Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Login option in AfWatch #543

Open
eoyilmaz opened this issue Jun 6, 2022 · 3 comments
Open

Login option in AfWatch #543

eoyilmaz opened this issue Jun 6, 2022 · 3 comments

Comments

@eoyilmaz
Copy link
Member

eoyilmaz commented Jun 6, 2022

In terms of GUI usability there need to be a "Login" option somewhere in the UI to switch between Visor / God modes. Currently it is too much hidden in the quirks of the UI.

@lithorus
Copy link
Member

lithorus commented Jun 6, 2022

I agree 100%.

Even better if there could be some server side system, with proper authentication. I wouldn't mind creating the ldap system for it. Perhaps keep the authentication system/modules in python?

@timurhai
Copy link
Member

timurhai commented Jun 8, 2022

Hi!

Visor / God modes are not a "re-login", it's more like a "sudo", if the user knows the password, he can change something ("he" - not some other admin).
So, just for Visor / God modes we can create a menu items to make a switch more clean.

Authentication is a more complex thing. And by default it is not needed in most cases.
Also it was in 2.0.0, but for a WebGUI only:
https://cgru.readthedocs.io/en/latest/changes_log/changes_log.html#v2-0-0
WebGUI needs some authentication more than AfWatch, as web browser has no access to user environment, but AfWatch already knows who runs it. Also from a remote network WebGUI is used more ofter that from a local.

But! In 2.1.0 it was disabled (commented), when we switched to a new network workflow:
https://cgru.readthedocs.io/en/latest/changes_log/changes_log.html#v2-1-0
I even did not say it, as nobody has managed to start to use authentication, I have no feedback.
It was not documented, I just used the "htdigest" tool from "apache2-utils" to create a digest file.
And it should be changed much to work on a new network workflow.

ps
Also it was not demanded, as for a remote work ssh and vpn are often preferred by studios.

@sebastianelsner
Copy link
Contributor

Hej, for the web gui this is possible to do in some sort of way.

  1. Setup afserver as usual.
  2. Put a https proxy with authentication in front of it. For example I used Traefik, but you can use nginx as well. Here is a traefik config which might help as a starting point
log:
  level: INFO

entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: web-secure

  web-secure:
    address: ":443"

certificatesResolvers:
  letsencrypt:
    acme:
      email: "blubb@blubb.com"
      storage: /etc/traefik/acme/acme.json
      httpChallenge:
        entryPoint: web

http:
  routers:
    afserver:
      rule: "Host(`af.blubb.com`) || Host(`www.af.blubb.com`)"
      entryPoints:
        - web-secure
      middlewares:
        - afserver-auth
      service: afserver
      tls:
        certResolver: letsencrypt

  middlewares:
    afserver-auth:
      basicAuth:
        users:
          - "admin:$aer1$some-hashed-password"

  services:
    afserver:
      loadBalancer:
        servers:
          - url: http://afserver_ip:51000

providers:
  file:
    filename: /etc/traefik/traefik.yml
    watch: true

This uses basic auth as a middleware. But you can also use other auth methods. I think there is a ldap version (which might cost something).
What this does not solve is that afweb does not know WHO you are, just that you are allowed to see your jobs. you still need to setup your gui or use god/visor mode.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants