yum install docker-selinux
Docker 1.9 has fixed this issue.
The full list of commands:
sudo yum update
curl -sSL https://get.docker.com/ | sh
service docker start
chkconfig docker on
dj-sso-server is a Django application that provides a Single Sign-On feature for your project.
dj-sso-server works as the SSO provider; use dj-sso-client (https://github.com/feifangit/dj-sso-client) as the SSO client in the other projects that need SSO.
Install with the command pip install dj-sso-server
The dependency dj-api-auth (https://github.com/feifangit/dj-api-auth) is installed automatically.
Based on the dj-api-auth module, an API key can be created with the SSO-related APIs included from the start. All API communication between dj-sso-server and dj-sso-client is protected by dj-api-auth.
The API key is also bound to a host, which is used to limit the origin of SSO requests.
SSO workflow with dj-sso-client
First, dj-sso-client applies for a request key via the API requesttoken/ on dj-sso-server.
The request key is kept in cache on the dj-sso-server side for 5 minutes, so the whole SSO login process must complete within 5 minutes.
With the request key, dj-sso-client redirects the user to the SSO login page on the SSO provider and gets an auth token if the login succeeds. dj-sso-server will
- verify the request origin
- verify request key validity (expired?)
- save user information in cache
dj-sso-client verifies the auth token with dj-sso-server via the API authtoken/ and gets an SSOUser object.
dj-sso-server deletes the request key from cache once authtoken/ is called.
If there is already a logged-in account on dj-sso-server (say, the project hosting the SSO provider also offers other features, the browser holds a valid cookie and the server a valid session), the user can choose to continue with that logged-in account.
SSO login through dj-sso-server will not affect the login status on dj-sso-server.
Since request keys are stored in cache while waiting for verification or expiration, if you run multiple application processes in your deployment (gunicorn etc.), use a cache system that can be shared between processes.
Memcached and Redis are both good choices for caching; be aware that the local-memory cache (django.core.cache.backends.locmem.LocMemCache) is per-process and only a toy for local debugging.
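The three-step flow above (request key, SSO login on the provider, auth token exchange) as a self-contained simulation. This is an added example, not code from dj-sso-server or dj-sso-client: it assumes an in-memory cache with the 5-minute TTL the text states, constructed API key and host values, illustrative method names (requesttoken, sso_login, authtoken) that only mirror the API names in the text, and a fake clock so expiry can be exercised without waiting.

```python
import secrets
import time

REQUEST_KEY_TTL = 300  # seconds; the text states request keys live in cache for 5 minutes


class TTLCache:
    """Tiny in-memory cache with per-key expiry (stand-in for Django's cache API)."""

    def __init__(self, clock=time.monotonic):
        self._items = {}
        self._clock = clock

    def set(self, key, value, timeout):
        self._items[key] = (value, self._clock() + timeout)

    def get(self, key):
        item = self._items.get(key)
        if item is None:
            return None
        value, expires_at = item
        if self._clock() >= expires_at:
            del self._items[key]
            return None
        return value

    def delete(self, key):
        self._items.pop(key, None)


class SSOProvider:
    """Provider role (what dj-sso-server does). API keys are bound to one host."""

    def __init__(self, cache):
        self.cache = cache
        self.bound_hosts = {}  # apikey -> host the key is bound to

    def register_api_key(self, apikey, host):
        self.bound_hosts[apikey] = host

    def requesttoken(self, apikey, origin_host):
        # Step 1: the client asks for a request key; the origin must match the bound host.
        if self.bound_hosts.get(apikey) != origin_host:
            raise PermissionError("origin %r not allowed for this API key" % origin_host)
        request_key = secrets.token_urlsafe(16)
        self.cache.set("reqkey:" + request_key, apikey, REQUEST_KEY_TTL)
        return request_key

    def sso_login(self, request_key, origin_host, username):
        # Step 2: the user authenticates on the provider's SSO page. The provider checks
        # the origin and that the request key has not expired, then caches the user
        # information under a fresh auth token.
        apikey = self.cache.get("reqkey:" + request_key)
        if apikey is None:
            raise PermissionError("request key unknown or expired")
        if self.bound_hosts.get(apikey) != origin_host:
            raise PermissionError("origin mismatch")
        auth_token = secrets.token_urlsafe(16)
        self.cache.set("auth:" + auth_token,
                       {"request_key": request_key, "username": username}, REQUEST_KEY_TTL)
        return auth_token

    def authtoken(self, apikey, auth_token):
        # Step 3: the client exchanges the auth token for user data. The request key is
        # deleted as soon as this is called, so the same login cannot be replayed.
        entry = self.cache.get("auth:" + auth_token)
        if entry is None or self.cache.get("reqkey:" + entry["request_key"]) != apikey:
            raise PermissionError("auth token invalid, expired, or already used")
        self.cache.delete("reqkey:" + entry["request_key"])
        self.cache.delete("auth:" + auth_token)
        return {"username": entry["username"]}


class FakeClock:
    """Controllable clock so expiry can be tested without sleeping."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def run_demo():
    """Runs a successful login plus the three failure cases; returns the outcomes."""
    clock = FakeClock()
    provider = SSOProvider(TTLCache(clock))
    apikey, host = "demo-apikey", "localhost:8000"  # constructed values
    provider.register_api_key(apikey, host)
    results = {}
    # client side: request key -> (browser redirect, simulated by a direct call) -> auth token
    request_key = provider.requesttoken(apikey, host)
    auth_token = provider.sso_login(request_key, host, "alice")
    results["user"] = provider.authtoken(apikey, auth_token)["username"]
    for name, action in (
        ("replay", lambda: provider.authtoken(apikey, auth_token)),           # token already used
        ("origin", lambda: provider.requesttoken(apikey, "other.example:8000")),  # wrong host
        ("expired", lambda: provider.sso_login(stale_key, host, "alice")),     # TTL passed
    ):
        if name == "expired":
            stale_key = provider.requesttoken(apikey, host)
            clock.now += REQUEST_KEY_TTL + 1
        try:
            action()
            results[name] = "accepted"
        except PermissionError:
            results[name] = "rejected"
    return results


if __name__ == "__main__":
    print(run_demo())
```

The shared-cache caveat from the text applies directly: if the requesttoken and authtoken calls land on different worker processes, a per-process cache makes step 3 fail with "request key unknown or expired" even for a legitimate login.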
# urls.py of the SSO provider project: mount the dj-sso-server URLs
from django.conf.urls import include, url
urlpatterns = [
    url(r'^sso/', include("djssoserver.urls")),
    #...
]
SSO_SERVER_USER_TO_JSON_FUNC (optional): a dotted path to a function that receives a user object and returns a JSON string.
The default SSO_SERVER_USER_TO_JSON_FUNC function is djssoserver.utility.default_user_to_json:
import json
from django.core.serializers.json import DjangoJSONEncoder
from django.forms.models import model_to_dict
def default_user_to_json(user):
    # the password hash and permission list never leave the provider
    return json.dumps(model_to_dict(user, exclude=["password", "user_permissions"]), cls=DjangoJSONEncoder)
To discover and manage the APIs, after dj-sso-server is mounted in an accessible urls.py, run the command python manage.py reloadentrypoints to collect the APIs into the database.
You can style your own SSO login page: simply create djsso/ssologin.html under the templates folder and revamp it by imitating the original page.
dj-sso-client receives an SSOUser object regardless of which User model the SSO provider project uses.
See details in the README file of dj-sso-client (https://github.com/feifangit/dj-sso-client)
A demo SSO provider application is running on Heroku (https://dj-sso-sample.herokuapp.com/).
Source code: under the example folder
To try the demo out, check the README file of dj-sso-client (https://github.com/feifangit/dj-sso-client)
dj-sso-client is a Django application that works as the SSO client side of dj-sso-server (https://github.com/feifangit/dj-sso-server)
pip install dj-sso-client
Modify the following settings in the settings.py of your project:
- AUTHENTICATION_BACKENDS: add djssoclient.authbackend.SSOAuthBackend as the backend
- AUTH_USER_MODEL: set djssoclient.SSOUser as the user model
AUTHENTICATION_BACKENDS = ('djssoclient.authbackend.SSOAuthBackend',)
AUTH_USER_MODEL = 'djssoclient.SSOUser'
Add the following dj-sso-client settings as needed.
SSO_API_AUTH_SETTING: set the API key, SEC key and remote SSO provider URL. This setting is used by the underlying dj-api-auth module to protect API access.
SSO_API_AUTH_SETTING = {
    "apikey": "f4a05287",
    "seckey": "6a4eeaea54d54f51af703e79c6096d51",
    "url": "https://dj-sso-sample.herokuapp.com",
}
SSO_REMOTE_URL_PREFIX (optional): SSO path on the remote SSO provider. Default: /sso/
SSO_USER_STORAGE (optional): SSOUser storage solution; two storage backends ship with dj-sso-client. Default: SSOUserDBStorage
- djssoclient.userstorage.SSOUserDBStorage: store user data in the database
- djssoclient.userstorage.SSOUserCacheStorage: store user data in cache, for better performance
SSO_SETTING_CACHE (optional): if you selected SSOUserCacheStorage as the user storage backend and have more than one cache configured in settings.py, choose the cache name here. Default: default
The default django.core.cache.backends.locmem.LocMemCache stores data per process. In a multi-process production environment (gunicorn on a multi-core server) this causes problems when SSOUserCacheStorage is the user storage engine.
Use a dedicated cache system (Memcached or Redis) as the cache backend to avoid this problem.
SSOUser is the user model that stores user data. It is used as the database model class if SSOUserDBStorage is your user storage engine.
from django.contrib.auth.models import AbstractBaseUser
from django.db import models
class SSOUser(AbstractBaseUser):
    username = models.CharField(unique=True, max_length=50)
    extras = models.TextField(default="{}")  # JSON string holding the extra attributes
    ...
Extra user attributes are attributes that do not exist on the SSOUser class (anything other than username, password, last_login, etc.).
All extra user attributes can be accessed with getattr or the . operator; they are stored in the class member extras in JSON format.
A SSO provider (dj-sso-server) application is already running on Heroku: http://dj-sso-sample.herokuapp.com/ . Run the example application in the folder example/ssoclient/ locally.
The API key used in the example application is bound to localhost:8000, so make sure you access the local application via localhost:8000 rather than 127.0.0.1:8000.
Screenshots: fresh login; login with an existing logged-in account; switch account.
dj-api-auth is a Django application providing an AWS-style API auth solution.
When I was seeking a simple solution rather than intricate OAuth, I was inspired by this article: Designing a Secure REST (Web) API without OAuth.
Thanks to the author and the comments.
Generate a pair of API key and SEC key, and assign some APIs to it.
The client puts the API key and the current UNIX time as apikey and timestamp in the request URL.
The client also generates a signature by computing a SHA256 value over the whole URL (without the signature) with its known SEC key.
If any verification fails, the server returns a 403 error with a brief message.
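The signing scheme in the steps above, written out for both sides as an added example; this is not dj-api-auth's own code. It assumes the "SHA256 value with the SEC key" is an HMAC-SHA256 over the URL, a 300-second tolerance for the timestamp (the text names no window), query parameters sorted into a canonical order so client and server sign the same bytes, and constructed sample keys.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample credentials; real pairs are generated by the server application.
KEY_STORE = {"demo-apikey": "demo-seckey-0123456789abcdef"}
MAX_CLOCK_SKEW = 300  # seconds; assumption, the text does not state the window


def canonical_url(scheme, netloc, path, params):
    """URL without the signature; parameters are sorted so both sides sign identical bytes."""
    return urlunsplit((scheme, netloc, path, urlencode(sorted(params)), ""))


def sign(url_without_signature, seckey):
    """HMAC-SHA256 over the whole unsigned URL, keyed with the SEC key (assumed construction)."""
    return hmac.new(seckey.encode(), url_without_signature.encode(), hashlib.sha256).hexdigest()


def build_signed_url(base, path, params, apikey, seckey, now=None):
    """Client side: add apikey and UNIX timestamp, sign, then append the signature."""
    now = int(time.time() if now is None else now)
    parts = urlsplit(base)
    query = list(params.items()) + [("apikey", apikey), ("timestamp", str(now))]
    unsigned = canonical_url(parts.scheme, parts.netloc, path, query)
    return unsigned + "&signature=" + sign(unsigned, seckey)


def verify_request(url, key_store=KEY_STORE, now=None, skew=MAX_CLOCK_SKEW):
    """Server side: returns (200, apikey) on success, otherwise (403, brief message)."""
    now = int(time.time() if now is None else now)
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    signature = dict(pairs).get("signature")
    if signature is None:
        return 403, "signature missing"
    unsigned_pairs = [(k, v) for k, v in pairs if k != "signature"]
    fields = dict(unsigned_pairs)
    seckey = key_store.get(fields.get("apikey"))
    if seckey is None:
        return 403, "unknown apikey"
    try:
        sent_at = int(fields.get("timestamp", ""))
    except ValueError:
        return 403, "bad timestamp"
    if abs(now - sent_at) > skew:  # stale or future-dated request: limits replay
        return 403, "timestamp outside allowed window"
    expected = sign(canonical_url(parts.scheme, parts.netloc, parts.path, unsigned_pairs), seckey)
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        return 403, "signature mismatch"
    return 200, fields["apikey"]


if __name__ == "__main__":
    url = build_signed_url("https://api.example.test", "/api/whoami/", {"q": "hello world"},
                           "demo-apikey", KEY_STORE["demo-apikey"])
    print(url)
    print(verify_request(url))
```

Because the timestamp is inside the signed URL, neither it nor any other parameter can be altered without invalidating the signature; the window check is what keeps a captured URL from being reused indefinitely.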
If you have admin enabled for your project, you can find these features in admin site. Otherwise, you can import forms from djapiauth.forms or write your own form based on models in djapiauth.models
# add auth for a browser-oriented view (urls.py)
from djapiauth import url_with_auth  # import path assumed; check the dj-api-auth README
url_with_auth(r'^hello/$', 'djapp.views.index'),
#...
# add auth for an API view (views.py)
from django.http import JsonResponse
from djapiauth import api_auth  # import path assumed
@api_auth
def api_whoami(request):
    return JsonResponse({"user": "feifan", "boss": "lidan zhou"})
A Django command, reloadentrypoints, collects and saves all auth-required APIs to the database.
Server application provides 2 APIs
DIY:
Thanks for the Javascript test code from Neil Chen (neil.chen.nj@gmail.com)
dj-mongo-reader
├── dist
├── dj_mongo_reader.egg-info
├── djmongoreader
│   ├── static
│   │   └── dj-mongo-reader
│   │       └── js
│   └── templates
│       └── dj-mongo-reader
└── example
    └── sampleapp
        ├── sampleapp
        └── templates
            └── dj-mongo-reader
cd dj-mongo-reader
heroku git:remote -a dj-mongo-reader
git subtree push --prefix example/sampleapp heroku master
git push heroku `git subtree split --prefix example/sampleapp master`:master --force
[ERROR] 2015-01-15 18:07:40,933 url fetch error: xxx.xxxx.com, HTTP 599: gnutls_handshake() failed: Illegal parameter, 599 ...
import logging
from tornado import httpclient
try:
    import pycurl
    logging.info("py curl version:%s" % pycurl.version)
    httpclient.AsyncHTTPClient.configure(
        "tornado.curl_httpclient.CurlAsyncHTTPClient", max_clients=1000
    )
    logging.info("curl found, use curl client")
except ImportError:  # only the missing module should fall back to the default client
    logging.warning("run pip install pycurl for better performance")
Workaround: pass validate_cert=False in the HTTP client's fetch method. Note that this disables certificate verification for that request, so it trades the handshake error for a connection that no longer authenticates the server.
python
>>> import pycurl
>>> pycurl.version_info()
(3, '7.35.0', 467712, 'x86_64-pc-linux-gnu', 50877, 'GnuTLS/2.12.23', 0, '1.2.8', ('dict', 'file', 'ftp', 'ftps', 'gopher', 'http', 'https', 'imap', 'imaps', 'ldap', 'ldaps', 'pop3', 'pop3s', 'rtmp', 'rtsp', 'smtp', 'smtps', 'telnet', 'tftp'), None, 0, '1.28')
On my dev machine, it's linked with OpenSSL instead of GnuTLS. So, I reinstalled pycurl with OpenSSL.
apt-get update
apt-get install -y curl libcurl3-openssl-dev
pip uninstall -y pycurl
export PYCURL_SSL_LIBRARY=openssl
pip install pycurl
python
>>> import pycurl
>>> pycurl.version_info()
(3, '7.35.0', 467712, 'x86_64-pc-linux-gnu', 50877, 'OpenSSL/1.0.1f', 0, '1.2.8', ('dict', 'file', 'ftp', 'ftps', 'gopher', 'http', 'https', 'imap', 'imaps', 'ldap', 'ldaps', 'pop3', 'pop3s', 'rtmp', 'rtsp', 'smtp', 'smtps', 'telnet', 'tftp'), None, 0, '1.28')