Posted to notifications@couchdb.apache.org by GitBox <gi...@apache.org> on 2018/02/19 20:14:49 UTC
[GitHub] nickva opened a new pull request #1176: Implement pluggable authentication and session support for replicator
URL: https://github.com/apache/couchdb/pull/1176
### Overview
Previously replicator only used basic authentication. It was simple and
straightforward. However with PBKDF2 hashing becoming the default it would be
nice not to do all the password verification work with every
single request, and instead take advantage of session (cookie) based
authentication.
### Description
This commit implements session based authentication via a plugin mechanism.
This is somewhat similar to how server-side authentication plugins work. The
list of available replicator auth modules is configurable:
```
[replicator]
auth_plugins = couch_replicator_auth_session,couch_replicator_auth_basic
```
These plugins will be tried in order. The first one to successfully initialize
will end up being used for that endpoint (source or target). A plugin can
determine during initialization that it cannot be used and in that case it
signals to the plugin framework to be "ignored" and that other plugins
following in the list should be tried.
`couch_replicator_auth_basic` effectively implements the current behavior. It
is the simplest one and should normally be used as a default catch-all at the
end of the plugin list. In some cases, though, it might be useful to enforce
exclusive use of session-based auth and fail replication jobs if it is not
available.
`couch_replicator_auth_session` does most of the work of handling session based
authentication. On initialization it strips away basic auth credentials from
headers and url to avoid basic auth being used on the server. Then it is in charge
of issuing POST requests to `_session` periodically, updating the headers of
each request with the latest cookie value. If it cannot find credentials for
its url endpoint, it asks to be "ignored".
As discussed in https://github.com/apache/couchdb/issues/1153 this work also
removes OAuth 1.0 support. After server side support was removed, it had
stopped working anyway since the main oauth app was removed. However with the
plugin framework in place it would be possible for someone to implement it in a
fairly straightforward way. It also opens the possibility of having an OAuth 2.0
or other custom authentication methods.
Fixes #1153
### Checklist
- [x] Code is written and works correctly;
- [x] Changes are covered by tests;
- [ ] Documentation reflects the changes[*];
[*] Will do it after the review stage.
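The plugin selection described in the pull request, modelled as an added Python example (not code from the pull request, which is Erlang): plugins are tried in `auth_plugins` order, a plugin may ask to be ignored, and a session-only list fails the job when no credentials exist. Function names, the `IGNORE` sentinel, the returned state dictionaries and the sample URLs are assumptions made for illustration.

```python
import base64
from urllib.parse import urlsplit, urlunsplit

IGNORE = object()  # a plugin returns this to say "skip me, try the next one"

def is_basic(key, value):
    return key.lower() == "authorization" and value.lower().startswith("basic ")

def extract_basic_creds(url, headers):
    """Return (user, password, url, headers) with basic-auth material removed."""
    parts = urlsplit(url)
    user, password = parts.username, parts.password
    auth = next((v for k, v in headers.items() if is_basic(k, v)), None)
    if user is None and auth:
        user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
    clean_headers = {k: v for k, v in headers.items() if not is_basic(k, v)}
    netloc = parts.netloc.rpartition("@")[2]  # drop user:pass@ from the URL
    clean_url = urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))
    return user, password, clean_url, clean_headers

def session_plugin(url, headers):
    user, password, clean_url, clean_headers = extract_basic_creds(url, headers)
    if not user or password is None:
        return IGNORE  # no credentials for this endpoint
    # A real plugin would now POST to _session and refresh the cookie over time.
    return {"plugin": "session", "url": clean_url, "headers": clean_headers,
            "login": (user, password)}

def basic_plugin(url, headers):
    # Catch-all: request is sent as before, credentials untouched.
    return {"plugin": "basic", "url": url, "headers": dict(headers)}

PLUGINS = {"couch_replicator_auth_session": session_plugin,
           "couch_replicator_auth_basic": basic_plugin}

def select_auth(auth_plugins, url, headers):
    """Try plugins in configured order; the first that initializes is used."""
    for name in (n.strip() for n in auth_plugins.split(",")):
        state = PLUGINS[name](url, headers)
        if state is not IGNORE:
            return state
    raise RuntimeError("no usable auth plugin: replication job fails")

DEFAULT = "couch_replicator_auth_session,couch_replicator_auth_basic"
```

With a session-only list, an endpoint without credentials raises instead of silently falling back to basic auth, which is the enforcement case the description mentions.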