[LON-CAPA-cvs] cvs: doc /loncapafiles loncapafiles.lpml loncom loncapa_apache.conf loncom/auth lonstatusacc.pm
raeburn
raeburn@source.lon-capa.org
Fri, 28 Nov 2008 19:38:18 -0000
raeburn Fri Nov 28 19:38:18 2008 EDT
Added files:
/loncom/auth lonstatusacc.pm
Modified files:
/loncom loncapa_apache.conf
/doc/loncapafiles loncapafiles.lpml
Log:
- Retire use of Apache Basic Auth for status files in /cgi-bin, /lon-status,
and /adm/test.
- Add lonstatusacc.pm as an access handler for /lon-status/* and /server-status
Index: loncom/loncapa_apache.conf
diff -u loncom/loncapa_apache.conf:1.180 loncom/loncapa_apache.conf:1.181
--- loncom/loncapa_apache.conf:1.180 Tue Nov 4 21:06:21 2008
+++ loncom/loncapa_apache.conf Fri Nov 28 19:38:05 2008
@@ -1,7 +1,7 @@
##
## loncapa_apache.conf -- Apache HTTP LON-CAPA configuration file
##
-## $Id: loncapa_apache.conf,v 1.180 2008/11/04 21:06:21 www Exp $
+## $Id: loncapa_apache.conf,v 1.181 2008/11/28 19:38:05 raeburn Exp $
##
#
@@ -1248,69 +1248,9 @@
# ------------------------------------------------- Backdoor Adm Tests/Programs
-<Location /cgi-bin/loncron.pl>
-AuthName "LON-CAPA Network Administration"
-AuthType Basic
-AuthUserFile /home/httpd/lonTabs/htpasswd
-require user lonadm
-</Location>
-
-<Location /cgi-bin/userstatus.pl>
-AuthName "LON-CAPA Network Administration"
-AuthType Basic
-AuthUserFile /home/httpd/lonTabs/htpasswd
-require user lonadm
-</Location>
-
-<Location /cgi-bin/lonversions.pl>
-AuthName "LON-CAPA Network Administration"
-AuthType Basic
-AuthUserFile /home/httpd/lonTabs/htpasswd
-require user lonadm
-</Location>
-
-<Location /cgi-bin/clusterstatus.pl>
-AuthName "LON-CAPA Network Administration"
-AuthType Basic
-AuthUserFile /home/httpd/lonTabs/htpasswd
-require user lonadm
-</Location>
-
-<Location /cgi-bin/metadata_keywords.pl>
-AuthName "LON-CAPA Network Administration"
-AuthType Basic
-AuthUserFile /home/httpd/lonTabs/htpasswd
-require user lonadm
-</Location>
-
-<Location /cgi-bin/metadata_harvest.pl>
-AuthName "harvest"
-AuthType Basic
-AuthUserFile /home/httpd/lonTabs/htpasswd
-require user reaper
-</Location>
-
-<Location /cgi-bin/takeoffline.pl>
-AuthName "Offline"
-AuthType Basic
-AuthUserFile /home/httpd/lonTabs/htpasswd
-require user offline
-</Location>
-
-<Location /cgi-bin/takeonline.pl>
-AuthName "Offline"
-AuthType Basic
-AuthUserFile /home/httpd/lonTabs/htpasswd
-require user offline
-</Location>
-
<Location /adm/test>
-AuthName "LON-CAPA Network Administration"
-AuthType Basic
-AuthUserFile /home/httpd/lonTabs/htpasswd
-require user lonadm
+PerlAccessHandler Apache::lonstatusacc
SetHandler perl-script
-PerlAuthzHandler Apache::lonacc
PerlHandler Apache::lontest
</Location>
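Review bot: the eight `<Location /cgi-bin/*.pl>` blocks are deleted outright, but nothing in this hunk attaches a replacement access handler to /cgi-bin, so the only protection left for loncron.pl, takeoffline.pl, takeonline.pl and the others is whatever checks the scripts perform themselves. Please confirm each of those scripts calls the LONCAPA::loncgi checks (check_cookie_and_load_env / can_view / check_ipbased_access) before producing output, or give them a `<LocationMatch>` with `PerlAccessHandler Apache::lonstatusacc` as is done for /adm/test in the same hunk. A one-line comment above `<Location /adm/test>` saying that lonstatusacc now gates it (replacing both Basic Auth and `PerlAuthzHandler Apache::lonacc`) would help the next reader of this file.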
@@ -1399,20 +1339,16 @@
# ------------------------------------------------- Allow server-status reports
<Location /server-status>
+PerlAccessHandler Apache::lonstatusacc
SetHandler server-status
-AuthName "LON-CAPA Network Administration"
-AuthType Basic
-AuthUserFile /home/httpd/lonTabs/htpasswd
-require user lonadm
</Location>
# ------------------------ Allow LON-CAPA "low-level" connection status reports
-<Location /lon-status>
-AuthName "LON-CAPA Network Administration"
-AuthType Basic
-AuthUserFile /home/httpd/lonTabs/htpasswd
-require user lonadm
-</Location>
+<LocationMatch "^/+lon-status/.*">
+PerlAccessHandler Apache::lonstatusacc
+ErrorDocument 406 /adm/roles
+ErrorDocument 500 /adm/errorhandler
+</LocationMatch>
# ------------------- Allow access to local system documentation from localhost
Alias /doc /usr/doc
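Review bot: the new `<LocationMatch "^/+lon-status/.*">` no longer covers a request for /lon-status with no trailing slash, which the old `<Location /lon-status>` did; unless the directory redirect is relied on to add the slash before the access phase, consider `^/+lon-status(/.*)?$`. Also, the handler added in this commit returns FORBIDDEN and NOT_FOUND, but the ErrorDocument lines only map 406 and 500, so a refused request gets Apache's stock 403 page rather than /adm/roles; either add a 403 mapping or have the handler return the status these ErrorDocument lines expect.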
Index: doc/loncapafiles/loncapafiles.lpml
diff -u doc/loncapafiles/loncapafiles.lpml:1.615 doc/loncapafiles/loncapafiles.lpml:1.616
--- doc/loncapafiles/loncapafiles.lpml:1.615 Wed Nov 19 15:03:33 2008
+++ doc/loncapafiles/loncapafiles.lpml Fri Nov 28 19:38:17 2008
@@ -2,7 +2,7 @@
"http://lpml.sourceforge.net/DTD/lpml.dtd">
<!-- loncapafiles.lpml -->
-<!-- $Id: loncapafiles.lpml,v 1.615 2008/11/19 15:03:33 amueller Exp $ -->
+<!-- $Id: loncapafiles.lpml,v 1.616 2008/11/28 19:38:17 raeburn Exp $ -->
<!--
@@ -4985,6 +4985,18 @@
</dependencies>
</file>
<file>
+<source>loncom/auth/lonstatusacc.pm</source>
+<target dist='default'>home/httpd/lib/perl/Apache/lonstatusacc.pm</target>
+<categoryname>handler</categoryname>
+<description>
+This module provides access to server status - Apache's server-status and
+files in the /home/httpd/html/lon-status directory, for which it is invoked
+by the URL-related pattern syntax:
+<tt>LocationMatch "^/+lon-status/.*"</tt>.
+</description>
+<status>works/unverified</status>
+</file>
+<file>
<source>loncom/auth/lonauth.pm</source>
<target dist='default'>home/httpd/lib/perl/Apache/lonauth.pm</target>
<categoryname>handler</categoryname>
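Review bot: the `<description>` for lonstatusacc.pm says the module "provides access to server status", which reads as if it serves the pages, whereas it is an access handler that restricts them. Suggest: "Access handler (PerlAccessHandler) controlling who may view Apache's server-status report, files under /home/httpd/html/lon-status, and /adm/test". The entry also omits /adm/test, which the loncapa_apache.conf change in this same commit routes through the same handler.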
Index: loncom/auth/lonstatusacc.pm
+++ loncom/auth/lonstatusacc.pm
#
# LON-CAPA authorization for pages generated by server-status reports
#
# $Id: lonstatusacc.pm,v 1.1 2008/11/28 19:38:11 raeburn Exp $
#
# Copyright Michigan State University Board of Trustees
#
# This file is part of the LearningOnline Network with CAPA (LON-CAPA).
#
# LON-CAPA is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# LON-CAPA is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with LON-CAPA; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
# /home/httpd/html/adm/gpl.txt
#
# http://www.lon-capa.org/
#
#############################################
#############################################
package Apache::lonstatusacc;
use strict;
use Apache::Constants qw(:common :remotehost);
use Apache::lonnet;
use LONCAPA::loncgi;
sub handler {
my $r = shift;
my $reqhost = $r->get_remote_host(REMOTE_NOLOOKUP);
my $page = 'serverstatus';
if ($r->uri eq '/adm/test') {
$page = 'showenv';
if (&LONCAPA::loncgi::check_cookie_and_load_env()) {
if (&LONCAPA::loncgi::can_view($page)) {
return OK;
} elsif (&LONCAPA::loncgi::check_ipbased_access($page,$reqhost)) {
return OK;
}
}
} elsif ($r->uri ne '/server-status') {
$page = 'lonstatus';
if (!-e $r->filename) {
return NOT_FOUND;
}
}
if ($reqhost eq '127.0.0.1') {
return OK;
}
my @hostids= &Apache::lonnet::get_hosts_from_ip($reqhost);
my @poss_domains = &Apache::lonnet::current_machine_domains();
if (@hostids > 0) {
foreach my $id (@hostids) {
if ($id ne '') {
my $dom = &Apache::lonnet::host_domain($id);
if ($dom ne '') {
if (grep(/^\Q$dom\E$/,@poss_domains)) {
return OK;
}
}
}
}
} elsif (&LONCAPA::loncgi::check_ipbased_access($page,$reqhost)) {
return OK;
} else {
if (&LONCAPA::loncgi::check_cookie_and_load_env($page)) {
if (&LONCAPA::loncgi::can_view($page)) {
return OK;
}
}
}
$r->log_reason("Invalid request for server status from $reqhost",
$r->uri);
return FORBIDDEN;
}
1;
__END__
=head1 NAME
Apache::lonstatusacc - Access Handler for Apache's server-status page
and also pages in lon-status directory.
=head1 SYNOPSIS
Invoked (for appropriate locations) by /etc/httpd/conf/loncapa_apache.conf
PerlAccessHandler Apache::lonstatusacc
=head1 INTRODUCTION
This module can support access control based on IP
address, or based on Domain Configuration settings
for authenticated users (via cookie).
The module is used for control of access to
(a) Apache's server-status page
(b) Status pages in the /home/httpd/html/lon-status directory
which were generated as follows:
(i) when loncron was last run
(index.html, loncron_simple.txt, loncstatus.txt, and londstatus.txt),
(ii) when lonsql was last started
(mysql.txt - only on connection failure),
(iii) when /usr/local/loncapa/bin/CHECKRPMS was last run
(checkrpms.txt),
(iv) when ./UPDATE was run to install/update
(version.txt).
(c) User environment information reported by /adm/test
This is part of the LearningOnline Network with CAPA project
described at http://www.lon-capa.org.
=head1 HANDLER SUBROUTINE
This routine is called by Apache and mod_perl.
The check for whether access is allowed for a specific page proceeds as follows:
(a) Access allowed for request from loopback address for any page.
(b) For any page except /adm/test, access allowed if at least one of the following applies:
(a) If request is from a LON-CAPA server, if at least one domain hosted on
requesting machine is also a domain hosted on this server.
(b) IP address of requesting server is listed in domain configuration list
of allowed machines for any of the domains hosted on this server
(c) If requestor has an active LON-CAPA session -- checked using
LONCAPA::loncgi::check_cookie_and_load_env() -- access allowed
AND one of the following is true:
(i) Requestor has LON-CAPA superuser role
(ii) Requestor's role is Domain Coordinator in one of the domains
hosted on this server
(iii) Domain configurations for domains hosted on this server include
the requestor as one of the named users (username:domain) with access
to the page.
(c) /adm/test
Access requires a valid session - checked using
LONCAPA::loncgi::check_cookie_and_load_env().
If so, access is allowed if one of the following is true:
(i) Requestor has LON-CAPA superuser role, or
(ii) Requestor's role is Domain Coordinator in one of the domains
hosted on this server
(iii) Domain configurations for domains hosted on this server include
the requestor as one of the named users (username:domain) with access
to the page.
(iv) IP address of requestor is listed in domain configuration list
of allowed machines for any of the domains hosted on this server
=cut
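Review bot: the `if (@hostids > 0) ... elsif ... else` chain in handler() does not do what section (b) of the POD says. When get_hosts_from_ip returns one or more ids but none of them is in a domain this server hosts, the `elsif` branches are skipped, so neither the IP-list check nor the cookie/can_view check runs and a Domain Coordinator connecting from another LON-CAPA server is refused; the POD promises "at least one of the following applies". Flattening the chain into three independent `return OK` checks would match the documentation. Second, for /adm/test the handler does not stop when the session checks fail: it falls through to the loopback, get_hosts_from_ip and check_ipbased_access checks, so a request from any LON-CAPA server sharing a domain with this one reaches /adm/test without a session, contradicting section (c) ("Access requires a valid session"); return FORBIDDEN at the end of that branch or document the fall-through. Smaller points: check_cookie_and_load_env() is called without the $page argument in the /adm/test branch but with it later, so one of the two call sites is wrong; for /lon-status files the `-e $r->filename` test runs before any authorization, so an unauthenticated client can distinguish 404 from 403 and learn which status files exist (mysql.txt is only written on connection failure, per the POD), which moving the existence check after the access decision would close; and in the POD the nested list under (b) reuses the labels (a)/(b)/(c) inside item (b), so renumbering the inner items (i)/(ii)/(iii) would remove the ambiguity.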