[Buildbot-devel] [RFC] rework the authentication system

Pierre Tardy tardyp at gmail.com
Tue Aug 30 13:29:04 UTC 2011


Hello,
AFAIK, the buildbot authentication system is very basic. Each web form
that needs to be restricted will get ugly user/password entries.

I would like to rework that and have a more classic authentication.

My personal requirements would be:

- Compatible with existing BasicAuth, and HTAccessAuth config file.
(no need to rewrite existing configs)
- LDAP support
- Custom Plugin authentication support (I'm thinking of using gerrit's
database to manage my users)
- Cookie based one-time authentication
- Group based permission. authz will be configured to allow access to
one group, and not to that many users. Which groups a user belongs to
is up to the auth plugin, and not the authz config.

I would probably implement this that way:
- A login form will be available at the right of the buildbot web header.
- Submitting this form will call the auth plugin, and setup the cookie
- dictionary of logged users will be kept by authz with LoggedUser
class that contains:
   * login
   * email
   * full username
   * groups
- authz config will allow a dictionary to be passed instead of
already available boolean and callback. So that config would be:

authz_cfg=authz.Authz(
    # change any of these to True to enable; see the manual for more
    # options
    auth=LDAPAuth(server="ldap.sample.com", port=3269, dn="DN"),
    gracefulShutdown = {"*": "admins"},
    forceBuild = {"basic_builder": "developers",
                  "maintainer_builder": "maintainers"},
    forceAllBuilds = {"*": "admins"},
    pingBuilder = True,
    stopBuild = {"basic_builder": "developers",
                 "maintainer_builder": "maintainers"},
    stopAllBuilds = {"*": "admins"},
    cancelPendingBuild = {"*": "admins"})

Any better idea, or additional requirement is much appreciated.

Regards,
Pierre
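
The group lookup proposed in the message above, as an added example that is not part of the original message or of Buildbot's code. The helper name action_allowed, the callback signature, and the choices that an exact builder entry wins over "*" and that an unmatched builder is denied are assumptions.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class LoggedUser:
    """Fields listed in the proposal; filled in by the auth plugin at login."""
    login: str
    email: str
    full_name: str
    groups: frozenset = field(default_factory=frozenset)


def action_allowed(rule, user, builder=None):
    """Evaluate one authz rule (hypothetical helper).

    rule is a bool or a callback (the already available forms) or a dict
    mapping a builder name, or "*", to the group required for the action.
    user is a LoggedUser, or None when the request carries no valid session.
    """
    if isinstance(rule, bool):
        return rule
    if user is None:
        # Callback and dict rules need an authenticated user: fail closed.
        return False
    if callable(rule):
        # Assumed signature: callback(user, builder) -> truthy or falsy.
        return bool(rule(user, builder))
    if isinstance(rule, dict):
        # Assumption: an exact builder entry takes precedence over "*".
        required = rule.get(builder, rule.get("*"))
        # No matching entry means no group can grant the action.
        return required is not None and required in user.groups
    return False  # unknown rule type: deny


# Constructed sample data mirroring the config in the message.
RULES = {
    "forceBuild": {"basic_builder": "developers",
                   "maintainer_builder": "maintainers"},
    "stopAllBuilds": {"*": "admins"},
    "pingBuilder": True,
}
ALICE = LoggedUser("alice", "alice@example.com", "Alice Example",
                   frozenset({"developers"}))

if __name__ == "__main__":
    for name in ("basic_builder", "maintainer_builder"):
        print(name, action_allowed(RULES["forceBuild"], ALICE, name))
```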



