[Buildbot-devel] [RFC] rework the authentication system

Dustin J. Mitchell dustin at v.igoro.us
Sat Sep 3 18:12:02 UTC 2011


On Tue, Aug 30, 2011 at 8:29 AM, Pierre Tardy <tardyp at gmail.com> wrote:
> Hello,
> AFAIK, the buildbot authentication system is very basic. Each web form
> that needs to be restricted will get ugly user/password entries.
>
> I would like to rework that and have a more classic authentication.

I like this idea - and Dmitry had a good start in pull 45.  A few
concerns, below.

> My personal requirements would be:
>
> - Compatible with existing BasicAuth, and HTAccessAuth config file.
> (no need to rewrite existing configs)
> - LDAP support
> - Custom Plugin authentication support (I'm thinking of using gerrit's
> database to manage my users)
> - Cookie based one-time authentication

These all sound good, and should be pluggable IAuth implementations.
Note that Buildbot just grew its own user database, too.  It will be
good if any plugins like gerrit or LDAP can also correlate with
buildbot userids, so that actions via the web interface can be
correlated with actions via IRC, version control, try, etc.

> - Group based permission. authz will be configured to allow access to
> one group, and not to that many users. Which groups a user belongs to
> is up to the auth plugin, and not the authz config.
>
> I would probably implement this that way:
> - A login form will be available at the right of the buildbot web header.
> - Submitting this form will call the auth plugin, and setup the cookie
> - dictionary of logged users will be kept by authz with LoggedUser
> class that contains:
>   * login
>   * email
>   * full username
>   * groups

Authz shouldn't be tracking who is logged in -- that should be done in IAuth.

So, have at it!

Dustin
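
The split discussed in this thread (the auth plugin owns credentials, the login cookie and the table of logged-in users; authz only maps actions to groups), as an added sketch that is not code from this message or from Buildbot. Every class, method and action name below is hypothetical except the LoggedUser fields, which come from the proposal; the user table is constructed sample data.

```python
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class LoggedUser:                      # fields listed in the proposal
    login: str
    email: str
    full_name: str
    groups: frozenset

class DictAuth:
    """Hypothetical auth plugin: checks credentials and owns session state."""
    def __init__(self, users):
        self._users = users            # login -> (password, LoggedUser)
        self._sessions = {}            # cookie token -> LoggedUser

    def login(self, login, password):
        entry = self._users.get(login)
        # Constant-time comparison; a real plugin would check htpasswd, LDAP, etc.
        if entry is None or not secrets.compare_digest(
                entry[0].encode(), password.encode()):
            return None
        token = secrets.token_urlsafe(32)   # unguessable cookie value
        self._sessions[token] = entry[1]
        return token

    def user_for(self, token):
        return self._sessions.get(token)

    def logout(self, token):
        self._sessions.pop(token, None)

class GroupAuthz:
    """Hypothetical authz: action -> allowed groups, no login state of its own."""
    def __init__(self, auth, action_groups):
        self._auth = auth
        self._action_groups = action_groups

    def allowed(self, action, token):
        user = self._auth.user_for(token) if token else None
        if user is None:               # unknown or logged-out cookie
            return False
        # Unlisted actions map to the empty set, so they are denied by default.
        return bool(user.groups & self._action_groups.get(action, frozenset()))

# Constructed sample data, not taken from any real configuration.
SAMPLE_USERS = {
    "alice": ("s3cret", LoggedUser("alice", "alice@example.org",
                                   "Alice Example", frozenset({"developers"}))),
}
SAMPLE_ACTIONS = {"force_build": frozenset({"developers"})}
```

Because authz resolves the cookie through the auth plugin on every check, a logout or a group change in the plugin takes effect immediately without touching the authz configuration.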



