Mailing List Archive: Request Tracker: Devel

Patch to allow alternate REMOTE_USER variable for WebExternalAuth.

Index | Next | Previous | View Threaded

smithj4 at bnl

Sep 24, 2009, 12:08 PM

Post #1 of 6 (1465 views)
Permalink

Patch to allow alternate REMOTE_USER variable for WebExternalAuth.

We are are testing WebAuth with RT and for it to work with
WebExternalAuth, I needed to have RT look for a variable name different
than the default REMOTE_USER. Since Apache reserves REMOTE_USER for its
own purposes, WebAuth cannot use that variable. So, we have our WebAuth
server set a different variable which contains the user's login name.
The attached patch adds an additional config variable and changes the
WebCanonicalizeInfo function to return the value of that variable, if
specified, or the default REMOTE_USER if not set.

I tested this with our WebAuth server and rt-3.8.5.

~Jason

--
/------------------------------------------------------------------\
| Jason A. Smith Email: smithj4 [at] bnl |
| Atlas Computing Facility, Bldg. 510M Phone: +1-631-344-4226 |
| Brookhaven National Lab, P.O. Box 5000 Fax: +1-631-344-7616 |
| Upton, NY 11973-5000, U.S.A. |
\------------------------------------------------------------------/

Attachments:

rt-3.8.5-webauth-remote-user.patch (1.70 KB)

smime.p7s (3.81 KB)

jesse at bestpractical

Sep 24, 2009, 2:37 PM

Post #2 of 6 (1410 views)
Permalink

Re: Patch to allow alternate REMOTE_USER variable for WebExternalAuth. [In reply to]

It's our intent that sites override WebCanonicalizeInfo locally (to do
something like what you have done). Because of that, I'm not sure it
makes a lot of sense to clutter that sub with options.

On Thu, Sep 24, 2009 at 03:08:09PM -0400, Jason A. Smith wrote:
> We are are testing WebAuth with RT and for it to work with
> WebExternalAuth, I needed to have RT look for a variable name different
> than the default REMOTE_USER. Since Apache reserves REMOTE_USER for its
> own purposes, WebAuth cannot use that variable. So, we have our WebAuth
> server set a different variable which contains the user's login name.
> The attached patch adds an additional config variable and changes the
> WebCanonicalizeInfo function to return the value of that variable, if
> specified, or the default REMOTE_USER if not set.
>
> I tested this with our WebAuth server and rt-3.8.5.
>
> ~Jason
>
>
> --
> /------------------------------------------------------------------\
> | Jason A. Smith Email: smithj4 [at] bnl |
> | Atlas Computing Facility, Bldg. 510M Phone: +1-631-344-4226 |
> | Brookhaven National Lab, P.O. Box 5000 Fax: +1-631-344-7616 |
> | Upton, NY 11973-5000, U.S.A. |
> \------------------------------------------------------------------/
>

> diff -urN rt-3.8.5-dist/etc/RT_Config.pm rt-3.8.5/etc/RT_Config.pm
> --- rt-3.8.5-dist/etc/RT_Config.pm 2009-09-14 13:57:24.000000000 -0400
> +++ rt-3.8.5/etc/RT_Config.pm 2009-09-22 10:17:12.000000000 -0400
> @@ -975,6 +975,15 @@
>
> Set($WebExternalAuth, undef);
>
> +=item C<$WebExternalAuthVarName>
> +
> +If C<$WebExternalAuthVarName> is defined, RT will use that environment
> +variable instead of the default REMOTE_USER.
> +
> +=cut
> +
> +Set($WebExternalAuthVarName, undef);
> +
> =item C<$WebFallbackToInternalAuth>
>
> If C<$WebFallbackToInternalAuth> is defined, the user is allowed a chance
> diff -urN rt-3.8.5-dist/etc/RT_Config.pm.in rt-3.8.5/etc/RT_Config.pm.in
> --- rt-3.8.5-dist/etc/RT_Config.pm.in 2009-09-14 13:23:22.000000000 -0400
> +++ rt-3.8.5/etc/RT_Config.pm.in 2009-09-22 10:22:08.000000000 -0400
> @@ -975,6 +975,15 @@
>
> Set($WebExternalAuth, undef);
>
> +=item C<$WebExternalAuthVarName>
> +
> +If C<$WebExternalAuthVarName> is defined, RT will use that environment
> +variable instead of the default REMOTE_USER.
> +
> +=cut
> +
> +Set($WebExternalAuthVarName, undef);
> +
> =item C<$WebFallbackToInternalAuth>
>
> If C<$WebFallbackToInternalAuth> is defined, the user is allowed a chance
> diff -urN rt-3.8.5-dist/lib/RT/Interface/Web.pm rt-3.8.5/lib/RT/Interface/Web.pm
> --- rt-3.8.5-dist/lib/RT/Interface/Web.pm 2009-09-14 13:23:22.000000000 -0400
> +++ rt-3.8.5/lib/RT/Interface/Web.pm 2009-09-22 14:29:28.000000000 -0400
> @@ -123,7 +123,8 @@
> =cut
>
> sub WebCanonicalizeInfo {
> - return $ENV{'REMOTE_USER'}? lc $ENV{'REMOTE_USER'}: $ENV{'REMOTE_USER'};
> + my $var = $RT::WebExternalAuthVarName ? $RT::WebExternalAuthVarName : 'REMOTE_USER';
> + return $ENV{$var}? lc $ENV{$var}: $ENV{$var};
> }
>
> # }}}

