Thread: REMOTE_USER change




REMOTE_USER change
2007-07-31 13:27:40

I'm looking to modify the default trac install to pull a different ENV variable from Apache instead of REMOTE_USER. Trac is installed and running under mod_python.

I've found the auth routines in web/auth.py as well as the lines setting stuff in modpython_frontend.py. I haven't found exactly where the REMOTE_USER is accessed. I admit to not being an expert with Python, so I might be missing something that happens in mod_python automatically.

Thanks,
Steve Cochran


--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the
Google Groups "Trac Development" group.
To post to this group, send email to trac-devgooglegroups.com
To unsubscribe from this group, send email to
trac-dev-unsubscribegooglegroups.com
For more options, visit this group at http://groups.google.com/group/trac-dev?hl=en
-~----------~----~----~----~------~----~------~--~---


Re: REMOTE_USER change
2007-07-31 13:43:40
What exactly is your goal?

--Noah

On Jul 31, 2007, at 2:27 PM, Stephen A. Cochran Lists wrote:

> I'm looking to modify the default trac install to pull a different ENV variable from Apache instead of REMOTE_USER. Trac is installed and running under mod_python.
>
> I've found the auth routines in web/auth.py as well as the lines setting stuff in modpython_frontend.py. I haven't found exactly where the REMOTE_USER is accessed. I admit to not being an expert with Python, so I might be missing something that happens in mod_python automatically.
>
> Thanks,
> Steve Cochran




Re: REMOTE_USER change
2007-07-31 13:49:32

On Jul 31, 2007, at 2:43 PM, Noah Kantrowitz wrote:

> What exactly is your goal?

I'm simply looking to pull the user name from the REMOTE_USER_FULLNAME env variable, which is being set by a custom apache module we use.

So I'm hoping to substitute that var for REMOTE_USER.

Steve



Re: REMOTE_USER change
2007-07-31 13:54:41

On Jul 31, 2007, at 2:49 PM, Stephen A. Cochran Lists wrote:

> On Jul 31, 2007, at 2:43 PM, Noah Kantrowitz wrote:
>
>> What exactly is your goal?
>
> I'm simply looking to pull the user name from the REMOTE_USER_FULLNAME env variable, which is being set by a custom apache module we use.
>
> So I'm hoping to substitute that var for REMOTE_USER.
>
> Steve




Re: REMOTE_USER change
2007-07-31 14:00:55
The easiest way will be to make a plugin that has a new IAuthenticator. Specifically you want to inherit from trac.web.auth.LoginModule and override _do_login. s/req.remote_user/req.environ['REMOTE_USER_FULLNAME'].

--Noah

On Jul 31, 2007, at 2:49 PM, Stephen A. Cochran Lists wrote:

> On Jul 31, 2007, at 2:43 PM, Noah Kantrowitz wrote:
>
>> What exactly is your goal?
>
> I'm simply looking to pull the user name from the REMOTE_USER_FULLNAME env variable, which is being set by a custom apache module we use.
>
> So I'm hoping to substitute that var for REMOTE_USER.
>
> Steve




Re: REMOTE_USER change
2007-07-31 14:18:44

On Jul 31, 2007, at 3:00 PM, Noah Kantrowitz wrote:

> The easiest way will be to make a plugin that has a new IAuthenticator. Specifically you want to inherit from trac.web.auth.LoginModule and override _do_login. s/req.remote_user/req.environ['REMOTE_USER_FULLNAME'].
>
> --Noah

So I tried something similar, I'm simply modifying web/auth.py in _do_login. I tried your change:

req.environ['REMOTE_USER_FULLNAME']

but I'm getting a "'ModPythonRequest' object has no attribute 'environ'" error.

I also wasn't sure if req.remote_user was a standard Python thing or if that was being set somewhere else like in modpython_frontend.py.

Steve Cochran
Dartmouth College



Re: REMOTE_USER change
2007-07-31 17:42:30
On Aug 1, 5:18 am, "Stephen A. Cochran Lists" <stephen.a.cochran.li...cahir.net> wrote:
> On Jul 31, 2007, at 3:00 PM, Noah Kantrowitz wrote:
>
> > The easiest way will be to make a plugin that has a new IAuthenticator. Specifically you want to inherit from trac.web.auth.LoginModule and override _do_login. s/req.remote_user/req.environ['REMOTE_USER_FULLNAME'].
> >
> > --Noah
>
> So I tried something similar, I'm simply modifying web/auth.py in _do_login. I tried your change:
>
> req.environ['REMOTE_USER_FULLNAME']

Should be:

  req.subprocess_env['REMOTE_USER_FULLNAME']

if it is passed as equivalent of SetEnv directive, or:

  req.notes['REMOTE_USER_FULLNAME']

if other modules are using notes table for request.

> but I'm getting a "'ModPythonRequest' object has no attribute 'environ'" error.
>
> I also wasn't sure if req.remote_user was a standard Python thing or if that was being set somewhere else like in modpython_frontend.py.

The user as determined by standard authentication modules is stored in req.user.

Note that the standard way that Apache authentication modules are supposed to work is that they set req.user to the authenticated user id. This is also turned into REMOTE_USER variable in req.subprocess_env when req.add_common_vars() is called. If add_common_vars() isn't being called by a mod_python handler you will thus not have access to REMOTE_USER and would have to use req.user.

FWIW, you seem to be deliberately doing things to break how Apache normally works. Why can't your other module simply set req.user in the correct manner to what you want rather than using the request environment variables. If the module is a C module it is the 'user' attribute of request_rec structure. If you need whether this is done to be selectable then add a directive to enable passing full name in req.user. Do note though that your full names better be unique otherwise you might have issues in Trac.

Perhaps provide more explanation of the reasons for wanting to do this, rather than simply what you want to achieve. It may be the case that you shouldn't be changing Trac but that the other module should be changed to do things in a more customisable way in line with how Apache should be used.

Graham
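
The lookup order described in the message above, as an added example that is not part of the original thread and is not Trac or mod_python code. `FakeRequest` is a constructed stand-in for a mod_python request, `resolve_login_name` is a hypothetical helper, and the sample names and the '@' realm separator are assumptions.

```python
# Added example. FakeRequest is a constructed stand-in for a mod_python
# request; only user, subprocess_env, notes and add_common_vars() come
# from the thread. resolve_login_name() is a hypothetical helper.
class FakeRequest:
    def __init__(self, user=None, subprocess_env=None, notes=None):
        self.user = user
        self.subprocess_env = dict(subprocess_env or {})
        self.notes = dict(notes or {})

    def add_common_vars(self):
        # As described in the thread: REMOTE_USER only appears in
        # subprocess_env once this has been called.
        if self.user is not None:
            self.subprocess_env['REMOTE_USER'] = self.user


def resolve_login_name(req, key='REMOTE_USER_FULLNAME'):
    """Return (name, source); (None, None) if the request is unauthenticated."""
    # req.user is what the Apache authentication phase sets. Without it,
    # ignore the extra variable so it can never stand in for authentication.
    if not req.user:
        return None, None
    for source in ('subprocess_env', 'notes'):
        table = getattr(req, source)
        if key in table:
            full = table[key]
            # The thread says the full form is the old name with the realm
            # concatenated, so it must extend req.user; otherwise the two
            # values disagree and the authenticated short name wins.
            if full.startswith(req.user) and len(full) > len(req.user):
                return full, source
    return req.user, 'user'


# Constructed sample values; '@' as the realm separator is an assumption.
SHORT, FULL = 'jdoe', 'jdoe@EXAMPLE.EDU'

if __name__ == '__main__':
    for req in (FakeRequest(SHORT, {'REMOTE_USER_FULLNAME': FULL}),
                FakeRequest(SHORT, notes={'REMOTE_USER_FULLNAME': FULL}),
                FakeRequest(SHORT, {'REMOTE_USER_FULLNAME': 'admin@EXAMPLE.EDU'}),
                FakeRequest(None, {'REMOTE_USER_FULLNAME': FULL})):
        print(resolve_login_name(req))
```

The prefix comparison is a consistency check between the two values the module sets, not a uniqueness guarantee for the resulting Trac user names.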




Re: REMOTE_USER change
2007-07-31 20:39:05

On Jul 31, 2007, at 6:42 PM, Graham Dumpleton wrote:

> Note that the standard way that Apache authentication modules are supposed to work is that they set req.user to the authenticated user id. This is also turned into REMOTE_USER variable in req.subprocess_env when req.add_common_vars() is called. If add_common_vars() isn't being called by a mod_python handler you will thus not have access to REMOTE_USER and would have to use req.user.
>
> FWIW, you seem to be deliberately doing things to break how Apache normally works. Why can't your other module simply set req.user in the correct manner to what you want rather than using the request environment variables. If the module is a C module it is the 'user' attribute of request_rec structure. If you need whether this is done to be selectable then add a directive to enable passing full name in req.user. Do note though that your full names better be unique otherwise you might have issues in Trac.
>
> Perhaps provide more explanation of the reasons for wanting to do this, rather than simply what you want to achieve. It may be the case that you shouldn't be changing Trac but that the other module should be changed to do things in a more customisable way in line with how Apache should be used.

Actually our module is setting REMOTE_USER correctly, but to provide backwards compatibility the name being put into that field is missing some important information. Our web authentication system was recently upgraded to support multiple realms of users, for example alumni, pre-admission students, and general community members.

To differentiate between users in different realms, the username is concatenated with 'REALM'. So for example my username would be

Stephen A. CochranDARTMOUTH.EDU

whereas my old username would have just been

Stephen A. Cochran

To prevent breaking all the old applications that were already looking at REMOTE_USER and didn't know anything about the realm, I wrote the apache module (written in c) to put the old version in REMOTE_USER, and added a new ENV variable called REMOTE_USER_FULLNAME with the new form. Users can simply use an htaccess directive to limit access to a certain realm to prevent problems with the new realms. That way applications can be upgraded at their own pace.

Steve Cochran




Re: REMOTE_USER change
2007-07-31 20:53:11
On Aug 1, 11:39 am, "Stephen A. Cochran Lists" <stephen.a.cochran.li...cahir.net> wrote:
> On Jul 31, 2007, at 6:42 PM, Graham Dumpleton wrote:
>
> > Note that the standard way that Apache authentication modules are supposed to work is that they set req.user to the authenticated user id. This is also turned into REMOTE_USER variable in req.subprocess_env when req.add_common_vars() is called. If add_common_vars() isn't being called by a mod_python handler you will thus not have access to REMOTE_USER and would have to use req.user.
> >
> > FWIW, you seem to be deliberately doing things to break how Apache normally works. Why can't your other module simply set req.user in the correct manner to what you want rather than using the request environment variables. If the module is a C module it is the 'user' attribute of request_rec structure. If you need whether this is done to be selectable then add a directive to enable passing full name in req.user. Do note though that your full names better be unique otherwise you might have issues in Trac.
> >
> > Perhaps provide more explanation of the reasons for wanting to do this, rather than simply what you want to achieve. It may be the case that you shouldn't be changing Trac but that the other module should be changed to do things in a more customisable way in line with how Apache should be used.
>
> Actually our module is setting REMOTE_USER correctly, but to provide backwards compatibility the name being put into that field is missing some important information. Our web authentication system was recently upgraded to support multiple realms of users, for example alumni, pre-admission students, and general community members.
>
> To differentiate between users in different realms, the username is concatenated with 'REALM'. So for example my username would be
>
> Stephen A. Coch...DARTMOUTH.EDU
>
> whereas my old username would have just been
>
> Stephen A. Cochran
>
> To prevent breaking all the old applications that were already looking at REMOTE_USER and didn't know anything about the realm, I wrote the apache module (written in c) to put the old version in REMOTE_USER, and added a new ENV variable called REMOTE_USER_FULLNAME with the new form.

As I mentioned briefly in my comments, would you be able to implement a directive for your module which can be set to enable/disable req.user being set to the full name with realm?

Presuming that Trac user database has full name with realm in it, you could then say:

  <Location /trac>
  StuffFullNameInUser On
  </Location>

I.e., turn on passing of full name just for URL Trac is under.

This will allow you to selectively pass through the extra information to applications as user databases are updated.

Not sure I have got this round the right way, so I hope you understand what I am talking about. Or am I missing something?

Graham




Re: REMOTE_USER change
2007-07-31 20:56:24

On Jul 31, 2007, at 9:53 PM, Graham Dumpleton wrote:

> As I mentioned briefly in my comments, would you be able to implement a directive for your module which can be set to enable/disable req.user being set to the full name with realm?
>
> Presuming that Trac user database has full name with realm in it, you could then say:
>
>   <Location /trac>
>   StuffFullNameInUser On
>   </Location>
>
> I.e., turn on passing of full name just for URL Trac is under.
>
> This will allow you to selectively pass through the extra information to applications as user databases are updated.
>
> Not sure I have got this round the right way, so I hope you understand what I am talking about. Or am I missing something?

Yep, I think I understand. Basically adding the option to the apache module to set REMOTE_USER to the usernamerealm form via directive. It's not a bad feature to add to the module, I just thought it would be easier to change the spot in trac that was pulling the REMOTE_USER param, I just couldn't find it or figure out the new form.

Steve


