opsview4.6:webauthentication [2014/09/09 12:19] (current)
====== Web Authentication ======
Opsview uses [[http://www.openfusion.com.au/labs/mod_auth_tkt|mod_auth_tkt]] tickets as its authentication mechanism. This provides Single Sign On (SSO): a browser that presents a valid ticket is granted access without being asked to log in.
If no valid ticket is presented, Opsview falls back to Catalyst to handle the authentication. By default this checks the password stored for the contact.
Other authentication methods that can be configured for Opsview are [[opsview4.6:ldap|LDAP]] and [[opsview4.6:client_ssl_cert|client SSL certificates]].
**Note**: There may be a limitation if IPv6 is used between your web browser and the Opsview Web application. You can [[#ignoring_the_request_ip_address|ignore the IP address]] to work around it.
**Note**: If Opsview Web sees an IPv6 address, it uses the IPv4 portion as the requesting address. Ignoring the IP address is nevertheless recommended, as there are reported problems with the Apache auth_tkt module and IPv6 addresses.
===== Auth Ticket =====
If a cookie named ''auth_tkt'' is found, Opsview tries to validate it.
The checks, in order, are:
  * Does the cookie exist (called ''auth_tkt'')?
  * Is it a valid ticket (its digest checks out against the shared secret)?
  * Has the ticket expired?
  * If there is a session cookie, does the username in the ticket match the session?
  * Is there a contact in the database with the same username?
    * If so, create the session
    * If not, is [[#mapping_authtkt_to_a_contact|authtkt_default_username]] set in the configuration? Use that contact if set
    * Otherwise, fail with an error
If all these checks pass, the contact is authenticated. Be aware that some dynamic pages, such as viewports, are public and do not require authentication.
==== Security of AuthTkt ====
Two things protect the auth_tkt:
  * The shared secret, controlled via the [[opsview4.6:configuration_files#authtkt_shared_secret|$authtkt_shared_secret]] variable. Anyone who knows this secret can mint a valid ticket for any username, so treat it like a password and keep it confidential.
  * The connecting IP address, controlled via the [[opsview4.6:configuration_files#authtkt_ignore_ip|authtkt_ignore_ip]] variable. While the IP address is checked, a ticket copied from one client cannot be replayed from another address; ignoring the IP address removes that protection.
If the secret or authtkt_ignore_ip is changed while a browser still holds an old auth_tkt cookie, the Opsview login page shows the error "Invalid authentication ticket". Affected users need to log in again to be issued a new, valid auth_tkt.
==== Contents of Ticket ====
A ticket created by Opsview Web also carries a list of tokens. These can be parsed by anything that can read an AuthTkt, such as the [[http://search.cpan.org/dist/Apache-AuthTkt/AuthTkt.pm|Apache::AuthTkt perl module]] or the [[http://openfusion.com.au/labs/mod_auth_tkt/|Apache module]] itself.
The tokens describe the [[access]] the user is allowed.
==== Creating the ticket from an external source ====
Any script can create a valid ticket, provided it knows the shared secret. We recommend the perl module at http://search.cpan.org/dist/Apache-AuthTkt/AuthTkt.pm.
Unless Opsview is configured to ignore the IP address, you must put the originating client IP address into the ticket (it is part of the hashed data); otherwise Opsview will reject the ticket. For example, using Apache::AuthTkt:
  my $at = Apache::AuthTkt->new( secret => $shared_secret );   # same value as Opsview's $authtkt_shared_secret
  $cookie_value = $at->ticket( uid => $username, ip_addr => $ip );
The cookie must be named "auth_tkt".
==== Mapping authtkt to a contact ====
You can map any authtkt user to a specific contact in Opsview. To do this, add this entry to ''/usr/local/opsview-web/opsview_web_local.yml'':
  authtkt_default_username: guest
This means that if Opsview receives a valid authtkt whose username does not match an existing contact, the contact listed here is used instead. Every holder of a valid ticket for an unknown username then gets that contact's access, so give the default contact only the minimum permissions it needs.
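As an added example (editor's code, not Opsview's or mod_auth_tkt's own), the following Python mints a ticket the way the Apache::AuthTkt call above does and then runs the checks listed under Auth Ticket against it, including the IP binding from Security of AuthTkt, the IPv6 limitation from the notes at the top, and the authtkt_default_username fallback. It assumes the mod_auth_tkt 2.x MD5 ticket layout (32-hex digest, 8-hex timestamp, uid, optional tokens, user data, with 0.0.0.0 hashed in place of the client address when the IP is ignored). The secret, contact set, addresses, two-hour timeout and reason strings are constructed for the demonstration, and the cookie value is left raw; whether it must be URL-encoded or base64-encoded depends on how the Opsview front end is configured. Verify a ticket from this code against Apache::AuthTkt output before relying on it for interoperation.

```python
# Added example (editor's code, not Opsview's or mod_auth_tkt's): mint a mod_auth_tkt ticket and run
# the Auth Ticket checks against it.  Assumes the mod_auth_tkt 2.x MD5 layout; see the lead-in.
import hashlib
import hmac
import struct
import time

IGNORE_IP_ADDR = "0.0.0.0"   # address mod_auth_tkt hashes in place of the client IP when IP is ignored
DEFAULT_TIMEOUT = 2 * 3600   # assumed ticket lifetime in seconds (mod_auth_tkt's TKTAuthTimeout default)


def _ip_ts(ip_addr, ts):
    """Pack the IPv4 dotted quad and the timestamp as 4 + 4 bytes, network byte order."""
    octets = [int(o) for o in ip_addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("ticket IP must be an IPv4 dotted quad, got %r" % ip_addr)
    return struct.pack("!4BI", *octets, ts)


def ticket_digest(secret, ts, ip_addr, uid, tokens="", data=""):
    """mod_auth_tkt double MD5: md5(md5(ip_ts + secret + uid + NUL + tokens + NUL + data) + secret)."""
    raw = (_ip_ts(ip_addr, ts) + secret.encode() + uid.encode()
           + b"\0" + tokens.encode() + b"\0" + data.encode())
    inner = hashlib.md5(raw).hexdigest()
    return hashlib.md5(inner.encode() + secret.encode()).hexdigest()


def make_ticket(secret, uid, ip_addr=IGNORE_IP_ADDR, tokens="", data="", ts=None):
    """Raw ticket string: 32 hex digest, 8 hex timestamp, uid, '!', optional tokens + '!', user data."""
    ts = int(time.time()) if ts is None else ts
    digest = ticket_digest(secret, ts, ip_addr, uid, tokens, data)
    ticket = "%s%08x%s!" % (digest, ts, uid)
    if tokens:
        ticket += tokens + "!"
    return ticket + data


def parse_ticket(ticket):
    """Split a raw ticket into its fields, raising ValueError if it is malformed."""
    if len(ticket) < 41 or "!" not in ticket[40:]:
        raise ValueError("ticket too short or missing uid terminator")
    digest, ts_hex, rest = ticket[:32], ticket[32:40], ticket[40:]
    if any(c not in "0123456789abcdef" for c in digest + ts_hex):
        raise ValueError("digest or timestamp is not lowercase hex")
    uid, rest = rest.split("!", 1)
    tokens, data = rest.split("!", 1) if "!" in rest else ("", rest)
    return {"digest": digest, "ts": int(ts_hex, 16), "uid": uid, "tokens": tokens, "data": data}


def validate_ticket(secret, cookie, remote_ip, contacts, ignore_ip=False, timeout=DEFAULT_TIMEOUT,
                    default_username=None, session_user=None, now=None):
    """Apply the checks from the Auth Ticket section in order.

    Returns (contact, None) on success or (None, reason) on failure."""
    if cookie is None:
        return None, "no auth_tkt cookie"
    try:
        t = parse_ticket(cookie)
    except ValueError as err:
        return None, "malformed ticket: %s" % err
    # Bind the digest to the client address unless authtkt_ignore_ip is set (then 0.0.0.0 is hashed).
    # An IPv6 client cannot be bound at all, which is the limitation the page's IPv6 notes describe.
    try:
        expected = ticket_digest(secret, t["ts"], IGNORE_IP_ADDR if ignore_ip else remote_ip,
                                 t["uid"], t["tokens"], t["data"])
    except ValueError:
        return None, "client address %r is not IPv4; set authtkt_ignore_ip" % remote_ip
    if not hmac.compare_digest(expected, t["digest"]):
        return None, "invalid authentication ticket"   # wrong secret, wrong IP, or tampered fields
    now = int(time.time()) if now is None else now
    if now - t["ts"] > timeout:
        return None, "ticket expired"
    if session_user is not None and session_user != t["uid"]:
        return None, "ticket username does not match session"
    if t["uid"] in contacts:
        return t["uid"], None
    if default_username is not None and default_username in contacts:
        return default_username, None            # authtkt_default_username fallback
    return None, "no contact for %r" % t["uid"]


if __name__ == "__main__":
    # Constructed demo: an SSO portal mints a ticket for 'admin' bound to the browser's IPv4 address.
    secret = "replace-with-the-value-of-authtkt_shared_secret"
    contacts = {"admin", "guest"}
    cookie = make_ticket(secret, "admin", ip_addr="192.0.2.10", tokens="view_all,admin", data="sso")
    print("Set-Cookie: auth_tkt=%s" % cookie)        # encode per the front end's cookie settings
    print(validate_ticket(secret, cookie, "192.0.2.10", contacts))     # ('admin', None)
    print(validate_ticket(secret, cookie, "198.51.100.7", contacts))   # replay from another address fails
```

The digest is compared with ''hmac.compare_digest'' rather than ''=='' so that a forged cookie cannot be refined byte by byte through timing differences, and the client-address check fails closed: a non-IPv4 remote address is rejected unless the IP is explicitly ignored, matching the recommendation in the IPv6 notes.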
===== Authentication Via Opsview Database =====
By default, Opsview authenticates a user against the password stored for the contact in the Opsview configuration database. The password is stored there as an Apache-style password hash. No configuration changes are required.
===== Authentication Via LDAP =====
See [[ldap]] for configuration information.
===== Authentication Via Client SSL Certificates =====
See [[client_ssl_cert]] for configuration information.