> _______________________________________________
> List info: http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-devel

--
_______________________________________________
List info: http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-devel

smithj4 at bnl

Sep 24, 2009, 4:43 PM

Post #3 of 6 (1393 views)
Permalink

Re: Patch to allow alternate REMOTE_USER variable for WebExternalAuth. [In reply to]

On Thu, 2009-09-24 at 17:37 -0400, Jesse Vincent wrote:
> It's our intent that sites override WebCanonicalizeInfo locally (to do
> something like what you have done). Because of that, I'm not sure it
> makes a lot of sense to clutter that sub with options.

Hi Jesse,

Ok, I understand, although it is much easier for a sysadmin to modify a
config setting than create their own Mason file to override an internal
RT function. Also, consider the fact that single sign-on systems
outside of apache (which therefore can't use REMOTE_USER) are becoming
more popular, maybe it would be worth it to add an additional config
option. There may be more people in the future who encounter the same
problem I did when trying to put RT behind their local SSO, and wonder
how to get RT to read the username. Either way, I now know how to fix
it for us now.

Thanks,
~Jason

> On Thu, Sep 24, 2009 at 03:08:09PM -0400, Jason A. Smith wrote:
> > We are are testing WebAuth with RT and for it to work with
> > WebExternalAuth, I needed to have RT look for a variable name different
> > than the default REMOTE_USER. Since Apache reserves REMOTE_USER for its
> > own purposes, WebAuth cannot use that variable. So, we have our WebAuth
> > server set a different variable which contains the user's login name.
> > The attached patch adds an additional config variable and changes the
> > WebCanonicalizeInfo function to return the value of that variable, if
> > specified, or the default REMOTE_USER if not set.
> >
> > I tested this with our WebAuth server and rt-3.8.5.
> >
> > ~Jason

--
/------------------------------------------------------------------\
| Jason A. Smith Email: smithj4 [at] bnl |
| Atlas Computing Facility, Bldg. 510M Phone: +1-631-344-4226 |
| Brookhaven National Lab, P.O. Box 5000 Fax: +1-631-344-7616 |
| Upton, NY 11973-5000, U.S.A. |
\------------------------------------------------------------------/

Attachments:

smime.p7s (3.81 KB)

jesse at bestpractical

Sep 25, 2009, 6:45 AM

Post #4 of 6 (1389 views)
Permalink

Re: Patch to allow alternate REMOTE_USER variable for WebExternalAuth. [In reply to]

On Thu, Sep 24, 2009 at 07:43:02PM -0400, Jason A. Smith wrote:
> On Thu, 2009-09-24 at 17:37 -0400, Jesse Vincent wrote:
> > It's our intent that sites override WebCanonicalizeInfo locally (to do
> > something like what you have done). Because of that, I'm not sure it
> > makes a lot of sense to clutter that sub with options.
>
> Hi Jesse,
>
> Ok, I understand, although it is much easier for a sysadmin to modify a
> config setting than create their own Mason file to override an internal
> RT function.

Right, but the range of what users want here turns out to end up at
"write a local-specific subroutine" far more often than, say, the code
you propose. There's just too wide a variation in how these systems
work.

