
web UI auth: decouple auth_user from session

Sessions are processed in the web UI part only. The pcsd backend does not work
with sessions, so it only gets who is logged in and not the whole session.
tomjelinek committed Feb 3, 2016
1 parent b9e7f06 commit bc6ad9086857559db57f4e3e6de66762291c0774
Showing with 525 additions and 490 deletions.
  1. +32 −18 pcsd/auth.rb
  2. +10 −10 pcsd/cfgsync.rb
  3. +1 −1 pcsd/cluster_entity.rb
  4. +4 −4 pcsd/fenceagent.rb
  5. +113 −113 pcsd/pcs.rb
  6. +21 −21 pcsd/pcsd-cli.rb
  7. +63 −38 pcsd/pcsd.rb
  8. +260 −254 pcsd/remote.rb
  9. +9 −7 pcsd/resource.rb
  10. +12 −24 pcsd/test/test_auth.rb
@@ -47,7 +47,7 @@ def self.validUser(username, password, generate_token = false)

def self.getUsersGroups(username)
stdout, stderr, retval = run_cmd(
getSuperuserSession, "id", "-Gn", username
getSuperuserAuth(), "id", "-Gn", username
)
if retval != 0
$logger.info(
@@ -94,41 +94,43 @@ def self.validToken(token)
return false
end

def self.loginByToken(session, cookies)
def self.loginByToken(cookies)
auth_user = {}
if username = validToken(cookies["token"])
if SUPERUSER == username
if cookies['CIB_user'] and cookies['CIB_user'].strip != ''
session[:username] = cookies['CIB_user']
auth_user[:username] = cookies['CIB_user']
if cookies['CIB_user_groups'] and cookies['CIB_user_groups'].strip != ''
session[:usergroups] = cookieUserDecode(
auth_user[:usergroups] = cookieUserDecode(
cookies['CIB_user_groups']
).split(nil)
else
session[:usergroups] = []
auth_user[:usergroups] = []
end
else
session[:username] = SUPERUSER
session[:usergroups] = []
auth_user[:username] = SUPERUSER
auth_user[:usergroups] = []
end
return true
return auth_user
else
session[:username] = username
auth_user[:username] = username
success, groups = getUsersGroups(username)
session[:usergroups] = success ? groups : []
return true
auth_user[:usergroups] = success ? groups : []
return auth_user
end
end
return false
return nil
end

def self.loginByPassword(session, username, password)
def self.loginByPassword(username, password)
if validUser(username, password)
session[:username] = username
auth_user = {}
auth_user[:username] = username
success, groups = getUsersGroups(username)
session[:usergroups] = success ? groups : []
return true
auth_user[:usergroups] = success ? groups : []
return auth_user
end
return false
return nil
end

def self.isLoggedIn(session)
@@ -141,7 +143,7 @@ def self.isLoggedIn(session)
return false
end

def self.getSuperuserSession()
def self.getSuperuserAuth()
return {
:username => SUPERUSER,
:usergroups => [],
@@ -162,5 +164,17 @@ def self.cookieUserEncode(text)
def self.cookieUserDecode(text)
return Base64.decode64(text)
end

def self.sessionToAuthUser(session)
return {
:username => session[:username],
:usergroups => session[:usergroups],
}
end

def self.authUserToSession(auth_user, session)
session[:username] = auth_user[:username]
session[:usergroups] = auth_user[:usergroups]
end
end
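Review bot: In loginByToken (second hunk), the SUPERUSER branch copies `cookies['CIB_user']` and the Base64-decoded `CIB_user_groups` into auth_user after only a non-blank test, and it stores the unstripped name although the test uses `.strip`. Since auth_user is now the identity handed to the backend, I would store `auth_user[:username] = cookies['CIB_user'].strip` and add a comment along the lines of `# CIB_user / CIB_user_groups are client-supplied and honoured only when the token belongs to SUPERUSER`. The changed return contract of loginByToken and loginByPassword (an auth_user hash on success, `nil` rather than `false` on failure) is not documented and deserves a one-line comment on each method. sessionToAuthUser in the last hunk returns a hash with nil fields for a session that is not logged in, so a comment such as `# caller must check isLoggedIn(session) first` would help; how the backend treats a nil username is not visible here.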

@@ -425,15 +425,15 @@ def self.save(data)


class ConfigPublisher
def initialize(session, configs, nodes, cluster_name, tokens={})
def initialize(auth_user, configs, nodes, cluster_name, tokens={})
@configs = configs
@nodes = nodes
@cluster_name = cluster_name
@published_configs_names = @configs.collect { |cfg|
cfg.class.name
}
@additional_tokens = tokens
@session = session
@auth_user = auth_user
end

def send(force=false)
@@ -451,7 +451,7 @@ def send(force=false)
@nodes.each { |node|
threads << Thread.new {
code, out = send_request_with_token(
@session, node, 'set_configs', true, data, true, nil, 30,
@auth_user, node, 'set_configs', true, data, true, nil, 30,
@additional_tokens
)
if 200 == code
@@ -535,11 +535,11 @@ def get_old_local_configs(node_response, published_configs_names)


class ConfigFetcher
def initialize(session, config_classes, nodes, cluster_name)
def initialize(auth_user, config_classes, nodes, cluster_name)
@config_classes = config_classes
@nodes = nodes
@cluster_name = cluster_name
@session = session
@auth_user = auth_user
end

def fetch_all()
@@ -591,7 +591,7 @@ def get_configs_cluster(nodes, cluster_name)
nodes.each { |node|
threads << Thread.new {
code, out = send_request_with_token(
@session, node, 'get_configs', false, data
@auth_user, node, 'get_configs', false, data
)
if 200 == code
begin
@@ -700,13 +700,13 @@ def self.save_sync_new_version(config, nodes, cluster_name, fetch_on_conflict, t
else
# we run in a cluster so we need to sync the config
publisher = ConfigPublisher.new(
PCSAuth.getSuperuserSession(), [config], nodes, cluster_name, tokens
PCSAuth.getSuperuserAuth(), [config], nodes, cluster_name, tokens
)
old_configs, node_responses = publisher.publish()
if old_configs.include?(config.class.name)
if fetch_on_conflict
fetcher = ConfigFetcher.new(
PCSAuth.getSuperuserSession(), [config.class], nodes, cluster_name
PCSAuth.getSuperuserAuth(), [config.class], nodes, cluster_name
)
cfgs_to_save, _ = fetcher.fetch()
cfgs_to_save.each { |cfg_to_save|
@@ -751,7 +751,7 @@ def self.save_sync_new_tokens(config, new_tokens, nodes, cluster_name)
end
# we run in a cluster so we need to sync the config
publisher = ConfigPublisher.new(
PCSAuth.getSuperuserSession(), [config_new], nodes, cluster_name,
PCSAuth.getSuperuserAuth(), [config_new], nodes, cluster_name,
new_tokens
)
old_configs, node_responses = publisher.publish()
@@ -761,7 +761,7 @@ def self.save_sync_new_tokens(config, new_tokens, nodes, cluster_name)
end
# get tokens from all nodes and merge them
fetcher = ConfigFetcher.new(
PCSAuth.getSuperuserSession(), [config_new.class], nodes, cluster_name
PCSAuth.getSuperuserAuth(), [config_new.class], nodes, cluster_name
)
fetched_tokens = fetcher.fetch_all()[config_new.class.name]
config_new = Cfgsync::merge_tokens_files(config, fetched_tokens, new_tokens)
@@ -1018,7 +1018,7 @@ def initialize
@pcsd_enabled = false
end

def self.load_current_node(session, crm_dom=nil)
def self.load_current_node(crm_dom=nil)
node = ClusterEntity::Node.new
node.corosync = corosync_running?
node.corosync_enabled = corosync_enabled?
@@ -1,4 +1,4 @@
def getFenceAgents(session, fence_agent = nil)
def getFenceAgents(auth_user, fence_agent = nil)
fence_agent_list = {}
agents = Dir.glob('/usr/sbin/fence_' + '*')
agents.each { |a|
@@ -7,7 +7,7 @@ def getFenceAgents(session, fence_agent = nil)
next if fa.name == "fence_ack_manual"

if fence_agent and a.sub(/.*\//,"") == fence_agent.sub(/.*:/,"")
required_options, optional_options, advanced_options, info = getFenceAgentMetadata(session, fa.name)
required_options, optional_options, advanced_options, info = getFenceAgentMetadata(auth_user, fa.name)
fa.required_options = required_options
fa.optional_options = optional_options
fa.advanced_options = advanced_options
@@ -18,7 +18,7 @@ def getFenceAgents(session, fence_agent = nil)
fence_agent_list
end

def getFenceAgentMetadata(session, fenceagentname)
def getFenceAgentMetadata(auth_user, fenceagentname)
options_required = {}
options_optional = {}
options_advanced = {
@@ -43,7 +43,7 @@ def getFenceAgentMetadata(session, fenceagentname)
return [options_required, options_optional, options_advanced]
end
stdout, stderr, retval = run_cmd(
session, "/usr/sbin/#{fenceagentname}", '-o', 'metadata'
auth_user, "/usr/sbin/#{fenceagentname}", '-o', 'metadata'
)
metadata = stdout.join
begin
