Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Introduce Django to your old friends

Lynn Root
May 17, 2013
Programming
7
1.4k

Introduce Django to your old friends

Leverage Django 1.5’s custom user model to work with corporate/internal authentication networks (Kerberos, Active Directory, LDAP). Associated blog post: http://rogue.ly/circus

Lynn Root

May 17, 2013
Tweet

More Decks by Lynn Root

See All by Lynn Root
The Design of Everyday APIs
roguelynn
0
920
Music Is Just Wiggly Air
roguelynn
0
150
Advanced asyncio: Solving Real-world Production Problems
roguelynn
5
7.1k
asyncio: We Did It Wrong
roguelynn
1
3.9k
Tracing, Fast & Slow: Digging into and improving your web service's performance
roguelynn
0
570
How to spy with Python: So easy, the NSA can do it!
roguelynn
1
1.3k
Spotify's Love/Hate Relationship with DNS
roguelynn
3
830
Diversity: We're Not Done Yet
roguelynn
2
440
Why can't we be friends: do corporations & FOSS really mix?
roguelynn
0
150

Other Decks in Programming

See All in Programming
ゴーファーくんと学ぶGo言語の世界/golang-world-with-gopher
iwasiman
2
530
Androidアプリで安定して動作させ継続的に開発するために設計の原則を利用して開発した話
takahirom
0
680
時間を気にせず普通にカンニングもしつつ ISUCON12 本選問題を PHP でやってみる
sji
0
260
本当に 0 からの 関数型プログラミングの歩き始め方 / How to Walk into Functional Programming from Scratch
guvalif
0
190
Cloudflare 概論 Cloudflare Meetup Kick Off! #CloudflareUG
maroon1st
0
440
Kubernetes as a Service の利用者を支える機能 - Platform Engineering Meetup #1 / pfem01-amsy810-k8s
masayaaoyama
0
1k
Honoの3+1のルーターとそこにつながるPRがプロジェクトにもたらしたもの
usualoma
1
710
オンサイトキックオフでロケットスタート〜貴重なリアル対面を活かすやり方と構造〜
sasakendayo
0
280
たのしいRubyの構文解析ツアー
coe401_
1
630
EmojiPicker触ってみた
napplecomputer
0
200
いろいろなフレームワークの仕組みを index.php から読み解こう / index.php of each framework
okashoi
0
190
ChatGPTによるデータ変換がもたらすインパクト
masahiro_nishimi
3
3k

Featured

See All Featured
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
270
12k
KATA
mclloyd
12
10k
The Illustrated Children's Guide to Kubernetes
chrisshort
23
43k
Thoughts on Productivity
jonyablonski
50
2.8k
Gamification - CAS2011
davidbonilla
75
4.2k
How STYLIGHT went responsive
nonsquared
89
4.2k
Designing the Hi-DPI Web
ddemaree
273
33k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
14
1.2k
Faster Mobile Websites
deanohume
296
29k
Building Your Own Lightsaber
phodgson
96
4.9k
How GitHub Uses GitHub to Build GitHub
holman
466
280k
Navigating Team Friction
lara
177
12k

Transcript

  1. intentionally left blank

    View Slide

  2. getting django
    to play with
    old friends

    View Slide

  3. getting django
    to play with
    old friends
    or foes

    View Slide

  4. engineer @ red hat
    @roguelynn
    roguelynn.com
    Lynn Root

    View Slide

  5. Lynn Root
    freeipa.org

    View Slide

  6. Lynn Root
    freeipa.org
    IPA != India Pale Ale

    View Slide

  7. Lynn Root
    freeipa.org
    IPA == Identity, Policy, Audit

    View Slide

  8. Lynn Root
    freeipa.org
    IPA == Identity, Policy, Audit
    Alpha

    View Slide

  9. Playbill
    Setting up Custom User
    External Authentication
    External Permissions

    View Slide

  10. rogue.ly/circus

    View Slide

  11. View Slide

  12. Problem:
    Make an internal web app.

    View Slide

  13. Question:
    Can I use Postgres
    for auth?

    View Slide

  14. Crap.
    I have to use single sign-on.

    View Slide

  15. new User models
    +
    antiquated authentication

    View Slide

  16. ZOMG
    new user modelzz !1!!
    what does that mean?

    View Slide

  17. allows custom
    user identifiers

    View Slide

  18. ./manage.py startapp
    synegizerApp

    View Slide

  19. user model:

