RhodeCode accepts pass-through user identity

Issue #252 resolved
Sean Russell created an issue

I'd like to see RhodeCode accept the value of X-Forwarded-User that can be passed through by the front-end proxy -- or some similar mechanism. The use case for this is the dizzying array of user authentication mechanisms that RhodeCode doesn't support, but that Apache (for example) does.

A suggestion for a high-level design would first be a setting to enable external authentication. If this is not set, RhodeCode uses its normal authentication mechanism. If it is set, RhodeCode takes the appropriate header (e.g., X-Forwarded-User) and (a) creates the user account in the RhodeCode DB if it doesn't exist, and (b) uses that value as the user ID. If the header is not provided, RhodeCode uses the "default" user ID.

Comments (7)

  1. Sean Russell reporter

    It certainly looks like it! I'll need to check to see if this is a proxy pass-through, or a CGI solution... but either way, it should serve admirably. Are you considering pulling this change into your repo?

  2. liads

    Glad you found it useful :)

    I've implemented and tested it on a WSGI setup under Apache. It currently reads REMOTE_USER and works nicely for both web and the hg middleware.

    Unless the Paste server can be configured to use X-Forwarded-User as REMOTE_USER, it currently won't work on a proxy pass-through setup. However, it shouldn't be too difficult to add this to the current solution. If you prefer to run a proxy pass-through setup, I'm ready to take a look into implementing it. Although, #225 is expected to replace all of this anyway...

    Also, please note that currently my patch doesn't create accounts in RhodeCode's DB. If the externally-authenticated user doesn't exist in RhodeCode (or no user was provided by the container), it simply falls back to its regular user management. Since silently creating an account without data such as e-mail and name might present a problem to some of RhodeCode's features, I refrained from doing that for the time being. It might be possible to use the registration page in that case, but then again, #225...
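The two designs in this thread (the reporter's X-Forwarded-User pass-through, and liads' REMOTE_USER-based patch with fallback to regular user management) differ in one security-relevant way: REMOTE_USER is a CGI variable that only the container sets, whereas X-Forwarded-User is an ordinary request header that any client can send. The middleware below is an added example, not RhodeCode's code and not liads' patch; it shows both modes side by side and only honours the header form when the request arrives from a configured proxy address. The settings keys (`external_auth`, `external_auth_header`, `trusted_proxies`, `default_user`), the `rhodecode.external_user` environ key and the in-memory user table are all invented for illustration.

```python
"""Added example: a WSGI middleware that turns an externally authenticated
identity into a RhodeCode-style user lookup.  Not RhodeCode's own code; the
settings keys, environ key and user table below are hypothetical."""
import ipaddress

# Constructed sample "database" standing in for RhodeCode's user table.
USERS = {
    "alice": {"email": "alice@example.org", "active": True},
    "bob": {"email": "bob@example.org", "active": False},
}


class ExternalAuthMiddleware:
    def __init__(self, app, settings, users=USERS):
        self.app = app
        # Hypothetical settings keys, mirroring the "enable external auth"
        # switch proposed in the issue.
        self.enabled = settings.get("external_auth", False)
        self.header = settings.get("external_auth_header", "REMOTE_USER")
        self.trusted = [ipaddress.ip_network(n)
                        for n in settings.get("trusted_proxies", [])]
        self.default_user = settings.get("default_user", "default")
        self.users = users

    def _wsgi_key(self):
        # REMOTE_USER is a CGI variable the container sets after it has
        # authenticated the request.  Anything a client sends as an HTTP
        # header shows up in the environ as HTTP_<NAME>, so a client cannot
        # spoof REMOTE_USER itself (it would become HTTP_REMOTE_USER).
        if self.header.upper() == "REMOTE_USER":
            return "REMOTE_USER"
        return "HTTP_" + self.header.upper().replace("-", "_")

    def _from_trusted_proxy(self, environ):
        # A pass-through header is only meaningful if the peer we received it
        # from is the proxy that set it; everyone else could have typed it in.
        try:
            peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
        except ValueError:
            return False
        return any(peer in net for net in self.trusted)

    def resolve_user(self, environ):
        """Return the username this request runs as, or None.

        None      -> feature disabled; RhodeCode's regular login applies.
        default   -> no usable identity (header absent, peer untrusted,
                     user unknown or inactive).  No account is created
                     silently, following liads' reasoning in the thread.
        username  -> externally authenticated and present in the user table.
        """
        if not self.enabled:
            return None
        key = self._wsgi_key()
        if key != "REMOTE_USER" and not self._from_trusted_proxy(environ):
            return self.default_user
        username = (environ.get(key) or "").strip()
        if not username:
            return self.default_user
        record = self.users.get(username)
        if record is None or not record.get("active"):
            return self.default_user
        return username

    def __call__(self, environ, start_response):
        user = self.resolve_user(environ)
        if user is not None:
            # Hypothetical environ key the downstream app would read.
            environ["rhodecode.external_user"] = user
        return self.app(environ, start_response)


def demo():
    """Exercise both modes on constructed WSGI environs."""
    app = lambda environ, start_response: [b""]
    proxied = ExternalAuthMiddleware(app, {
        "external_auth": True,
        "external_auth_header": "X-Forwarded-User",
        "trusted_proxies": ["127.0.0.1/32"],
    })
    container = ExternalAuthMiddleware(app, {"external_auth": True})
    return {
        "header_from_proxy": proxied.resolve_user(
            {"REMOTE_ADDR": "127.0.0.1", "HTTP_X_FORWARDED_USER": "alice"}),
        "header_from_client": proxied.resolve_user(
            {"REMOTE_ADDR": "10.0.0.5", "HTTP_X_FORWARDED_USER": "alice"}),
        "remote_user_set_by_container": container.resolve_user(
            {"REMOTE_USER": "alice"}),
        "remote_user_sent_as_header": container.resolve_user(
            {"HTTP_REMOTE_USER": "alice"}),
    }


if __name__ == "__main__":
    for case, user in demo().items():
        print(f"{case}: {user}")
```

Whichever mode is used, the proxy side still has to be configured so that it overwrites (not merely adds) the identity header on every request it forwards; the allow-list in the middleware protects against clients that reach the application directly, not against a proxy that passes a client-supplied header through untouched.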

  3. Kevin Bell

    I also applied liads' changes locally, and it's exactly what I wanted and works great. I already have LDAP/Active Directory authentication configured in Apache for hgweb, subversion, and a few other tools, so the patch makes RhodeCode pretty much a drop-in replacement for hgweb with minimal configuration required.
