tunapanda / provision

System for provisioning a new virtual machine with Tunapanda Edubuntu

Common account management tool #54

Open usernamenumber opened 9 years ago

usernamenumber commented 9 years ago

_Background_

_What needs to be done_

  1. Determine the best way to set up authentication with a common set of users for a broad set of applications all running on one machine.
    • I think we'll find that most single sign-on solutions are overkill for us. They're designed to share authentication between systems, but we're only talking about services all running on the same machine, so a simpler, more lightweight solution (important since we need our stuff to work on low-end devices like the Cubietruck) should work for us.
  2. Write ansible plays to implement it.
  3. Make any modifications needed to the configuration of edX, etc. to use it (these must also be automated, of course)

_One option for how to proceed_ In the usernamenumber/accounts branch, I've been experimenting with a role that implements a system I call Handoff. Handoff works like this:

  1. Install and configure incron, a Linux service that monitors activity on a directory and runs a script when a file in it is added or changed.
  2. Configure incron to monitor a directory that is expected to contain json files, with each file representing a user account.
    • In the future, files in other directories could be used to represent other things, not just users.
  3. When a file is added, modified, or removed, incron runs this script, which adds, modifies, or removes the corresponding account in the local userbase.
  4. The monitor script can be extended to also create/modify/delete users in whatever databases our apps use.
    • ...but for anything that can authenticate against the OS userbase via PAM, it should Just Work!

Result: local accounts are managed by a form, which stores its data as json files in the monitored directory. Changes are then immediately synced to the resources used by whatever apps we care about.

To be clear, Handoff is about account management, not authentication. It updates the database(s) used by the app(s), which do authentication exactly as they normally would with no extra configuration.

...that said, I am still unsure whether this approach is brilliant, or a horrible kludge of which I should be ashamed. :P If you think the latter, I'm open to alternatives.

As a proof-of-concept I wrote a simple Django app, which drops the JSON file into a directory monitored by Handoff. It also creates a Django account that can be shared by other Django apps, but in the future, this would be done by a separate script run by Handoff.

To try it out, do the following:

  1. Clone this repo, but use the usernamenumber/accounts branch:
    1. git clone -b usernamenumber/accounts https://github.com/tunapanda/provision
    2. cd provision
  2. Configure it to just install the Handoff-related stuff
    1. cp localconfig.yml.defaults localconfig.yml
    2. Edit localconfig.yml and set profile to test_handoff
  3. Provision a virtual machine and connect to it
    1. vagrant up # This will take several minutes to complete
    2. vagrant ssh
  4. Set up and start the Django app
    1. sudo -i # I haven't set up all the filesystem perms, so just be root
    2. cd /usr/local/tunapanda/provision/vm_data/django
    3. pip install -r requirements.txt
    4. ./manage.py migrate
    5. ./manage.py runserver 0.0.0.0:8000
  5. Open http://IP.OF.THE.VM:8000 in your browser
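As an added example (not code from this issue or from the provision repo): a sketch of the monitor script incron would run for the Handoff design above, with the input checks a root-level handler fed by a web form needs. The incrontab line, the /var/lib/handoff/users path, the script name and the JSON field names are all assumptions.

```python
"""Handoff-style incron handler: one JSON file per account -> one local OS account.
Assumed incrontab line (paths and script name are hypothetical; incron puts the event
name in $% and the file path in $@/$#):
  /var/lib/handoff/users IN_CLOSE_WRITE,IN_MOVED_TO,IN_DELETE /usr/local/bin/handoff_users.py $% $@/$#
Assumed file schema: {"username": str, "full_name": str, "password_hash": str}."""
import json, re, subprocess, sys
from pathlib import Path

# The handler runs as root and the JSON comes from a web form, so file name and
# contents are untrusted: accept only plain POSIX login names and never touch
# accounts the OS itself depends on.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
PROTECTED = {"root", "daemon", "nobody", "www-data", "vagrant"}

def validate_username(name):
    """Return name if it is an acceptable managed account, else raise ValueError."""
    if not USERNAME_RE.match(name) or name in PROTECTED:
        raise ValueError(f"refusing to manage account {name!r}")
    return name

def local_user_exists(user):
    return subprocess.run(["id", "-u", user], capture_output=True).returncode == 0

def plan(event, path, data=None, exists=local_user_exists):
    """Map one incron event to the commands to run (argv lists, never a shell string).
    The account is the file's basename minus .json and, for create/modify events,
    must equal the "username" field so a renamed file cannot reach another account."""
    user = validate_username(Path(path).stem)
    if event == "IN_DELETE":
        return [["userdel", "--remove", user]]
    if data is None or validate_username(data.get("username", "")) != user:
        raise ValueError("file name and username field disagree")
    # useradd refuses an existing user, so branch on presence, not on event type.
    tool = "usermod" if exists(user) else "useradd"
    cmds = [[tool, "--comment", data.get("full_name", ""), user]]
    if "password_hash" in data:  # pre-hashed; chpasswd -e reads "user:hash" on stdin
        cmds.append(["chpasswd", "-e"])
    return cmds

def apply(cmds, data):
    """Run the planned commands; only chpasswd gets input, and only via stdin."""
    for argv in cmds:
        stdin = f"{data['username']}:{data['password_hash']}\n" if argv[0] == "chpasswd" else None
        subprocess.run(argv, input=stdin, text=True, check=True)

if __name__ == "__main__":
    event, path = sys.argv[1], sys.argv[2]
    payload = None if event == "IN_DELETE" else json.loads(Path(path).read_text())
    apply(plan(event, path, payload), payload or {})
```

The same validate-then-plan split is what you would extend for the per-app database updates mentioned in step 4, keeping every command an argv list rather than an interpolated shell string.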