External authentication for Django projects

Speech transcript (automatically generated)
hello many dimensions of the mind from another OK so thanks for being interested in all that aggression the situation of
or you have a application that you've developed and a large organization is interested in and they would like to divide or deployed and you're excited about and the thing is you've probably build it around jungle country off or something like that and maybe you expanded on it a little bit and maybe you've added a nice of management interface but there the organization wants employee also seems to have access to that of litigation and perhaps not just the employees of that application but all the partners and suppliers and maybe go on to customers and older people should have access to the workflow the idea workflow almost like this the new person joints the company H R it's a good speech are and put the person into the central point into the management system Active Directory possible at all they both the person into groups that somehow much what the person is supposed to do a lot groups to which person belongs and when the person that finally gives the false and what's we should be able to log in to any service that that is somehow related to the work that the use of a few of you hire a new finance person that person should be able to log to the finance accounting or whatever application right away if you're hi you network administrator again this should get the set all the to a domain words and say you know sort the and and then exists there all that's what management system all mature administration and be all too log and why solvers undefined people should not have access to the networking of management and the net and institutions from the north of the able to access the tax records the problem is but no 1 in the world enter those users into obligation not organization so when the new person is higher that application someone needs to learn about it you person about their access rights right ways of you know what it's going note none of the of those is going to type of person to be be dust into all multiple applications they only want good answer world where 
different organizations have different ideas and different requirements about what negation proper cross be use some sometimes it's discoverers typically if you have all of their career sometimes is all cards out sometimes it's some especially when you want to integrate this all other companies sometimes often your organization has the verified audited method of setting up close authentication mechanisms using some from time http server and they do they won't change it for your application maybe have standard that they want use so I'll probably do universe way I typically do it I'll do it the most First out so that you know what I'm talking about and if you think that it's too easy you can we find the more would suffer here
so I have created a server which is basically something like Active Directory just on online notes and I have balls account created here and I have a very simple and general obligation that that obligation to ideas
of it just shows was London and it shows the last but that's so only with
currently not loving and all that time mean has several that's not the situation and I also
have an identity provider which
is basically which provides me with some assertions and it's connected to the so that's the idea so
I have 3 machines while currently only exists in all 3 areas now I can 2 ways I can
either click log here in that applications article going
hear in that Central single-sign-on solution which right which would you prefer the OK so result in all on I know the
password I get all then of no when I come to the application
all I'm going to know that I could go
and i i got redirected to that all identity provider I get rejected by of the world now shows that the 12 certified it's our duty done so with some of which is the only the only block the book has sold them and not just the ball has acquired some privileges no wall either similarly because that's pretty cool well at the end of show you the same this terrorists and at the end you will be able to pick your own login so that you know that I'm not faking as so how doing good
I will assume that we have a party and John was running under under project and is that we want it to consume that the because standard remote user all all dedication results right so well how do you do it well since jungle 1 point 1 you have removed well so that's easy right you set on why there are at least 2 problems 1st of all of the modules are made aware of really expects your or or this is to be authenticated so even if as the results all that lets us and why did not show you and I probably should is if I look I have all 2 different far from the surroundings so if I had a fresh the view you can see that both account got created and actually not not just we don't know just know that it's but we also need this 1st and then also and so there's more than to just all the blog my
bound the amount of people once that 9 to be present in in that remote users a parabola or and or whatever you call it but what rest so your have a to maintain some systems and about which is kind of home replicating more general does anybody have jungle create created a session right for us or you will need to the old the old the old indicates upon that might have been fined by on it's the possible files and Basic authentication was used it's not find use cameras because you don't want to renegotiate contracts fell upon written request you don't want to really been negotiated once every hour the renegotiate summer 2nd problem is that if you use the standard although useful here it does not really understand 1 dollar user has already obligated while it still shows that blogging page even at the the jungle indicates the decision has already been created on what's the solution the or how how do we want to do what we want all extra and I don't want that the organization requires federalist or reduces the general B as so we summary shows an example is not known we wanted to be only created only enabled on 1 log your do or that we're all
thinking what to me from sign-on
otherwise I will not be able to to about here this is the living on talking about for some reason it doesn't show all all the little of its social so the solution to the
