htdocs/config.py | 3 +++
web/htdocs/login.py | 24 ++++++++++++++++++------
web/htdocs/sidebar.py | 2 +-
web/plugins/wato/check_mk_configuration.py | 23 +++++++++++++++++++++++
5 files changed, 47 insertions(+), 7 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 33d673e..c5e27bc 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -5,6 +5,8 @@
Multisite:
* New availability view for arbitrary host/service collections
+ * New option auth_by_http_header to use the value of a HTTP header
+ variable for authentication (Useful in reverse proxy environments)
Event Console:
* New rule feature: automatically delete event after actions
diff --git a/web/htdocs/config.py b/web/htdocs/config.py
index 6e94a1f..bf8c5b0 100644
--- a/web/htdocs/config.py
+++ b/web/htdocs/config.py
@@ -561,6 +561,9 @@ def load_default_values(into):
# Maximum livetime of unmodified selections
into["selection_livetime"] = 3600
+ # Configure HTTP header to read usernames from
+ into["auth_by_http_header"] = False
+
# ____ ___
# | __ )_ _|
# | _ \| |
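Review bot: The comment above the new default, `# Configure HTTP header to read usernames from`, does not say what the value domain is; login.py tests the value for truthiness and then uses it as a header name, so False means "disabled" and the enabled value is the header name. I would write `# Name of the HTTP request header to take the authenticated username from; False disables header authentication`. The WATO valuespec for this option is an Optional(TextAscii), so the value it writes when the option is switched off is presumably None rather than False — worth confirming that both read as disabled everywhere the option is tested. load_default_values starts outside the hunk.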
diff --git a/web/htdocs/login.py b/web/htdocs/login.py
index 8af8b71..4c4d7b6 100644
--- a/web/htdocs/login.py
+++ b/web/htdocs/login.py
@@ -91,6 +91,14 @@ def set_auth_cookie(username, serial):
def get_cookie_value():
return auth_cookie_value(config.user_id, load_serial(config.user_id))
+def renew_cookie(cookie_name, username, serial):
+ # Do not renew if:
+ # a) The _ajaxid var is set
+ # b) A logout is requested
+ if (html.req.myfile != 'logout' or html.has_var('_ajaxid')) \
+ and cookie_name == site_cookie_name():
+ set_auth_cookie(username, serial)
+
def check_auth_cookie(cookie_name):
username, issue_time, cookie_hash = html.cookie(cookie_name,
'::').split(':', 2)
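Review bot: The comment carried into `renew_cookie` does not match the condition under it: with `html.req.myfile != 'logout' or html.has_var('_ajaxid')`, a set `_ajaxid` forces renewal even on a logout request, whereas the comment says a set `_ajaxid` prevents renewal. I cannot tell from the hunk which of the two is intended; if the code is right the comment should read `# Renew only for this site's cookie, and not on a logout request (an _ajaxid request still renews, even during logout)`, otherwise the `or` needs to become `and`. A one-line docstring stating that `serial` is the value obtained from load_serial for `username` would also help readers of the new helper.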
@@ -110,12 +118,7 @@ def check_auth_cookie(cookie_name):
raise MKAuthException(_('Invalid credentials'))
# Once reached this the cookie is a good one. Renew it!
- # Do not renew if:
- # a) The _ajaxid var is set
- # b) A logout is requested
- if (html.req.myfile != 'logout' or html.has_var('_ajaxid')) \
- and cookie_name == site_cookie_name():
- set_auth_cookie(username, serial)
+ renew_cookie(cookie_name, username, serial)
# Return the authenticated username
return username
@@ -135,6 +138,15 @@ def check_auth():
if html.var("_secret"):
return check_auth_automation()
+ # When http header auth is enabled, try to read the username from the var
+ # and when there is some available, set the auth cookie (for other addons) and
proceed.
+ if config.auth_by_http_header:
+ username = html.req.headers_in.get(config.auth_by_http_header, None)
+ if username:
+ serial = load_serial(username)
+ renew_cookie(site_cookie_name(), username, serial)
+ return username
+
for cookie_name in html.get_cookie_names():
if cookie_name.startswith('auth_'):
try:
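Review bot: The header value read on `username = html.req.headers_in.get(config.auth_by_http_header, None)` is accepted as the authenticated user id as-is; nothing checks that it names an existing user or is a well-formed user id before `load_serial(username)` runs and the value is returned, whereas the cookie path goes through check_auth_cookie's credential checks first. What load_serial does for a name that has no serial is not visible here, so I would verify the header value against the configured users (the same lookup the cookie path relies on) and either fall through to the cookie handling or raise MKAuthException when it does not match. Because this branch returns before the cookie loop, a logout request is still answered with the header's user; a short comment such as `# Header auth re-authenticates every request, so there is no application-side logout` would make that explicit. The body of check_auth continues outside the hunk.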
diff --git a/web/htdocs/sidebar.py b/web/htdocs/sidebar.py
index 473521c..fb990f5 100644
--- a/web/htdocs/sidebar.py
+++ b/web/htdocs/sidebar.py
@@ -142,7 +142,7 @@ def sidebar_foot():
html.icon_button("user_profile.py", _("Edit your personal
settings, change your password"), "sidebar_settings",
target="main")
# html.write('<li><a class=profile target="main"
href="user_profile.py" title="%s"></a></li>' %
_('Edit user profile'))
- if config.may("general.logout"):
+ if config.may("general.logout") and not config.auth_by_http_header:
html.icon_button("logout.py", _("Log out"),
"sidebar_logout", target="_top")
# html.write('<li><a class=logout target="_top"
href="logout.py" title="%s"></a></li>' %
_('Logout'))
html.write('</ul>')
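Review bot: The new condition on `if config.may("general.logout") and not config.auth_by_http_header:` hides the logout button without saying why, and hiding the button does not by itself make logout.py unreachable. Since check_auth in login.py returns the header's username before any cookie is consulted, a logout cannot take effect while header authentication is active, which is the reason worth recording: `# No logout with header auth: the proxy authenticates every request anew`. sidebar_foot's body starts outside the hunk.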
diff --git a/web/plugins/wato/check_mk_configuration.py
b/web/plugins/wato/check_mk_configuration.py
index bd20672..b0e4c4c 100644
--- a/web/plugins/wato/check_mk_configuration.py
+++ b/web/plugins/wato/check_mk_configuration.py
@@ -297,6 +297,29 @@ register_configvar(group,
"details for each executed compilation.")),
domain = "multisite")
+register_configvar(group,
+ "auth_by_http_header",
+ Optional(
+ TextAscii(
+ label = _("HTTP Header Variable"),
+ help = _("Configure the name of the environment variable to read
"
+ "from the incoming HTTP requests"),
+ default_value = 'REMOTE_USER',
+ ),
+ title = _("Authenticate users by incoming HTTP requests"),
+ label = _("Activate HTTP header authentication (Warning: Only activate
"
+ "in trusted environments, see help for details)"),
+ help = _("If this option is enabled, multisite reads the configured HTTP
header "
+ "variable from the incoming HTTP request and simply takes the
string "
+ "in this variable as name of the authenticated user. "
+ "Be warned: Only allow access from trusted ip addresses "
+ "(Apache <tt>Allow from</tt>), like proxy "
+ "servers, to this webpage. A user with access to this page could
simply fake "
+ "the authentication information. This option can be useful to
"
+ " realize authentication in reverse proxy environments.")
+ ),
+ domain = "multisite")
+
# .----------------------------------------------------------------------.
# | _ _ __ __ _ |
# | | | | |___ ___ _ __ | \/ | __ _ _ __ ___ | |_ |
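Review bot: The help text and default do not match what login.py reads: the default `'REMOTE_USER'` and the words "environment variable" describe a CGI variable that Apache places in the request environment (`req.subprocess_env` under mod_python), while the code looks the name up in `html.req.headers_in`, i.e. the incoming HTTP request headers. Either the help, the default and `label = _("HTTP Header Variable")` should name an HTTP header the proxy actually sends, or the code should read the environment; as written the default only works if the proxy literally forwards a header called REMOTE_USER. The security warning should also say that restricting source addresses is not sufficient on its own: the proxy must set or overwrite this header on every forwarded request, because a header supplied by the client and passed through unchanged would be accepted as the user name. These are changes to the valuespec strings in this hunk only.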