That said, you _can_ do this entirely from the config file.

in RT_SiteConfig;

use RT::Interface::Web;
{ no warnings 'redefine';
sub RT::Interface::Web::CanonicalizeUserInfo {
my $self = shift;
# do some stuff

}
}

> Also, consider the fact that single sign-on systems
> outside of apache (which therefore can't use REMOTE_USER) are becoming
> more popular, maybe it would be worth it to add an additional config
> option. There may be more people in the future who encounter the same
> problem I did when trying to put RT behind their local SSO, and wonder
> how to get RT to read the username. Either way, I now know how to fix
> it for us now.
>
> Thanks,
> ~Jason
>
> > On Thu, Sep 24, 2009 at 03:08:09PM -0400, Jason A. Smith wrote:
> > > We are are testing WebAuth with RT and for it to work with
> > > WebExternalAuth, I needed to have RT look for a variable name different
> > > than the default REMOTE_USER. Since Apache reserves REMOTE_USER for its
> > > own purposes, WebAuth cannot use that variable. So, we have our WebAuth
> > > server set a different variable which contains the user's login name.
> > > The attached patch adds an additional config variable and changes the
> > > WebCanonicalizeInfo function to return the value of that variable, if
> > > specified, or the default REMOTE_USER if not set.
> > >
> > > I tested this with our WebAuth server and rt-3.8.5.
> > >
> > > ~Jason
>
> --
> /------------------------------------------------------------------\
> | Jason A. Smith Email: smithj4 [at] bnl |
> | Atlas Computing Facility, Bldg. 510M Phone: +1-631-344-4226 |
> | Brookhaven National Lab, P.O. Box 5000 Fax: +1-631-344-7616 |
> | Upton, NY 11973-5000, U.S.A. |
> \------------------------------------------------------------------/

--
_______________________________________________
List info: http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-devel

smithj4 at bnl

Sep 25, 2009, 8:31 AM

Post #5 of 6 (1391 views)
Permalink

Re: Patch to allow alternate REMOTE_USER variable for WebExternalAuth. [In reply to]

On Fri, 2009-09-25 at 09:45 -0400, Jesse Vincent wrote:
>
> Right, but the range of what users want here turns out to end up at
> "write a local-specific subroutine" far more often than, say, the code
> you propose. There's just too wide a variation in how these systems
> work.
>
> That said, you _can_ do this entirely from the config file.
>
> in RT_SiteConfig;
>
> use RT::Interface::Web;
> { no warnings 'redefine';
> sub RT::Interface::Web::CanonicalizeUserInfo {
> my $self = shift;
> # do some stuff
>
> }
> }

Hi Jesse,

Thanks for the suggestion, I hadn't thought of doing it that way, I will
try it out. Did you see my other email about "ExternalAuth fallback to
InternalAuth behavior"? If I understand the code correctly, it looks
like when WebExternalAuth is enabled, the existing $session data is
always ignored and reloaded from scratch for every RT access. In
addition there are a few redundant calls to create the session object in
rt-3.8.5/share/html/autohandler:

$session{'CurrentUser'} = RT::CurrentUser->new;

~Jason

--
/------------------------------------------------------------------\
| Jason A. Smith Email: smithj4 [at] bnl |
| Atlas Computing Facility, Bldg. 510M Phone: +1-631-344-4226 |
| Brookhaven National Lab, P.O. Box 5000 Fax: +1-631-344-7616 |
| Upton, NY 11973-5000, U.S.A. |
\------------------------------------------------------------------/

Attachments:

smime.p7s (3.81 KB)

jesse at bestpractical

Sep 28, 2009, 12:51 PM

Post #6 of 6 (1361 views)
Permalink

Re: Patch to allow alternate REMOTE_USER variable for WebExternalAuth. [In reply to]

> try it out. Did you see my other email about "ExternalAuth fallback to
> InternalAuth behavior"? If I understand the code correctly, it looks
> like when WebExternalAuth is enabled, the existing $session data is
> always ignored and reloaded from scratch for every RT access. In
> addition there are a few redundant calls to create the session object in
> rt-3.8.5/share/html/autohandler:
>
> $session{'CurrentUser'} = RT::CurrentUser->new;

That's going to be the user in the session, not the session itself.

>
> ~Jason
>
>
> --
> /------------------------------------------------------------------\
> | Jason A. Smith Email: smithj4 [at] bnl |
> | Atlas Computing Facility, Bldg. 510M Phone: +1-631-344-4226 |
> | Brookhaven National Lab, P.O. Box 5000 Fax: +1-631-344-7616 |
> | Upton, NY 11973-5000, U.S.A. |
> \------------------------------------------------------------------/
>

--
_______________________________________________
List info: http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-devel

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads