Commit 0c5332bf authored by Peter V. Saveliev's avatar Peter V. Saveliev

ndb: radius auth example + docs

parent 2cba6d95
......@@ -5,5 +5,30 @@ Authorization plugins
.. automodule:: pyroute2.ndb.auth_manager
Usecase: OpenStack Keystone auth
--------------------------------
Say we have a public service that provides access to NDB instance via
HTTP, and authenticates users via Keystone. Then the auth flow could be:
1. Accept a connection from a client
2. Create custom auth manager object A
3. A.__init__() validates X-Auth-Token against Keystone (Authentication)
4. A.check() checks that X-Auth-Token is not expired (Authorization)
5. The auth result is being logged (Accounting)
An example AuthManager with OpenStack APIv3 support you may find in the
`/examples/ndb/` directory.
.. literalinclude:: ../examples/ndb/keystone_auth.py
:language: python
:caption: keystone_auth.py
:name: keystone_auth
Usecase: RADIUS auth
--------------------
.. literalinclude:: ../examples/ndb/radius_auth.py
:language: python
:caption: radius_auth.py
:name: radius_auth
'''
An example of using RADIUS authentication with NDB.
In order to run the example you can setup a FreeRADIUS server::
# /etc/raddb/clients
client test {
ipaddr = 192.168.122.101 # IP addr of your client
secret = s3cr3t
}
# /etc/raddb/users
testing Cleartext-Password := "secret"
Then setup your client::
# download RADIUS dictionaries
$ export GITSERVER=https://raw.githubusercontent.com
$ export DICTPATH=pyradius/pyrad/master/example
$ wget $GITSERVER/$DICTPATH/dictionary
$ wget $GITSERVER/$DICTPATH/dictionary.freeradius
# setup the environment
$ cat radius.rc
export RADIUS_SERVER=192.168.122.1
export RADIUS_SECRET=s3cr3t
export PYTHONPATH=`pwd`
$ . radius.rc
$ python examples/ndb/radius_auth.py testing secret
'''
import os
import sys
from pyrad.client import Client
from pyrad.dictionary import Dictionary
import pyrad.packet
from pyroute2 import NDB
class RadiusAuthManager(object):
def __init__(self, user, password, log):
client = Client(server=os.environ.get('RADIUS_SERVER'),
secret=os.environ.get('RADIUS_SECRET').encode('ascii'),
dict=Dictionary('dictionary'))
req = client.CreateAuthPacket(code=pyrad.packet.AccessRequest,
User_Name=user)
req['User-Password'] = req.PwCrypt(password)
reply = client.SendPacket(req)
self.auth = reply.code
self.log = log
def check(self, obj, tag):
#
self.log.info('%s access' % (tag, ))
return self.auth == pyrad.packet.AccessAccept
with NDB(log='debug') as ndb:
# create a utility log channel
log = ndb.log.channel('main')
# create an AuthManager-compatible object
log.info('request radius auth')
am = RadiusAuthManager(sys.argv[1],
sys.argv[2],
ndb.log.channel('radius'))
log.info('radius auth complete')
# create an auth proxy for these credentials
ap = ndb.auth_proxy(am)
# validate access via that proxy
print(ap.interfaces['lo'])
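Review bot: In `RadiusAuthManager.__init__`, `os.environ.get('RADIUS_SECRET').encode('ascii')` fails with an unhelpful `AttributeError` when the variable is unset, and the script reads the user's password from `sys.argv[2]`, where it is visible in the process list and shell history. Read the secret with `os.environ['RADIUS_SECRET']` (or test for `None` and raise a clear error), and prompt for the password with `getpass.getpass()` instead of taking it as an argument. `check()` logs `'%s access' % (tag, )` without the user name or the accept/reject outcome, so the log cannot serve as the accounting record that the Keystone flow in the docs describes; compute `granted = self.auth == pyrad.packet.AccessAccept`, then `self.log.info('%s access: %s', tag, granted)` and return `granted`. An exception from `client.SendPacket(req)` appears to propagate out of the constructor, which fails closed; a comment stating that this is intended would help, and the empty `#` comment in `check()` should be filled in or dropped.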
......@@ -50,20 +50,6 @@ You can implement custom AuthManager classes, the only requirement -- they
must provide `.check(self, obj, tag)` routine, which returns `True` or
`False` or raises an exception.
Usecase: OpenStack Keystone auth
--------------------------------
Say we have a public service that provides access to NDB instance via
HTTP, and authenticates users via Keystone. Then the auth flow could be:
1. Accept a connection from a client
2. Create custom auth manager object A
3. A.__init__() validates X-Auth-Token against Keystone (Authentication)
4. A.check() checks that X-Auth-Token is not expired (Authorization)
5. The auth result is being logged (Accounting)
An example AuthManager with OpenStack APIv3 support you may find in the
`/examples/ndb/` directory.
'''
from pyroute2.common import PermissionError
......