Basic Auth in your LA node without CAS
If you need to use LA software without the CAS authentication system (for instance in an initial deploy), you need two main steps to protect your /admin/ web interfaces:
- Configure Basic Auth in your proxy
- Disable CAS in the different services you are deploying
Take into account that without CAS several things will currently not work in your services, such as:
- the new download plugin
- some functionality in image-service, like select/delete & albums
- some species lists actions, like deletion, setting the 'authoritative' flag, ...
- some spatial admin tasks
- etc
Let's use the collectory service as a sample. First you have to find out what is authenticated by default via CAS, so we do:
$ grep uri_filter_pattern ansible/roles/collectory/templates/config/*
security.cas.uriFilterPattern={{ collectory_uri_filter_pattern | default('/admin.*,/admin/.*,/admin/.*/.*,/collection.*,/institution.*,/contact.*,/reports.*,/providerCode.*,/providerMap.*,/dataProvider.*,/dataResource.*,/dataHub.*,/manage/.*') }}
and transform this filter into Basic Auth rules (in this example using Apache).
You need to run a2enmod include to use includes.
Use passwd to create and manage users in, for instance, /etc/apache2/la-users-password.
Then create the /etc/la directory and a file like:
# /etc/la/basic-auth.conf
AuthType Basic
AuthName "Authentication Required"
AuthUserFile /etc/apache2/la-users-password
<RequireAny>
Require env noauth
Require env REDIRECT_noauth
Require valid-user
</RequireAny>
And create an admin-collectory.conf file requesting auth for each previous CAS filter.
# /etc/la/admin-collectory.conf
<Location /admin>
Include /etc/la/basic-auth.conf
</Location>
<Location /collection>
Include /etc/la/basic-auth.conf
</Location>
<Location /institution>
Include /etc/la/basic-auth.conf
</Location>
(...)
<Location /manage>
Include /etc/la/basic-auth.conf
</Location>
This sample is truncated.
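An added example (not part of the original wiki): Python that derives the Apache blocks from the default CAS filter shown in the grep output above, so no protected path is forgotten when the list is written by hand. It assumes the filter entries are regular expressions matched from the start of the request path, so it emits `<LocationMatch>` instead of `<Location>`, because `<Location /collection>` does not cover a path such as `/collectionX` that `/collection.*` would. All function names are hypothetical.

```python
import re

# Template line copied from the grep output on this page.
TEMPLATE_LINE = (
    "security.cas.uriFilterPattern={{ collectory_uri_filter_pattern | "
    "default('/admin.*,/admin/.*,/admin/.*/.*,/collection.*,/institution.*,"
    "/contact.*,/reports.*,/providerCode.*,/providerMap.*,/dataProvider.*,"
    "/dataResource.*,/dataHub.*,/manage/.*') }}"
)

def default_patterns(line):
    """Return the comma-separated default filter of a Jinja template line."""
    m = re.search(r"default\('([^']*)'\)", line)
    if not m:
        raise ValueError("no default('...') filter in template line")
    return [p.strip() for p in m.group(1).split(",") if p.strip()]

def covers(broad, narrow):
    """True if 'broad' is '<literal prefix>.*' and 'narrow' extends that prefix."""
    prefix = broad[:-2]
    if not broad.endswith(".*") or not re.fullmatch(r"[\w/-]+", prefix):
        return False
    rest = narrow[len(prefix):]
    # A quantifier right after the prefix would change its last character.
    return narrow.startswith(prefix) and rest[:1] not in ("*", "?", "+", "{")

def minimal_patterns(patterns):
    """Drop entries already covered by a broader entry, keeping input order."""
    uniq = list(dict.fromkeys(patterns))
    return [p for p in uniq if not any(covers(k, p) for k in uniq if k != p)]

def render(patterns, include="/etc/la/basic-auth.conf"):
    """Emit one anchored LocationMatch block per remaining filter entry."""
    return "".join(
        f'<LocationMatch "^{p}">\nInclude {include}\n</LocationMatch>\n'
        for p in minimal_patterns(patterns)
    )

if __name__ == "__main__":
    # Assumed usage: redirect the output to /etc/la/admin-collectory.conf
    print(render(default_patterns(TEMPLATE_LINE)), end="")
```

Run it with the template line of each service you are deploying and review the output before including it in the vhost.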
Then include /etc/la/admin-collectory.conf in your collectory vhost configuration, like:
<VirtualHost *:443>
ServerName collectory.yourlivingatlas.org
(...)
Include /etc/la/admin-collectory.conf
ErrorLog ${APACHE_LOG_DIR}/error.log
(...)
</VirtualHost>
Then leave the previous security.cas.uriFilterPattern blank in each service and disable CAS.
For instance, in collectory, after running ansible you should get something like:
security.cas.uriFilterPattern=
security.cas.bypass=true
disableCAS=true
in your /data/ala-collectory/config/ala-collectory-config.properties.
Take into account that each service has a different ansible variable name for this filter. So with:
bie_base_uri_filter_pattern=
bie_index_uri_filter_pattern=
collectory_uri_filter_pattern=
images_uri_filter_pattern=
specieslist_uri_filter_pattern=
logger_uri_filter_pattern=
regions_uri_filter_pattern=
biocache_hub_uri_filter_pattern=
bypass_cas=true
adapted to your inventory or inventories, you will disable CAS in these services.
In the future, if you install a CAS system, you can comment out these filters (so ansible will use the default filter value) and set bypass_cas=false to enable CAS authentication.