    View Slide

  20. # synergizerApp/models.py
    from django.contrib.auth.models import AbstractBaseUser
    class KerbUser(AbstractBaseUser):
    username = models.CharField(max_length=254, ...)
    first_name = models.CharField(...)
    last_name = models.CharField(...)
    email = models.EmailField(...)
    synergy_level = models.IntegerField()
    is_team_player = models.BooleanField(default=False)
    USERNAME_FIELD = 'username'
    REQUIRED_FIELDS = ['email', 'synergy_level']

    View Slide

  21. user manager:

    View Slide

  22. # synergizerApp/models.py
    from django.contrib.auth.models import (
    AbstractBaseUser, BaseUserManager)
    class KerbUserManager(BaseUserManager):
    def create_user(self, email, synergy_level,
    password=None):
    user = self.model(email=email,
    synergy_level=synergy_level)
    #
    return user
    def create_superuser(self, email, synergy_level,
    password):
    user = self.create_user(email, synergy_level,
    password=password)
    user.is_team_player = True
    user.save()
    return user

    View Slide

  23. # synergizerApp/models.py
    from django.contrib.auth.models import (
    AbstractBaseUser, BaseUserManager)
    ...
    class KerbUser(AbstractBaseUser):
    #
    objects = KerbUserManager()

    View Slide

  24. settings.py

    View Slide

  25. # settings.py
    AUTH_USER_MODEL = 'synergizerApp.KerbUser'
    MIDDLEWARE_CLASSES = (
    ...
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.auth.middleware.RemoteUserMiddleware',
    ...
    )
    AUTHENTICATION_BACKENDS = (
    'django.contrib.auth.backends.RemoteUserBackends',
    )
    team player!

    View Slide

  26. [email protected]
    STRATEGERY.COM

    View Slide

  27. [email protected]
    STRATEGERY.COM

    View Slide

  28. client-centric!!1!
    # synergizerApp/krb5.py
    from django.contrib.auth.backends import (
    RemoteUserBackend)
    class Krb5RemoteUserBackend(RemoteUserBackend):
    def clean_username(self, username):
    # remove @REALM from username
    return username.split("@")[0]

    View Slide

  29. # settings.py
    AUTH_USER_MODEL = 'synergizerApp.KerbUser'
    MIDDLEWARE_CLASSES = (
    ...
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.auth.middleware.RemoteUserMiddleware',
    ...
    )
    AUTHENTICATION_BACKENDS = (
    'synergizerApp.krb5.Krb5RemoteUserBackend',
    )
    a streamlining team player!

    View Slide

  30. how do I
    Apache?

    View Slide

  31. environment:
    Kerberos + Apache

    View Slide

  32. # /etc/httpd/conf.d/remote_user.conf
    LoadModule auth_kerb_module modules/mod_auth_kerb.so

    AuthName "DjangoConKerberos"
    AuthType Kerberos
    KrbMethodNegotiate On
    KrbMethodK5Passwd Off
    KrbServiceName HTTP/djangocon.rootcloud.com
    KrbAuthRealms ROOTCLOUD.COM
    Krb5KeyTab /etc/http.keytab
    Require valid-user
    Order Deny,Allow
    Deny from all
    Satisfy any

    View Slide

  33. # /etc/httpd/conf.d/remote_user.conf
    LoadModule auth_kerb_module modules/mod_auth_kerb.so

    AuthName "DjangoConKerberos"
    AuthType Kerberos
    KrbMethodNegotiate On
    KrbMethodK5Passwd Off
    KrbServiceName HTTP/djangocon.rootcloud.com
    KrbAuthRealms ROOTCLOUD.COM
    Krb5KeyTab /etc/http.keytab
    Require valid-user
    Order Deny,Allow
    Deny from all
    Satisfy any

    View Slide

  34. # /etc/httpd/conf.d/remote_user.conf
    LoadModule auth_kerb_module modules/mod_auth_kerb.so

    AuthName "DjangoConKerberos"
    AuthType Kerberos
    KrbMethodNegotiate On
    KrbMethodK5Passwd Off
    KrbServiceName HTTP/djangocon.rootcloud.com
    KrbAuthRealms ROOTCLOUD.COM
    Krb5KeyTab /etc/http.keytab
    Require valid-user
    Order Deny,Allow
    Deny from all
    Satisfy any

