Authentication
Shib's authentication is used for two purposes:
- to log the username of whoever executes a query
- to control access to databases/tables

Authentication is enabled when you write an `auth` item in your configuration file.
```javascript
var servers = exports.servers = {
  /*
    basic configurations here.
  */
  auth: {
    type: 'http_basic_auth',
    require_always: false,
    realm: 'my company',
    // auth module settings...
  }
};
```
Common attributes for all auth modules are `type`, `require_always` and `realm`.

- `type`: string value specifying the auth module name; the options are `http_basic_auth` and `http_custom_header`.
- `require_always`: boolean controlling whether query execution is allowed or denied for non-authenticated users. If you are using Shib as an HTTP-Hive-Proxy and your HTTP clients cannot perform the authentication steps, you should permit query execution without authentication. Note that users can then also skip authentication when executing queries, so `require_always: false` weakens the security of the username logging.
- `realm`: label string shown as the authentication area/realm, both to users and in logs.
The HTTP Basic Auth module authenticates against a specified website, using it as a username/password dictionary: Shib forwards the username/password to that site in HTTP Basic Authentication headers, and allows or denies the user's authentication request according to the remote site's response.
```javascript
auth: {
  type: 'http_basic_auth',
  require_always: false,
  url: 'http://internal.page.local/',
  realm: '@hourdomain.example.com'
},
```
- `url`: string - the URL of the site used for the HTTP requests; specify an internal site of your organization
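The request handling described above, as an added example that is not Shib's own code: the `Authorization: Basic` header is parsed, the same credentials are re-encoded into the request that goes to `auth.url`, and the remote site's status code becomes the allow/deny verdict, with `require_always` deciding what happens when no credentials are offered. The function names (`parseBasicAuth`, `planUpstreamCheck`, `decideRequest`) and the injected `checkUpstream` callback are assumptions made so that the logic runs offline against a constructed stub instead of a real internal site.

```javascript
// Added example, not Shib's own code: the request handling an
// http_basic_auth-style module performs, written as pure functions so it runs
// offline. The remote check is injected (`checkUpstream`); a constructed stub
// stands in for the network call below.

// Parse an "Authorization: Basic <base64>" header value.
// Returns {username, password}, or null when the value is not valid Basic auth.
function parseBasicAuth(headerValue) {
  if (typeof headerValue !== 'string') return null;
  const m = /^Basic\s+([A-Za-z0-9+/]+=*)$/i.exec(headerValue.trim());
  if (!m) return null;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const sep = decoded.indexOf(':');
  if (sep < 0) return null; // RFC 7617: user-id and password are separated by a colon
  return { username: decoded.slice(0, sep), password: decoded.slice(sep + 1) };
}

// Build the request Shib would send to auth.url: the same credentials,
// re-encoded as a Basic header. The remote site's status code is the verdict.
function planUpstreamCheck(auth, creds) {
  const token = Buffer.from(`${creds.username}:${creds.password}`, 'utf8').toString('base64');
  return { method: 'GET', url: auth.url, headers: { Authorization: `Basic ${token}` } };
}

// 401 with the configured realm, so the client knows which area to authenticate for.
function challenge(auth) {
  return { status: 401, headers: { 'WWW-Authenticate': `Basic realm="${auth.realm}"` }, user: null };
}

// Decide one incoming request. `headers` is the client's header map with
// lower-cased names; `checkUpstream(request)` returns the remote site's status code.
function decideRequest(auth, headers, checkUpstream) {
  const raw = headers['authorization'];
  if (raw === undefined) {
    // No credentials offered: allowed as an anonymous (unlogged) user only when
    // require_always is false; otherwise ask the client to authenticate.
    return auth.require_always ? challenge(auth) : { status: 200, headers: {}, user: null };
  }
  const creds = parseBasicAuth(raw);
  if (!creds) return challenge(auth); // header present but malformed
  const status = checkUpstream(planUpstreamCheck(auth, creds));
  if (status >= 200 && status < 300) return { status: 200, headers: {}, user: creds.username };
  return challenge(auth); // the remote site rejected the credentials
}

// Constructed usage: the auth section from this page, plus a stub for the
// internal site that accepts exactly one constructed username/password pair.
const authConfig = { type: 'http_basic_auth', require_always: false, url: 'http://internal.page.local/', realm: 'my company' };
const stubUpstream = (req) =>
  req.headers.Authorization === 'Basic ' + Buffer.from('alice:s3cret').toString('base64') ? 200 : 401;

const verdict = decideRequest(authConfig, { authorization: 'Basic ' + Buffer.from('alice:s3cret').toString('base64') }, stubUpstream);
console.log(verdict.status, verdict.user); // 200 alice
```

A real module performs the upstream check asynchronously over HTTP; the pure shape here makes the three outcomes (anonymous pass-through, challenge, authenticated user) easy to see and to test. Note that with `require_always: false` the anonymous branch records no username, which is exactly the logging weakness the attribute list above points out.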
If you have a reverse proxy server in front of your shib instance, and that reverse proxy provides HTTP-level authentication, you can use it for shib too.
Shib's HTTP Custom Header module can read any HTTP headers as the username (and group name), and Shib then allows query execution under that username.
```javascript
auth: {
  type: 'http_custom_header',
  realm: 'my company',
  require_always: true,
  username: 'X-Shib-Auth-User', // default
  groupname: 'X-Shib-Auth-Group' // default
}
```
At your reverse proxy servers, set the username in the HTTP header `X-Shib-Auth-User` right after authentication, before the request is proxied.
For example with Apache HTTPd, the authnz_ldap module and an ActiveDirectory-like LDAP server:
```apache
ProxyPass / http://localhost:3000/
ProxyPassReverse / http://localhost:3000/
<Proxy *>
  AllowOverride None
  AuthName "shib auth"
  AuthType Basic
  AuthBasicProvider ldap
  AuthLDAPUrl "ldap://ldapserver:389/ou=Users,dc=example,dc=com?sAMAccountName?sub?(objectClass=*)"
  AuthLDAPBindDN "cn=bindname,dc=example,dc=com"
  AuthLDAPBindPassword SECRET
  Require valid-user
  RequestHeader set X-Shib-Auth-User %{AUTHENTICATE_SAMACCOUNTNAME}e
  ### Using 'FOOBAR' attribute of LDAP entry as group name
  # RequestHeader set X-Shib-Auth-Group %{AUTHENTICATE_FOOBAR}e
</Proxy>
```
See the Apache mod_authnz_ldap documentation for more details.
Shib provides access control by the user names (and group names) obtained from authentication; configure it with the `access_control` attribute in the `auth` section.
```javascript
auth: {
  type: 'http_custom_header',
  require_always: true,
  realm: 'mycompany',
  username: 'X-Shib-Auth-User',
  groupname: 'X-Shib-Auth-Group',
  access_control: {
    users: {
      tagomoris: {
        default: "deny",
        databases: {
          default: { default: "allow" },
          oneservice: { default: "deny", allow: ["access_logs"] }
        }
      }
    },
    groups: {
      superuser: { default: "allow" },
      normaluser: {
        default: "deny",
        databases: {
          default: { default: "allow" } // and only
        }
      }
    },
    order: ["user", "group"],
    default: "deny"
  }
},
```
Module features differ:
- the `http_basic_auth` module provides `users` only;
- the `http_custom_header` module provides `users`, `groups` and `order`.
For more details, see Access Control.
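The two steps above, reading the principal from the proxy-set headers of the HTTP Custom Header module and then evaluating the `access_control` section, as an added example that is not Shib's own code. The evaluation semantics are an assumed reading of the configuration shown on this page (the Access Control page has the real rules): `order` picks whether the user or the group rule is consulted first, a rule's `databases` map is keyed by database name (so `default` there is Hive's `default` database, as the "and only" comment suggests), a database entry's `allow` list names tables, and each level's `default` is its fallback. The function names (`principalFromHeaders`, `evaluateRule`, `isAllowed`, `authorizeQuery`) are assumptions.

```javascript
// Added example, not Shib's own code. Assumed semantics for the access_control
// section on this page: first matching rule in `order` decides; unknown
// database -> rule.default; unknown table -> database entry's default;
// no matching rule at all -> access_control.default.

// Lookups use own-property checks only, because the username and group name
// come from HTTP headers and must not match inherited keys like "constructor".
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Read the principal from the headers the reverse proxy set. Header names are
// lower-cased, as Node's http module delivers them. Null when no username.
function principalFromHeaders(auth, headers) {
  const username = headers[auth.username.toLowerCase()];
  if (!username) return null;
  const groupname = headers[auth.groupname.toLowerCase()] || null;
  return { username, groupname };
}

// "allow" or "deny" for one table under one user/group rule.
function evaluateRule(rule, database, table) {
  const databases = rule.databases || {};
  if (!hasOwn(databases, database)) return rule.default;
  const dbRule = databases[database];
  if (Array.isArray(dbRule.allow) && dbRule.allow.includes(table)) return 'allow';
  return dbRule.default;
}

// Walk `order`; the first kind that has a rule for this principal decides.
function isAllowed(accessControl, principal, database, table) {
  const users = accessControl.users || {};
  const groups = accessControl.groups || {};
  for (const kind of accessControl.order || ['user', 'group']) {
    let rule = null;
    if (kind === 'user' && principal && hasOwn(users, principal.username)) {
      rule = users[principal.username];
    }
    if (kind === 'group' && principal && principal.groupname && hasOwn(groups, principal.groupname)) {
      rule = groups[principal.groupname];
    }
    if (rule) return evaluateRule(rule, database, table) === 'allow';
  }
  return accessControl.default === 'allow';
}

// Gate one query. With require_always true a request without a principal is
// refused outright (assumption); otherwise the global default applies to it.
function authorizeQuery(auth, headers, database, table) {
  const principal = principalFromHeaders(auth, headers);
  if (!principal && auth.require_always) return false;
  return isAllowed(auth.access_control, principal, database, table);
}

// The auth section from this page, copied as the constructed input.
const authConfig = {
  type: 'http_custom_header',
  require_always: true,
  realm: 'mycompany',
  username: 'X-Shib-Auth-User',
  groupname: 'X-Shib-Auth-Group',
  access_control: {
    users: {
      tagomoris: {
        default: 'deny',
        databases: {
          default: { default: 'allow' },
          oneservice: { default: 'deny', allow: ['access_logs'] },
        },
      },
    },
    groups: {
      superuser: { default: 'allow' },
      normaluser: { default: 'deny', databases: { default: { default: 'allow' } } },
    },
    order: ['user', 'group'],
    default: 'deny',
  },
};

// Constructed request: the proxy authenticated tagomoris and set the header.
console.log(authorizeQuery(authConfig, { 'x-shib-auth-user': 'tagomoris' }, 'oneservice', 'access_logs')); // true
```

Because the module trusts whatever value arrives in `X-Shib-Auth-User`, this only holds when every request reaches shib through the proxy and the proxy overwrites the header (`RequestHeader set`, as in the Apache example) rather than passing a client-supplied value through; a deployment where shib is reachable directly would have no authentication at all for that path.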