Authentication plugins
ToMaTo has an authentication plugin system that allows user databases to be integrated via plugins. The plugins to use can be configured in the backend configuration file.
The configured plugins will be queried one after another, and the first one that accepts the credentials will determine the user object. If no plugin accepts the credentials, the user will be rejected.
Users that have been accepted by an authentication plugin will be stored in the database along with a password hash so that future logins can be handled without querying the plugin again. This yields an enormous performance increase since each request to the backend must be authenticated and no session is kept. The user records in the database have a timestamp and expire after a configurable timeout so that changes in the user database represented by the plugin will also change the ToMaTo user data.
The ToMaTo user names are a combination of the user name given in the credentials suffixed by the name of the authentication provider (name@provider). This way authentication plugins can be used multiple times with different names.
The dict plugin is a very simple authentication plugin that lists all available users directly in the configuration file. Administrators and users along with their passwords are given as parameters to the authentication plugin. Passwords can either be given as clear-text or as a hash obtained by a configurable hashing algorithm.
Note that the user data will only be loaded on the start of the backend, i.e. when user data changes the backend must be restarted.
This plugin can be useful as a fallback solution to offer administrator access if one of the more complex plugins relying on an external server fails.
The htpasswd plugin uses an htpasswd file that contains user data. The passwords are stored in hashed form, as is normal for htpasswd files. One username can be configured to have administrator privileges. The file is reloaded for each request, so changes to the file can happen while the backend is running.
Htpasswd files can be edited on the command line via the htpasswd tool. Some frontends for editing these files via a web interface also exist.
This plugin is perfect for very small setups or test installations.
This authentication plugin uses an LDAP server to verify login credentials. For each login attempt a connection to the LDAP server is made to obtain the user data and to verify the credentials. User and administrator accounts must be in certain configurable groups.
Note that if the LDAP server is unreachable, this plugin will reject all users, and requests might take some time to time out.
This auth provider uses SQL as an authentication backend. It executes an SQL query to check the user credentials and accepts the login if the query result contains at least one row. If the admin query succeeds the user query will not be checked. In the queries, the keywords :username and :password will be substituted by the login credentials. Before checking the credentials the password is optionally hashed by a configurable hash algorithm.
The database to use can be configured in the configuration file. Any database that Django supports can be used. ToMaTo will not use this database for its own data unless it is named default.
This auth provider uses a PlanetLab server as an authentication backend. It uses the login credentials to log in to a configurable PlanetLab server and to read the user data if the user exists. Optionally, PlanetLab users with the admin role will be granted admin privileges.
This auth provider uses a ticket mechanism for authentication. With this auth provider arbitrary users will be accepted as long as their password consists of a valid user ticket or admin ticket. Tickets are calculated as a hash value of the username together with a secret key.
TICKET = hash(USERNAME + SECRET)
Two separate secret keys exist for admin login and user login. Administrator login can also be disabled.
This plugin allows external entities to grant access to the ToMaTo testbed.
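The ticket check described above can be sketched as follows. This is an added example, not ToMaTo's own code: the function names, the SHA-256 hex encoding and the secrets are assumptions, since the page does not say which hash algorithm or encoding is used.

```python
import hashlib
import hmac

# Constructed sample secrets (assumptions, not values from ToMaTo).
USER_SECRET = "example-user-secret"
ADMIN_SECRET = "example-admin-secret"


def make_ticket(username, secret, algorithm="sha256"):
    """TICKET = hash(USERNAME + SECRET), returned as a hex string."""
    data = (username + secret).encode("utf-8")
    return hashlib.new(algorithm, data).hexdigest()


def check_ticket(username, password, user_secret, admin_secret=None,
                 algorithm="sha256"):
    """Return "admin", "user" or None (rejected).

    The password field carries the ticket. admin_secret=None models a
    setup where administrator login is disabled.
    """
    supplied = password.encode("utf-8")
    if admin_secret is not None:
        expected = make_ticket(username, admin_secret, algorithm)
        # compare_digest avoids leaking how many leading characters matched.
        if hmac.compare_digest(supplied, expected.encode("ascii")):
            return "admin"
    expected = make_ticket(username, user_secret, algorithm)
    if hmac.compare_digest(supplied, expected.encode("ascii")):
        return "user"
    return None


if __name__ == "__main__":
    # The external entity issues a ticket; the user presents it as password.
    ticket = make_ticket("alice", USER_SECRET)
    print(check_ticket("alice", ticket, USER_SECRET, ADMIN_SECRET))  # user
    # A ticket is bound to its username and is rejected for any other name.
    print(check_ticket("bob", ticket, USER_SECRET, ADMIN_SECRET))    # None
```

Because a ticket depends only on the username and the secret, it stays valid until that secret is changed, so both secrets should be long random values known only to the backend and the issuing entity.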