    View Slide

  35. mod_auth_kerb
    Enrolled host + service
    chown apache

    View Slide

  36. # /etc/httpd/conf.d/remote_user.conf
    LoadModule auth_kerb_module modules/mod_auth_kerb.so

    AuthName "DjangoConKerberos"
    AuthType Kerberos
    KrbMethodNegotiate On
    KrbMethodK5Passwd Off
    KrbServiceName HTTP/djangocon.rootcloud.com
    KrbAuthRealms ROOTCLOUD.COM
    Krb5KeyTab /etc/http.keytab
    Require valid-user
    Order Deny,Allow
    Deny from all
    Satisfy any

    View Slide

  37. does it negotiate?

    View Slide

  38. cURL
    requests.py
    browsers

    View Slide

  39. $ curl --negotiate
    -u : $FQDN

    View Slide

  40. [[email protected]]# kinit roguelynn
    Password for [email protected]:
    [[email protected]]# curl -I --negotiate -u : \
    https://synergizeapp.strategery.com
    HTTP/1.1 401 Unauthorized
    Date: Wed, 15 May 2013 09:10:18 GMT
    Server: Apache/2.4.4 (Fedora)
    WWW-Authenticate: Negotiate
    Content-type text/html; charset=iso-8859-1
    HTTP/1.1 200
    Date: Wed, 15 May 2013 09:10:18 GMT
    Server: Apache/2.4.4 (Fedora)
    WWW-Authenticate: Negotiate sOmE_RanDom_T0k3n

    View Slide

  41. [[email protected]]# kinit roguelynn
    Password for [email protected]:
    [[email protected]]# curl -I --negotiate -u : \
    https://synergizeapp.strategery.com
    HTTP/1.1 401 Unauthorized
    Date: Wed, 15 May 2013 09:10:18 GMT
    Server: Apache/2.4.4 (Fedora)
    WWW-Authenticate: Negotiate
    Content-type text/html; charset=iso-8859-1
    HTTP/1.1 200
    Date: Wed, 15 May 2013 09:10:18 GMT
    Server: Apache/2.4.4 (Fedora)
    WWW-Authenticate: Negotiate sOmE_RanDom_T0k3n

    View Slide

  42. [[email protected]]# kinit roguelynn
    Password for [email protected]:
    [[email protected]]# curl -I --negotiate -u : \
    https://synergizeapp.strategery.com
    HTTP/1.1 401 Unauthorized
    Date: Wed, 15 May 2013 09:10:18 GMT
    Server: Apache/2.4.4 (Fedora)
    WWW-Authenticate: Negotiate
    Content-type text/html; charset=iso-8859-1
    HTTP/1.1 200
    Date: Wed, 15 May 2013 09:10:18 GMT
    Server: Apache/2.4.4 (Fedora)
    WWW-Authenticate: Negotiate sOmE_RanDom_T0k3n
    ticket cache

    View Slide

  43. [[email protected]]# kinit roguelynn
    Password for [email protected]:
    [[email protected]]# curl -I --negotiate -u : \
    https://synergizeapp.strategery.com
    HTTP/1.1 401 Unauthorized
    Date: Wed, 15 May 2013 09:10:18 GMT
    Server: Apache/2.4.4 (Fedora)
    WWW-Authenticate: Negotiate
    Content-type text/html; charset=iso-8859-1
    HTTP/1.1 200
    Date: Wed, 15 May 2013 09:10:18 GMT
    Server: Apache/2.4.4 (Fedora)
    WWW-Authenticate: Negotiate sOmE_RanDom_T0k3n
    two responses

    View Slide

  44. cURL
    requests.py
    browsers

    View Slide

  45. authentication
    vs
    authorization

    View Slide

  46. authentication
    vs
    authorization

    View Slide

  47. accessing permissions

    View Slide

  48. is user a member of
    “admins”, or
    “team players”, or
    “movers and shakers”, ...

    View Slide

  49. your own
    kerberos environment

    View Slide

  50. Crap.
    Now I’m the point person
    for this.

    View Slide

  51. rogue.ly/circus
    @roguelynn

    View Slide

  52. Background image:
    http://www.animalhi.com/Mammals/elephants/
    abstract_flying_elephants_circus_simplistic_simple_1920x1080_wallpaper_29579

    View Slide