[Buildbot-devel] [RFC] rework the authentication system

Dmitry Nezhevenko dion at dion.org.ua
Tue Aug 30 14:01:47 UTC 2011


On Tue, Aug 30, 2011 at 03:29:04PM +0200, Pierre Tardy wrote:
> Hello,
> AFAIK, the buildbot authentication system is very basic. Each web form
> that needs to be restricted will get ugly user/password entries.
> 
> I would like to rework that and have a more classic authentication.
> 
> My personal requirements would be:
> 
> - Compatible with existing BasicAuth, and HTAccessAuth config file.
> (no need to rewrite existing configs)
> - LDAP support
> - Custom Plugin authentication support (I'm thinking of using gerrit's
> database to manage my users)
> - Cookie based one-time authentication
> - Group based permission. authz will be configured to allow access to
> one group, and not to that many users. Which groups a user belongs to
> is up to the auth plugin, and not the authz config.
> 
> I would probably implement this that way:
> - A login form will be available at the right of the buildbot web header.
> - Submitting this form will call the auth plugin, and setup the cookie

Some time ago I tried to contribute a few changes that fix issues
with HTTP-based authentication.

The idea is to have some "frontend" server (lighttpd, nginx, etc) that
will ask for credentials itself. 

In such cases buildbot just needs to hide all "username" fields in
WebStatus and get current username from HTTP headers.

The advantage of this approach is that authentication-related stuff is
placed in one place for all intranet resources (buildbot, VCS, bugtracker, wiki,
file server). It just nicely integrates with existing infrastructure.

Here is my old pull request for this:

	https://github.com/buildbot/buildbot/pull/45/files

While it works, it was rejected because it has some coding issues. Here is
a link to Dustin's comments:

	https://github.com/buildbot/buildbot/pull/45

I totally agree with them but have not addressed them due to lack of time.

It would be great if buildbot were able to handle this somehow. I'll
probably be able to help/contribute to it somehow.

What do you think about this?
-- 
WBR, Dmitry
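
The backend side of the frontend-authentication setup described in this message, as an added example that is not part of the original post or of the pull request: it reads the username from an `Authorization: Basic` header passed through by the frontend and trusts it only when the connection comes from that frontend. The choice of header, the function names and the frontend addresses are assumptions.

```python
import base64
import binascii
import ipaddress

# Assumption: addresses of the frontend servers allowed to vouch for a user.
TRUSTED_FRONTENDS = [ipaddress.ip_network("127.0.0.1/32"),
                     ipaddress.ip_network("10.0.0.0/24")]


def peer_is_frontend(peer_ip, trusted=TRUSTED_FRONTENDS):
    """True only when the TCP peer is one of the authenticating frontends."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    return any(addr in net for net in trusted)


def username_from_headers(headers, peer_ip, trusted=TRUSTED_FRONTENDS):
    """Return the username the frontend authenticated, or None.

    headers: dict of HTTP header names to values, as received by the backend.
    The password part is ignored: the frontend has already checked it.
    """
    if not peer_is_frontend(peer_ip, trusted):
        # A direct client could put any name in the header, so ignore it.
        return None
    value = next((v for k, v in headers.items()
                  if k.lower() == "authorization"), None)
    if not value:
        return None
    scheme, _, payload = value.strip().partition(" ")
    if scheme.lower() != "basic" or not payload:
        return None
    try:
        decoded = base64.b64decode(payload.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, _password = decoded.partition(":")
    # Reject a missing separator, empty names and control characters.
    if not sep or not user or any(ord(c) < 0x20 for c in user):
        return None
    return user
```

The peer check only holds if the backend port is reachable solely through the frontend, or the frontend addresses cannot be spoofed on that network.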