Merge pull request #115 from detiber/consoleBasicAuthTweak

kraman · kraman · commit 154a75456491 · 2013-10-29T13:54:40.000-07:00
Set correct auth config for console when using remote user basic auth
diff --git a/manifests/plugins/auth/htpasswd.pp b/manifests/plugins/auth/htpasswd.pp
@@ -37,6 +37,21 @@
     before  => Exec['Broker gem dependencies'],
   }
 
+  file {'Console htpasswd config':
+    path => '/var/www/openshift/console/httpd/conf.d/openshift-origin-auth-remote-user-basic.conf',
+    content =>
+      template('openshift_origin/console/plugins/auth/basic/openshift-origin-auth-remote-user-basic.conf.erb'),
+    owner => 'apache',
+    group => 'apache',
+    mode => '0644',
+    require => [
+      Package['rubygem-openshift-origin-auth-remote-user'],
+      File['Broker htpasswd config'],
+    ],
+    notify  => Service['openshift-console'],
+    before  => Exec['Console gem dependencies'],
+  }
+
   file { 'Auth plugin config':
     path    => '/etc/openshift/plugins.d/openshift-origin-auth-remote-user.conf',
     content => template('openshift_origin/broker/plugins/auth/basic/remote-user.conf.plugin.erb'),
diff --git a/templates/console/console.conf.erb b/templates/console/console.conf.erb
@@ -53,7 +53,7 @@ BROKER_API_SSL_OPTIONS={:verify_mode => OpenSSL::SSL::VERIFY_NONE}
 #   during startup of the console and any errors will prevent
 #   load.
 #
-CONSOLE_SECURITY=basic
+CONSOLE_SECURITY=<%= scope.lookupvar('::openshift_origin::broker_auth_plugin') == 'mongo' ? 'basic' : 'remote_user' %>
 
 #
 # The name of the request env variable or header that indicates a 
diff --git a/templates/console/plugins/auth/basic/openshift-origin-auth-remote-user-basic.conf.erb b/templates/console/plugins/auth/basic/openshift-origin-auth-remote-user-basic.conf.erb
@@ -0,0 +1,24 @@
+LoadModule auth_basic_module modules/mod_auth_basic.so
+LoadModule authn_file_module modules/mod_authn_file.so
+LoadModule authz_user_module modules/mod_authz_user.so
+
+# Turn the authenticated remote-user into an Apache environment variable for the console security controller
+RewriteEngine On
+RewriteCond %{LA-U:REMOTE_USER} (.+)
+RewriteRule . - [E=RU:%1]
+RequestHeader set X-Remote-User "%{RU}e" env=RU
+
+<Location /console>
+    AuthName "OpenShift Developer Console"
+    AuthType Basic
+    AuthUserFile /etc/openshift/htpasswd
+    require valid-user
+
+    # The node->broker auth is handled in the Ruby code
+    BrowserMatch Openshift passthrough
+    Allow from env=passthrough
+
+    Order Deny,Allow
+    Deny from all
+    Satisfy any
+</Location>

Original file line number	Diff line number	Diff line change
`@@ -53,7 +53,7 @@ BROKER_API_SSL_OPTIONS={:verify_mode => OpenSSL::SSL::VERIFY_NONE}`
`53`	`53`	`# during startup of the console and any errors will prevent`
`54`	`54`	`# load.`
`55`	`55`	`#`
`56`		`-CONSOLE_SECURITY=basic`
	`56`	`+CONSOLE_SECURITY=<%= scope.lookupvar('::openshift_origin::broker_auth_plugin') == 'mongo' ? 'basic' : 'remote_user' %>`
`57`	`57`
`58`	`58`	`#`
`59`	`59`	`# The name of the request env variable or header that indicates a`