Posted to dev@whimsical.apache.org by sebb <se...@gmail.com> on 2016/03/17 12:59:25 UTC

Auth required for status/passenger

The status page says that passenger status is restricted to "ASF
committer only", however the code uses the realm "ASF Members and
Officers".

Which is correct?

Re: Auth required for status/passenger

Posted by sebb <se...@gmail.com>.
On 17 March 2016 at 16:14, Sam Ruby <ru...@intertwingly.net> wrote:
> On Thu, Mar 17, 2016 at 11:24 AM, sebb <se...@gmail.com> wrote:
>> On 17 March 2016 at 13:03, Sam Ruby <ru...@intertwingly.net> wrote:
>>> On Thu, Mar 17, 2016 at 7:59 AM, sebb <se...@gmail.com> wrote:
>>>> The status page says that passenger status is restricted to "ASF
>>>> committer only", however the code uses the realm "ASF Members and
>>>> Officers".
>>>>
>>>> Which is correct?
>>>
>>> At the moment, the code obviously.  :-)

But see below ...

>>>
>>> Originally, passenger status was open, and authentication was only
>>> required when you clicked a button to restart a process.  I got
>>> feedback that showing a button which a person could not use was not
>>> ideal.
>>>
>>> I don't have a strong opinion as to whether committers should be able
>>> to restart processes.  At a minimum, I would like members to be able
>>> to do so.
>>
>> In which case maybe the code can check karma before displaying the button.
>>
>> This assumes that ASF Committers have a need to see the Passenger status.
>
> Initially it had no authentication, which made checking karma kinda difficult.

If the user has authenticated already, I think the HTTP server will
set HTTP_X_AUTHENTICATED_USER.
If that was set, it could be checked to see if the user was in the
appropriate group.

Note that the code currently checks if it can login to LDAP via
HTTP_AUTHORIZATION.
If that is the case then the auth popup is not shown.
However it does not check whether the login belongs to any specific
group, so there is a slight disconnect here.
If the check fails, the auth pop-up is shown, and it looks like that
requires Member or Officer karma.
This is inconsistent.

I wonder whether it would be better to protect apps via HTTP auth,
rather than adding auth checks to specific apps.


> - Sam Ruby
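The two code paths sebb describes above (a front-end-authenticated user identified by HTTP_X_AUTHENTICATED_USER, versus an LDAP login supplied through HTTP_AUTHORIZATION with no group check, while the popup realm names "ASF Members and Officers") can be written out side by side. The following is an added illustration, not Whimsy's own code: the user/group table is a constructed stand-in for LDAP, the user names and passwords are made up, and the assumption that "Officers" maps to a `pmc-chairs` group is mine, since the thread does not define the term.

```ruby
require 'base64'

# Constructed stand-in for the LDAP directory (user => password, groups).
# Assumption: the real application looks these up in LDAP; the entries are made up.
DIRECTORY = {
  'alice' => { password: 'alice-pw', groups: %w[committers members] },
  'bob'   => { password: 'bob-pw',   groups: %w[committers] },
  'carol' => { password: 'carol-pw', groups: %w[committers pmc-chairs] },
}.freeze

REALM = 'ASF Members and Officers'
# Assumption: "Officers" means PMC chairs here; the thread does not spell this out.
ALLOWED_GROUPS = %w[members pmc-chairs].freeze

# Parse an HTTP Basic Authorization header; returns [user, password] or nil.
def parse_basic_auth(header)
  return nil unless header
  scheme, token = header.split(' ', 2)
  return nil unless scheme && scheme.casecmp('basic').zero? && token
  user, pass = Base64.decode64(token).split(':', 2)
  user && pass ? [user, pass] : nil
rescue ArgumentError
  nil # malformed bytes in the token count as "no credentials"
end

# Does the user's password match the directory entry?
def valid_login?(user, pass)
  !user.nil? && DIRECTORY.dig(user, :password) == pass
end

# Does the user's group membership grant access to this realm?
def authorized?(user)
  entry = DIRECTORY[user]
  !entry.nil? && !(entry[:groups] & ALLOWED_GROUPS).empty?
end

def challenge
  [401, { 'WWW-Authenticate' => %(Basic realm="#{REALM}") }, 'auth required']
end

# Behaviour described in the thread: any valid LDAP login carried in
# HTTP_AUTHORIZATION skips the popup, and no group check is applied, so the
# realm shown in the popup promises a restriction the code does not enforce.
def check_access_inconsistent(env)
  user, pass = parse_basic_auth(env['HTTP_AUTHORIZATION'])
  valid_login?(user, pass) ? [200, {}, "ok #{user}"] : challenge
end

# Consistent version: identify the user either from HTTP_X_AUTHENTICATED_USER
# (set by the front-end server once it has authenticated the request) or from
# Basic credentials, then apply the same group check on both paths.
def check_access_consistent(env)
  user = env['HTTP_X_AUTHENTICATED_USER']
  if user.nil?
    u, p = parse_basic_auth(env['HTTP_AUTHORIZATION'])
    user = u if valid_login?(u, p)
  end
  return challenge if user.nil?
  # Authenticated but outside the realm's groups: refuse, rather than
  # re-prompting with a popup the user cannot satisfy.
  authorized?(user) ? [200, {}, "ok #{user}"] : [403, {}, 'forbidden']
end

# Build a Basic header for a constructed request.
def basic_header(user, pass)
  "Basic #{Base64.strict_encode64("#{user}:#{pass}")}"
end

if __FILE__ == $0
  bob = { 'HTTP_AUTHORIZATION' => basic_header('bob', 'bob-pw') }
  p check_access_inconsistent(bob)[0]  # committer gets in despite the realm
  p check_access_consistent(bob)[0]    # same login is now refused
  p check_access_consistent('HTTP_X_AUTHENTICATED_USER' => 'alice')[0]
end
```

The point of the pair is that the realm string is only a label on the challenge; what actually gates the page is the check performed after the credentials are accepted, so that check has to consult group membership on every path that can identify a user.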

Re: Auth required for status/passenger

Posted by Sam Ruby <ru...@intertwingly.net>.
On Thu, Mar 17, 2016 at 11:24 AM, sebb <se...@gmail.com> wrote:
> On 17 March 2016 at 13:03, Sam Ruby <ru...@intertwingly.net> wrote:
>> On Thu, Mar 17, 2016 at 7:59 AM, sebb <se...@gmail.com> wrote:
>>> The status page says that passenger status is restricted to "ASF
>>> committer only", however the code uses the realm "ASF Members and
>>> Officers".
>>>
>>> Which is correct?
>>
>> At the moment, the code obviously.  :-)
>>
>> Originally, passenger status was open, and authentication was only
>> required when you clicked a button to restart a process.  I got
>> feedback that showing a button which a person could not use was not
>> ideal.
>>
>> I don't have a strong opinion as to whether committers should be able
>> to restart processes.  At a minimum, I would like members to be able
>> to do so.
>
> In which case maybe the code can check karma before displaying the button.
>
> This assumes that ASF Committers have a need to see the Passenger status.

Initially it had no authentication, which made checking karma kinda difficult.

- Sam Ruby

Re: Auth required for status/passenger

Posted by sebb <se...@gmail.com>.
On 17 March 2016 at 13:03, Sam Ruby <ru...@intertwingly.net> wrote:
> On Thu, Mar 17, 2016 at 7:59 AM, sebb <se...@gmail.com> wrote:
>> The status page says that passenger status is restricted to "ASF
>> committer only", however the code uses the realm "ASF Members and
>> Officers".
>>
>> Which is correct?
>
> At the moment, the code obviously.  :-)
>
> Originally, passenger status was open, and authentication was only
> required when you clicked a button to restart a process.  I got
> feedback that showing a button which a person could not use was not
> ideal.
>
> I don't have a strong opinion as to whether committers should be able
> to restart processes.  At a minimum, I would like members to be able
> to do so.

In which case maybe the code can check karma before displaying the button.

This assumes that ASF Committers have a need to see the Passenger status.

> - Sam Ruby

Re: Auth required for status/passenger

Posted by Sam Ruby <ru...@intertwingly.net>.
On Thu, Mar 17, 2016 at 7:59 AM, sebb <se...@gmail.com> wrote:
> The status page says that passenger status is restricted to "ASF
> committer only", however the code uses the realm "ASF Members and
> Officers".
>
> Which is correct?

At the moment, the code obviously.  :-)

Originally, passenger status was open, and authentication was only
required when you clicked a button to restart a process.  I got
feedback that showing a button which a person could not use was not
ideal.

I don't have a strong opinion as to whether committers should be able
to restart processes.  At a minimum, I would like members to be able
to do so.

- Sam Ruby