Skip to content

Extend the Remote User Auth backend with REMOTE_GROUPS ability #311

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
washort merged 2 commits into from
Mar 23, 2018
Merged

Extend the Remote User Auth backend with REMOTE_GROUPS ability #311

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
2a0081c
Strip the items off of whitespace when converting comma-separated lis…
jezdez Jan 24, 2018
a84ec1e
Extend the Remote User Auth backend with the ability to pass remote u…
jezdez Jan 24, 2018
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 15 additions & 0 deletions redash/authentication/remote_user_auth.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,21 @@ def login(org_slug=None):
logger.error("Cannot use remote user for login when it's not provided in the request (looked in headers['" + settings.REMOTE_USER_HEADER + "'])")
return redirect(url_for('redash.index', next=next_path, org_slug=org_slug))

# Check if there is a header of user groups and if yes
# check it against a list of allowed user groups from the settings
if settings.REMOTE_GROUPS_ENABLED:
remote_groups = settings.set_from_string(
request.headers.get(settings.REMOTE_GROUPS_HEADER) or ''
)
allowed_groups = settings.REMOTE_GROUPS_ALLOWED
if not allowed_groups.intersection(remote_groups):
logger.error(
"User groups provided in the %s header are not "
"matching the allowed groups.",
settings.REMOTE_GROUPS_HEADER
)
return redirect(url_for('redash.index', next=next_path))

logger.info("Logging in " + email + " via remote user")
create_and_login_user(current_org, email, email)
return redirect(next_path or url_for('redash.index', org_slug=org_slug), code=302)
7 changes: 7 additions & 0 deletions redash/settings/__init__.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -83,6 +83,13 @@ def all_settings():
REMOTE_USER_LOGIN_ENABLED = parse_boolean(os.environ.get("REDASH_REMOTE_USER_LOGIN_ENABLED", "false"))
REMOTE_USER_HEADER = os.environ.get("REDASH_REMOTE_USER_HEADER", "X-Forwarded-Remote-User")

# When enabled this will match the given remote groups request header with a
# configured list of allowed user groups using UNIX shell-style wildcards such
# as * and ?.
REMOTE_GROUPS_ENABLED = parse_boolean(os.environ.get("REDASH_REMOTE_GROUPS_ENABLED", "false"))
REMOTE_GROUPS_HEADER = os.environ.get("REDASH_REMOTE_GROUPS_HEADER", "X-Forwarded-Remote-Groups")
REMOTE_GROUPS_ALLOWED = set_from_string(os.environ.get("REDASH_REMOTE_GROUPS_ALLOWED", ""))

# If the organization setting auth_password_login_enabled is not false, then users will still be
# able to login through Redash instead of the LDAP server
LDAP_LOGIN_ENABLED = parse_boolean(os.environ.get('REDASH_LDAP_LOGIN_ENABLED', 'false'))
Expand Down
2 changes: 1 addition & 1 deletion redash/settings/helpers.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,7 @@ def array_from_string(s):
if "" in array:
array.remove("")

return array
return [item.strip() for item in array]


def set_from_string(s):
Expand Down