Apache mod_auth_tkt and Python AuthTkt

Information freshness

Background

About related documents

First of all, I went looking for documentation to get an overview of the "ticket authentication" provided by mod_auth_tkt. However, there is not much documentation for either module.

However, the information contained in the cookie itself is simple, so it didn't seem too much trouble.

It's the main source of information ...

In this article, I will write only an overview.

mod_auth_tkt / AuthTkt is good!

The ticket issuer (this time a Django site) and the ticket consumer (this time a specific Apache directory) share the following:

While sharing these two, the ticket issuer

Save the ticket as a cookie based on. Although they are listed side by side, strictly speaking the "common secret" and "hash algorithm" are what is needed to create a ticket, whereas the "user name" and "IP address" are the information contained in the ticket (cookie).

Apache uses the name of the cookie and a common secret to verify the ticket and

Confirm such as, and perform authentication / authorization.

You can specify multiple tokens on both sides (they are optional). If the consumer expects the "admin" token, the issuer must embed the "admin" token in the ticket. I think we can achieve some access control this way. (However, since I can only have one common secret, building a rigid ACL on top of this feels somehow off.)

It seems that you can specify the validity range and expiration date of the ticket in some detail, but that is outside the scope of this article.
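The issuer and consumer roles described above, shown as an added example (not code from the original article, mod_auth_tkt or AuthTkt). It assumes the commonly documented ticket layout (hex digest, 8-hex-digit timestamp, then user!tokens!user_data) with a two-pass digest; the function names, the sample values and the 7200-second timeout are made up for illustration, so check the layout against the module version you deploy.

```python
import hashlib
import hmac
import socket
import struct

# Assumed layout (added example): digest + "%08x" timestamp + user!tokens!data
DIGESTS = {"md5": hashlib.md5, "sha256": hashlib.sha256}


def _digest(secret, user, ip, ts, tok, data, algo):
    """Two-pass digest over packed IPv4 + timestamp, secret and fields."""
    h = DIGESTS[algo]
    packed = socket.inet_aton(ip) + struct.pack("!I", ts)
    inner = h(packed + secret + user.encode() + b"\0"
              + tok.encode() + b"\0" + data.encode()).hexdigest()
    return h(inner.encode() + secret).hexdigest()


def make_ticket(secret, user, ip, ts, tokens=(), data="", algo="md5"):
    """Issuer side: build the cookie value from the shared secret and fields."""
    tok = ",".join(tokens)
    digest = _digest(secret, user, ip, ts, tok, data, algo)
    value = "%s%08x%s!" % (digest, ts, user)
    return value + (tok + "!" if tok else "") + data


def verify_ticket(cookie, secret, client_ip, now, timeout=7200,
                  required_token=None, algo="md5"):
    """Consumer side: return (user, tokens) or raise ValueError."""
    n = DIGESTS[algo]().digest_size * 2  # length of the hex digest
    try:
        ts = int(cookie[n:n + 8], 16)
        user, rest = cookie[n + 8:].split("!", 1)
        tok, data = rest.split("!", 1) if "!" in rest else ("", rest)
        expected = _digest(secret, user, client_ip, ts, tok, data, algo)
    except (ValueError, struct.error):
        raise ValueError("malformed ticket") from None
    # Constant-time compare; fails on tampering, wrong secret or another IP.
    if not hmac.compare_digest(expected.encode(), cookie[:n].encode()):
        raise ValueError("digest mismatch")
    if now - ts > timeout:
        raise ValueError("ticket expired")
    tokens = tok.split(",") if tok else []
    if required_token and required_token not in tokens:
        raise ValueError("required token missing")
    return user, tokens
```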

Preparing the environment

# apt-get install mod_auth_tkt
# pip install -U AuthTkt

Apache side setting example

There are quite a few examples on the mod_auth_tkt man page, so I think it is better to look there ...

TKTAuthSecret "Ukaga"

<Directory /opt/griflet/data/result/>
    AuthType None
    TKTAuthLoginURL http://example.com/django/issue_ticket
    TKTAuthDomain example.com
    TKTAuthDebug 3
</Directory>

On Debian, /etc/apache2/mods-enabled/auth_tkt.conf has a section where TKTAuthSecret is expected to be written.

If TKTAuthDebug is set, errors will appear in error.log. I leave all further explanation to the man page.

django side implementation example

The cookie settings in particular are quite likely to be sloppy, but here it is for the time being. (urls.py and everything else are omitted.)

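from django.contrib.auth.decorators import login_required
from django.shortcuts import render

import authtkt  # module providing AuthTicket, as used below

# utils, TKT_AUTH_SECRET, TKT_AUTH_DOMAIN and NAMESPACE are defined elsewhere
# in the project (omitted here).


@login_required
def issue_ticket(request):
    user = request.user
    # http://stackoverflow.com/questions/4581789/how-do-i-get-user-ip-address-in-django
    ip = utils.get_client_ip(request)
    # Build a ticket bound to the user name and client IP, carrying the 'user' token
    token = authtkt.AuthTicket(TKT_AUTH_SECRET,
                               user.username,
                               ip,
                               tokens=['user'])
    # TODO: redirect instead of rendering a page
    response = render(request, '{}/hello.html'.format(NAMESPACE), {})
    response.set_cookie('auth_tkt', token.cookie_value(),
                        domain=TKT_AUTH_DOMAIN)
    return response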

As noted in the TODO, when you access without a ticket, you are redirected to this page ("TKTAuthLoginURL") with the return URL set in the "back" query parameter. Redirect the user back to it.

reference

There are a lot of confusing modules, especially on the Python implementation side

Please decide for yourself which one is better. However, as long as the specification on the consumer side (Apache) has not changed, there should be virtually no difference in what they do.

Challenges I felt

It seems that many people think this is fine at the small scale we have in mind this time, but questionable at a large scale.

Summary

Just remembering that this approach is available will make it easier to look into later.

Postscript (2014-01-10)

After a little more research, I should also report that it did not suit my purpose.

For example, suppose you build a Django website in which multiple projects are dynamically created and removed (for example, project management). In that case, I would like to issue a different type of ticket for each project and change which files can be downloaded according to the type of ticket.

This cannot be done with Apache mod_auth_tkt alone.

Specifically, the current implementation of mod_auth_tkt does not allow variables in TKTAuthToken at all. Even if you set an Apache environment variable with SetEnvIf, it does not seem to be picked up, at least in the version I checked. I looked at the source code as well, and there is no logic to handle it.

I heard about X-SendFile, so I'll try it.
