Observium: OBS-3048

Trusting web server auth


Details

    • New Feature
    • Resolution: Fixed
    • Minor
    • None
    • Professional Edition
    • Authentication

    Description

      We have a need for Observium to trust users that have already been authenticated by the web server. It seems unnecessary to build support for myriad authentication methods into Observium when Apache already has many available. In our case, users are already authenticated via SAML by mod_auth_mellon.

      The "http-auth" authentication module does not do this. It prompts for basic auth, and requires that the user and password already exist in the MySQL database. In effect, all it really does is replace the pretty Observium login screen with a Basic auth popup. The user already has to exist in Observium, plus the webserver authentication module needs to provide a password, which is impossible in many cases.

      I chose not to "fix" this module to the way I would have expected it to work, because possibly someone is already relying on the way it works.

      Instead, I created a new module "remote" which basically trusts that the webserver has already authenticated the user.

      It takes various config options, documented in the file:

      auth_remote_variable - what server variable to use (defaults to REMOTE_USER).

      auth_remote_userlevel - what user level to give to remotely authenticated users. All users are automatically given this privilege level. (A future improvement to this module could instead actually create users in MySQL and back-end the user privileges to MySQL, however for my use case, simply giving them a fixed privilege is sufficient.)

      auth_remote_logout_url - what URL to redirect the user to in order to perform a logout. This is needed because even if we clear our session variable, the user will just get logged back in on the next pageview. If this variable is not set, the logout button is not available.

      Please note that I have also had to make a few changes to the Observium core (against r9962/STABLE):

      authenticate.inc.php - I centralised all the places that do session_set_var('auth_message') followed by a redirect to the front page, because redirecting to the front page when the user is already logged in from outside just creates an infinite loop. This new function is reauth_with_message; for all existing auth methods it sets the variable and redirects as before, but for 'remote' it just prints the message and exits.

      authenticate.inc.php - logout - Where Observium can't fully perform the logout itself, if the authentication method provides the method _auth_logout_url() it will redirect to that URL instead.

      authenticate-functions.inc.php - Added a new hook _auth_logout_url(), which defaults to null if Observium can perform the logout on its own.

      index.php - as with CAS, this is a failsafe in the case that a pageview somehow arrives that is not authenticated. As the default case of redirecting to the login page makes no sense, just die as CAS does.

      I attach a patch.
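The following is an added illustration of the trust-the-web-server pattern described in this issue; it is not the attached patch and not Observium's own code. It reads the configured server variable (the three `auth_remote_*` options from the description), grants the fixed user level, and exposes a logout URL. All function names and the sample values are assumptions made for the example. The one check worth noting for anyone deploying such a module: only variables the web server itself sets (such as `REMOTE_USER` populated by mod_auth_mellon) can be trusted, because anything that arrives as a request header shows up in `$_SERVER` under an `HTTP_` prefix and is controlled by the client.

```php
<?php
// Added illustration (not Observium's code): a minimal "remote"-style auth
// module that trusts a server variable set by the web server and grants a
// fixed user level. Function names are assumptions; only the three
// auth_remote_* options come from the issue text.

$config = array(
  'auth_mechanism'         => 'remote',
  'auth_remote_variable'   => 'REMOTE_USER',   // server variable to trust
  'auth_remote_userlevel'  => 5,               // fixed level for remote users (example value)
  'auth_remote_logout_url' => 'https://sso.example.invalid/logout', // hypothetical IdP logout
);

/**
 * Return the remotely authenticated username, or null if the web server
 * did not authenticate this request.
 *
 * Only $_SERVER-style data is consulted. Values that arrive as HTTP request
 * headers appear with an HTTP_ prefix and are client-controlled, so they are
 * refused: trusting REMOTE_USER is only safe because the web server sets it.
 */
function remote_auth_username(array $config, array $server)
{
  $var = isset($config['auth_remote_variable']) ? $config['auth_remote_variable'] : 'REMOTE_USER';

  if (strncmp($var, 'HTTP_', 5) === 0) {
    return null; // a request header, not something the web server vouched for
  }
  if (empty($server[$var]) || !is_string($server[$var])) {
    return null; // web server did not authenticate this request
  }
  $user = trim($server[$var]);
  // Keep the identifier printable and bounded before it reaches session, DB or logs.
  if ($user === '' || strlen($user) > 255 || preg_match('/[\x00-\x1f\x7f]/', $user)) {
    return null;
  }
  return $user;
}

/** Fixed privilege level for every remotely authenticated user. */
function remote_auth_userlevel(array $config)
{
  return isset($config['auth_remote_userlevel']) ? (int) $config['auth_remote_userlevel'] : 1;
}

/** Logout URL hook: null means the application can log out on its own. */
function remote_auth_logout_url(array $config)
{
  return !empty($config['auth_remote_logout_url']) ? $config['auth_remote_logout_url'] : null;
}

// Constructed request environment standing in for a web-server-authenticated hit.
// HTTP_X_REMOTE_USER is a client-supplied header and must never be used for identity.
$server = array(
  'REMOTE_USER'        => 'alice@example.invalid',
  'HTTP_X_REMOTE_USER' => 'admin',
);

$user = remote_auth_username($config, $server);
if ($user === null) {
  // Mirrors the index.php failsafe from the issue: with no local login page
  // that makes sense, refuse the request instead of redirecting.
  http_response_code(401);
  die("Not authenticated by the web server.\n");
}

$_SESSION['username']  = $user;
$_SESSION['userlevel'] = remote_auth_userlevel($config);
$logout = remote_auth_logout_url($config);

echo "Logged in $user at level {$_SESSION['userlevel']}; logout via "
   . ($logout !== null ? $logout : 'local session clear') . "\n";
```

Running this from the command line prints the `alice@example.invalid` login at level 5 and the configured logout URL; changing `auth_remote_variable` to `HTTP_X_REMOTE_USER` makes `remote_auth_username()` return null, which is the behaviour you want when an operator mistakenly points the module at a header.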

          People

            landy Mike Stupalov
            davidc David Croft