Slide 1

Slide 1 text

intentionally left blank

Slide 2

Slide 2 text

getting django to play with old friends

Slide 3

Slide 3 text

getting django to play with old friends or foes

Slide 4

Slide 4 text

engineer @ red hat @roguelynn roguelynn.com Lynn Root

Slide 5

Slide 5 text

Lynn Root freeipa.org

Slide 6

Slide 6 text

Lynn Root freeipa.org IPA != India Pale Ale

Slide 7

Slide 7 text

Lynn Root freeipa.org IPA == Identity, Policy, Audit

Slide 8

Slide 8 text

Lynn Root freeipa.org IPA == Identity, Policy, Audit Alpha

Slide 9

Slide 9 text

Playbill
  Setting up
  Custom User
  External Authentication
  External Permissions

Slide 10

Slide 10 text

rogue.ly/circus

Slide 11

Slide 11 text

No content

Slide 12

Slide 12 text

Problem: Make an internal web app.

Slide 13

Slide 13 text

Question: Can I use Postgres for auth?

Slide 14

Slide 14 text

Crap. I have to use single sign-on.

Slide 15

Slide 15 text

new User models + antiquated authentication

Slide 16

Slide 16 text

ZOMG new user modelzz !1!! what does that mean?

Slide 17

Slide 17 text

allows custom user identifiers

Slide 18

Slide 18 text

./manage.py startapp synergizerApp

Slide 19

Slide 19 text

user model:

Slide 20

Slide 20 text

# synergizerApp/models.py
from django.db import models
from django.contrib.auth.models import AbstractBaseUser

class KerbUser(AbstractBaseUser):
    # USERNAME_FIELD must be unique; it holds the name the Kerberos backend hands us
    username = models.CharField(max_length=254, ...)
    first_name = models.CharField(...)
    last_name = models.CharField(...)
    email = models.EmailField(...)
    synergy_level = models.IntegerField()
    is_team_player = models.BooleanField(default=False)

    USERNAME_FIELD = 'username'
    REQUIRED_FIELDS = ['email', 'synergy_level']

Slide 21

Slide 21 text

user manager:

Slide 22

Slide 22 text

# synergizerApp/models.py
from django.contrib.auth.models import (
    AbstractBaseUser, BaseUserManager)

class KerbUserManager(BaseUserManager):
    def create_user(self, email, synergy_level, password=None):
        user = self.model(email=email, synergy_level=synergy_level)
        # <--snip-->
        return user

    def create_superuser(self, email, synergy_level, password):
        user = self.create_user(email, synergy_level, password=password)
        user.is_team_player = True
        user.save()
        return user

Slide 23

Slide 23 text

# synergizerApp/models.py
from django.contrib.auth.models import (
    AbstractBaseUser, BaseUserManager)
...

class KerbUser(AbstractBaseUser):
    # <--snip-->
    objects = KerbUserManager()

Slide 24

Slide 24 text

settings.py

Slide 25

Slide 25 text

# settings.py
AUTH_USER_MODEL = 'synergizerApp.KerbUser'

MIDDLEWARE_CLASSES = (
    ...
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.auth.middleware.RemoteUserMiddleware',
    ...
)

AUTHENTICATION_BACKENDS = (
    'django.contrib.auth.backends.RemoteUserBackend',
)

team player!

Slide 26

Slide 26 text

pointyhairedboss@STRATEGERY.COM

Slide 28

Slide 28 text

client-centric!!1!

# synergizerApp/krb5.py
from django.contrib.auth.backends import (
    RemoteUserBackend)

class Krb5RemoteUserBackend(RemoteUserBackend):
    def clean_username(self, username):
        # remove @REALM from username
        return username.split("@")[0]
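The `clean_username` above keeps whatever precedes the `@`, so `alice@ROOTCLOUD.COM` and a principal named `alice` in any other realm both land on the same local account. The following is an added example, not code from the talk, of the same hook with an explicit realm allow-list: anything outside it, anything without a realm, and service-style principals are refused instead of becoming users. The realm value, the module name and the Django wiring are assumptions for illustration.

```python
"""Realm-aware clean_username for a REMOTE_USER (Kerberos) backend.

Added example (not from the talk). The talk's version strips everything
after '@'; this one only accepts principals from an explicit set of realms
and refuses everything else. Realm value and wiring are assumptions.
"""

# Realms whose users may log in (assumed value; the talk's realm is ROOTCLOUD.COM).
ALLOWED_REALMS = frozenset({"ROOTCLOUD.COM"})


def clean_kerberos_principal(principal, allowed_realms=ALLOWED_REALMS):
    """Return the local username for a Kerberos *user* principal.

    Raises ValueError for anything that must not become a Django user:
    a missing or foreign realm, an empty primary, or a service principal
    (primary contains '/', e.g. HTTP/host@REALM).
    """
    if not principal or principal.count("@") != 1:
        raise ValueError("expected exactly one '@' in principal: %r" % (principal,))
    primary, realm = principal.split("@")
    if realm not in allowed_realms:
        raise ValueError("realm %r is not permitted" % (realm,))
    if not primary or "/" in primary:
        raise ValueError("not a user principal: %r" % (principal,))
    return primary


def is_acceptable_principal(principal, allowed_realms=ALLOWED_REALMS):
    """Boolean form of the check, convenient for tests and log triage."""
    try:
        clean_kerberos_principal(principal, allowed_realms)
    except ValueError:
        return False
    return True


# Django wiring. Guarded so the helpers above also run where Django is absent.
try:
    from django.contrib.auth.backends import RemoteUserBackend
    from django.core.exceptions import PermissionDenied
except ImportError:  # stand-alone use without Django installed
    RemoteUserBackend = object
    PermissionDenied = PermissionError


class Krb5RemoteUserBackend(RemoteUserBackend):
    """Drop-in for the talk's backend with the realm check applied.

    Raising PermissionDenied makes django.contrib.auth.authenticate() stop
    and return None, instead of running get_or_create() on a malformed or
    foreign-realm REMOTE_USER value.
    """

    def clean_username(self, username):
        try:
            return clean_kerberos_principal(username)
        except ValueError as exc:
            raise PermissionDenied(str(exc))
```

`KrbAuthRealms` in the Apache configuration already limits which realms mod_auth_kerb will accept; the check here is the second layer, so the application does not depend on the web server's configuration staying correct. If Apache is set up to strip the realm itself before populating `REMOTE_USER`, the `@` requirement has to be relaxed accordingly.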

Slide 29

Slide 29 text

# settings.py
AUTH_USER_MODEL = 'synergizerApp.KerbUser'

MIDDLEWARE_CLASSES = (
    ...
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.auth.middleware.RemoteUserMiddleware',
    ...
)

AUTHENTICATION_BACKENDS = (
    'synergizerApp.krb5.Krb5RemoteUserBackend',
)

a streamlining team player!
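The order of the two middlewares on this slide is not cosmetic: `RemoteUserMiddleware` reads `request.user`, which `AuthenticationMiddleware` must have set up first (Django raises `ImproperlyConfigured` otherwise), and `AuthenticationMiddleware` in turn needs `SessionMiddleware`. The backend list also has to name a backend that understands `remote_user`, and a misspelt dotted path only fails at first login. Below is an added example, not from the talk, of a plain-Python check over these settings; the expanded middleware tuple stands in for the slide's `...` and is constructed sample input.

```python
"""Sanity checks for the REMOTE_USER wiring in settings.py.

Added example (not from the talk). Pure Python so it runs without a
Django project; the sample tuples are constructed from the slide.
"""

SESSION_MW = "django.contrib.sessions.middleware.SessionMiddleware"
AUTH_MW = "django.contrib.auth.middleware.AuthenticationMiddleware"
REMOTE_USER_MW = "django.contrib.auth.middleware.RemoteUserMiddleware"

MODEL_BACKEND = "django.contrib.auth.backends.ModelBackend"
REMOTE_USER_BACKEND = "django.contrib.auth.backends.RemoteUserBackend"
BUILTIN_BACKENDS = frozenset({
    MODEL_BACKEND,
    REMOTE_USER_BACKEND,
    "django.contrib.auth.backends.AllowAllUsersModelBackend",
    "django.contrib.auth.backends.AllowAllUsersRemoteUserBackend",
})

# Constructed sample modelled on the slide, with its '...' expanded to the
# two middlewares the REMOTE_USER pair depends on.
SLIDE_MIDDLEWARE = (
    SESSION_MW,
    "django.middleware.common.CommonMiddleware",
    AUTH_MW,
    REMOTE_USER_MW,
)
SLIDE_BACKENDS = ("synergizerApp.krb5.Krb5RemoteUserBackend",)


def check_remote_user_settings(middleware, backends, custom_backends=()):
    """Return a list of problems; an empty list means the wiring is sound.

    custom_backends: dotted paths of your own RemoteUserBackend subclasses
    (e.g. the slide's Krb5RemoteUserBackend) that count as REMOTE_USER-aware.
    """
    problems = []
    order = {name: idx for idx, name in enumerate(middleware)}

    # Middleware presence and ordering.
    if REMOTE_USER_MW not in order:
        problems.append("RemoteUserMiddleware missing: REMOTE_USER is never read")
    if AUTH_MW not in order:
        problems.append("AuthenticationMiddleware missing")
    elif REMOTE_USER_MW in order and order[AUTH_MW] > order[REMOTE_USER_MW]:
        problems.append("AuthenticationMiddleware must come before RemoteUserMiddleware")
    if SESSION_MW not in order:
        problems.append("SessionMiddleware missing: request.user needs a session")
    elif AUTH_MW in order and order[SESSION_MW] > order[AUTH_MW]:
        problems.append("SessionMiddleware must come before AuthenticationMiddleware")

    # Backend list: something must consume remote_user, and built-in names
    # must be spelt correctly (a typo is only noticed at the first login).
    remote_aware = {REMOTE_USER_BACKEND, *custom_backends}
    if not any(b in remote_aware for b in backends):
        problems.append("no REMOTE_USER-aware backend in AUTHENTICATION_BACKENDS")
    for b in backends:
        if b.startswith("django.contrib.auth.backends.") and b not in BUILTIN_BACKENDS:
            problems.append("unknown built-in backend %r (typo?)" % (b,))
    if MODEL_BACKEND in backends:
        problems.append("ModelBackend also enabled: password logins stay possible "
                        "alongside single sign-on; drop it unless that is intended")
    return problems
```

Run `check_remote_user_settings(MIDDLEWARE_CLASSES, AUTHENTICATION_BACKENDS, custom_backends=("synergizerApp.krb5.Krb5RemoteUserBackend",))` against your own settings module; the `ModelBackend` warning is deliberately conservative, since keeping a password backend next to Kerberos means the single sign-on requirement can be bypassed for any account that still has a usable password.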

Slide 30

Slide 30 text

how do I Apache?

Slide 31

Slide 31 text

environment: Kerberos + Apache

Slide 32

Slide 32 text

# /etc/httpd/conf.d/remote_user.conf
LoadModule auth_kerb_module modules/mod_auth_kerb.so

AuthName "DjangoConKerberos"
AuthType Kerberos
KrbMethodNegotiate On
KrbMethodK5Passwd Off
KrbServiceName HTTP/djangocon.rootcloud.com
KrbAuthRealms ROOTCLOUD.COM
Krb5KeyTab /etc/http.keytab
Require valid-user
Order Deny,Allow
Deny from all
Satisfy any

Slide 35

Slide 35 text

mod_auth_kerb
Enrolled host + service
chown apache

Slide 37

Slide 37 text

does it negotiate?

Slide 38

Slide 38 text

cURL, requests.py, browsers

Slide 39

Slide 39 text

$ curl --negotiate -u : $FQDN

Slide 40

Slide 40 text

[vagrant@client]# kinit roguelynn
Password for roguelynn@ROOTCLOUD.COM:
[vagrant@client]# curl -I --negotiate -u : \
    https://synergizeapp.strategery.com
HTTP/1.1 401 Unauthorized
Date: Wed, 15 May 2013 09:10:18 GMT
Server: Apache/2.4.4 (Fedora)
WWW-Authenticate: Negotiate
Content-type text/html; charset=iso-8859-1

HTTP/1.1 200
Date: Wed, 15 May 2013 09:10:18 GMT
Server: Apache/2.4.4 (Fedora)
WWW-Authenticate: Negotiate sOmE_RanDom_T0k3n

Slide 42

Slide 42 text

ticket cache: the kinit step stores the credentials that curl --negotiate then draws on in the transcript above, so no password is ever sent to the web app.

Slide 43

Slide 43 text

two responses: first the 401 carrying the bare WWW-Authenticate: Negotiate challenge, then the 200 once the client has answered it with its ticket (the token in the second WWW-Authenticate header is the server's reply).
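The "does it negotiate?" question on the preceding slides comes down to reading those two responses correctly, and it is easy to mistake a plain 401 for success or to overlook a missing server token. As an added example, not from the talk, the following pure-Python check parses `curl -I --negotiate` output and classifies the outcome; the embedded transcript is reconstructed from the slide (a constructed sample, with the slide's placeholder token).

```python
"""Classify a `curl -I --negotiate` transcript as a working SPNEGO handshake.

Added example (not part of the talk). The transcript below is a constructed
sample reconstructed from the slide; the token is the slide's placeholder.
"""
import re

SAMPLE_TRANSCRIPT = """\
HTTP/1.1 401 Unauthorized
Date: Wed, 15 May 2013 09:10:18 GMT
Server: Apache/2.4.4 (Fedora)
WWW-Authenticate: Negotiate
Content-type text/html; charset=iso-8859-1

HTTP/1.1 200
Date: Wed, 15 May 2013 09:10:18 GMT
Server: Apache/2.4.4 (Fedora)
WWW-Authenticate: Negotiate sOmE_RanDom_T0k3n
"""

# Status line of each response in the transcript (HTTP/1.x and HTTP/2 forms).
STATUS_RE = re.compile(r"^HTTP/\d(?:\.\d)? (\d{3})")


def parse_responses(text):
    """Split `curl -I` output into a list of (status_code, headers) tuples.

    headers maps lower-cased header names to lists of values. A line with
    no colon (the slide's 'Content-type text/html; ...' is one) is kept
    under the empty name so nothing is silently dropped.
    """
    responses = []
    for line in text.splitlines():
        m = STATUS_RE.match(line)
        if m:
            responses.append((int(m.group(1)), {}))
            continue
        if not line.strip() or not responses:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            name, value = "", line
        responses[-1][1].setdefault(name.strip().lower(), []).append(value.strip())
    return responses


def negotiate_outcome(text):
    """Return one of: 'ok', 'no-challenge', 'not-authenticated',
    'no-mutual-auth', 'unexpected'."""
    responses = parse_responses(text)
    if not responses or responses[0][0] != 401:
        return "unexpected"            # anonymous access allowed, or not HTTP at all
    first_auth = responses[0][1].get("www-authenticate", [])
    if not any(v.lower() == "negotiate" for v in first_auth):
        return "no-challenge"          # server is not offering SPNEGO
    if len(responses) < 2:
        return "not-authenticated"     # curl had no ticket to answer with
    status, headers = responses[1]
    if status != 200:
        return "not-authenticated"     # ticket presented but rejected
    tokens = [v.split(None, 1) for v in headers.get("www-authenticate", [])]
    if not any(len(t) == 2 and t[0].lower() == "negotiate" for t in tokens):
        return "no-mutual-auth"        # authenticated, but no server token came back
    return "ok"
```

Feed it the output of `curl -I --negotiate -u : https://<fqdn>`; `not-authenticated` after a successful `kinit` usually points at the service principal or keytab rather than at the client, since the 401 challenge alone only proves that mod_auth_kerb is loaded.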

Slide 44

Slide 44 text

cURL, requests.py, browsers

Slide 45

Slide 45 text

authentication vs authorization

Slide 46

Slide 46 text

authentication vs authorization

Slide 47

Slide 47 text

accessing permissions

Slide 48

Slide 48 text

is user a member of “admins”, or “team players”, or “movers and shakers”, ...

Slide 49

Slide 49 text

your own kerberos environment

Slide 50

Slide 50 text

Crap. Now I’m the point person for this.

Slide 51

Slide 51 text

rogue.ly/circus @roguelynn

Slide 52

Slide 52 text

Background image: http://www.animalhi.com/Mammals/elephants/abstract_flying_elephants_circus_simplistic_simple_1920x1080_wallpaper_29579