cgru icon indicating copy to clipboard operation
cgru copied to clipboard

Published 20 hours ago verified publisher icon CGRU

Login option in AfWatch

Open eoyilmaz opened this issue 2 years ago • 3 comments

In terms of GUI usability there need to be a "Login" option somewhere in the UI to switch between Visor / God modes. Currently it is too much hidden in the quirks of the UI.

eoyilmaz avatar Jun 06 '22 10:06 eoyilmaz

I agree 100%.

Even better if there could be some server side system, with proper authentication. I wouldn't mind creating the ldap system for it. Perhaps keep the authentication system/modules in python?

lithorus avatar Jun 06 '22 20:06 lithorus

Hi!

Visor / God modes are not a "re-login", it's more like a "sudo", if the user knows the password, he can change something ("he" - not some other admin). So, just for Visor / God modes we can create a menu items to make a switch more clean.

Authentication is a more complex thing. And by default it is not needed in most cases. Also it was in 2.0.0, but for a WebGUI only: https://cgru.readthedocs.io/en/latest/changes_log/changes_log.html#v2-0-0 WebGUI needs some authentication more than AfWatch, as web browser has no access to user environment, but AfWatch already knows who runs it. Also from a remote network WebGUI is used more ofter that from a local.

But! In 2.1.0 it was disabled (commented), when we switched to a new network workflow: https://cgru.readthedocs.io/en/latest/changes_log/changes_log.html#v2-1-0 I even did not say it, as nobody has managed to start to use authentication, I have no feedback. It was not documented, I just used the "htdigest" tool from "apache2-utils" to create a digest file. And it should be changed much to work on a new network workflow.

ps Also it was not demanded, as for a remote work ssh and vpn are often preferred by studios.

timurhai avatar Jun 08 '22 09:06 timurhai

Hej, for the web gui this is possible to do in some sort of way.

  1. Setup afserver as usual.
  2. Put a https proxy with authentication in front of it. For example I used Traefik, but you can use nginx as well. Here is a traefik config which might help as a starting point
log:
  level: INFO

entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: web-secure

  web-secure:
    address: ":443"

certificatesResolvers:
  letsencrypt:
    acme:
      email: "[email protected]"
      storage: /etc/traefik/acme/acme.json
      httpChallenge:
        entryPoint: web

http:
  routers:
    afserver:
      rule: "Host(`af.blubb.com`) || Host(`www.af.blubb.com`)"
      entryPoints:
        - web-secure
      middlewares:
        - afserver-auth
      service: afserver
      tls:
        certResolver: letsencrypt

  middlewares:
    afserver-auth:
      basicAuth:
        users:
          - "admin:$aer1$some-hashed-password"

  services:
    afserver:
      loadBalancer:
        servers:
          - url: http://afserver_ip:51000

providers:
  file:
    filename: /etc/traefik/traefik.yml
    watch: true

This uses basic auth as a middleware. But you can also use other auth methods. I think there is a ldap version (which might cost something). What this does not solve is that afweb does not know WHO you are, just that you are allowed to see your jobs. you still need to setup your gui or use god/visor mode.

sebastianelsner avatar Mar 25 '23 11:03 sebastianelsner