1st of problem is coming in general 1 when although we have new the additional Oracle persistent move to the middle of and it basically does what it says it will only require that remote user extra authentication be present when the jungle dedicated session is created or when the jungle system is Marcus authenticated and it will basically preserving untill you look out in general for the 2nd problem I've going with solution which basically I'm CQ or long something sensible all in each of the user the support indicated but unfortunately we need to write our own all of you all of you and if there is it can also inherited from all of the standard all or what you expect if we check that the user is authenticated we just redirect to whatever the landing page of that logging pages so if the user happens if the click the login page and the user happens to be authenticated before the handler directions to the vote because summing over kicks in and found that the motives populated all will just say well OK you be authenticated fine all Jack is currently very happy about this being the default and so all at the end of the presentation of the more links about how we want to so the problem maybe a little is that a problem at all no if you have only In modern applications that uses that user name the blocking is small enough applications 1 to some modifications to the people out there was a so there needs some reasonable in other obligations 1 crucial what i'm their maybe reports in and what them about and so they want some additional arguments about the user so yeah the proposal since they started with the remote user for the login was use remote user and undistorted for a few views of the all we've actually Standard In other words non jungle non typing projects and it seems to work pretty well all if you are using it as this is the basis violations that you can use more than 1 entity eparchy module 2 I don't think you're basically mapping of all or other tributes to all this 
environment rabbits use model bound for some of you can do the same so it's possible is if you have depending on x maybe a party made maybe engine acts in the future maybe some other from and server but if you have depending on its integration we should also somehow expect them all that that's the environment of front and http server is able to populate some other environment variables headers whatever you call it than just remote user the How do we consume those attributes in general I have remote users after middleware which basically all checks the user as see our old indicated in general the 1 matching the 100 so that there is a mismatch and I just use this all those of you who sets yet you thought you uses those number of arrivals or mentalities sets out the use for user and say point was that point if I had a pointer so what this means is that upon every class not just the mold user middleware creates the user which is what you would what would happen because you need to use record created in your application database otherwise you're foreign keys with 1 match that 1 had have anything to do with point to but when they are the phrase that user record whenever although it is usually start so we have fresh data about the about user by the way carefully to raise your hand and asked any times when you don't like something or when you're confused or when you want to add something now that's nice but I said at all we also want user membership to some relate to permissions that a person has been In that application so all the networking people mature admins will be both by H are to some groups which my down have more privileges in the network of of publication none of the normal people and it's not a morning things it's not likely you either get even you're completely out because for example all those people you also want them to have access to everything but we don't want so that they can check samples of all things if it's for example might be composed of a system 
of organization so if I have no idea hold us they need to be able to see in the frame it should not be able to to modify an effect only a few things maybe so based on their own group membership in Active Directory or somewhere else all the issues the given application-specific all the
similar if I look
impact as more the summarize both got this to
be our images here so here the proposal since we don't want June between the general schema to march we called have any special model especially political sometimes hold the but let's start small proposals if a In general starts with access called whenever a extraordinary user logs populate his or her membership in those text graphics all groups with whatever groups you find coming with that uses and why summaries of if the person is in that expert effects of and no longer you see our that being member of that group when they're are old indicated he moved down so that 1 the person changes departments or this working on the project you have 1 central place do do that something and all because propagated to any application which gets moved to the central server all Western to a mechanism all at the same time if the Administrator needs to say that yes this person even if they are not network administrator person they will need you have so the permission they can use any other unknown X graphics all roots and all manage their emissions and he invented relied on just proposing that all those as graphics on groups are somehow special and yes you the the use of the space and you know how we're going to want to that so long as used to have a the so you have to was only what would you do all of the you have for all that would be you all the time yeah you start with the problem that I did not want to get that deep in the store so your head so we said that we would have a that we could have remote user now 14 hours so 1 why not have remote user about 4 groups and all the way you can set it up and will become quite entity which just stopped using assesses the which is a always level what integration and identity social all of and the way it it is possible to remove all known in the in the coming coming the legend of part of the is that it populates grew underscore and so that you know how many groups are coming and then you have the individual arrivals list all bright and also 
would be have just cause separated by want to also the possible way and then we have the middle and just the perfect is is some hallmark wouldn't hear of because we I call that we need to start small and start some and then we look at the group that we get we look at the groups that we currently have and we basically all update what we have and and call
call this on and save the user and update views so I showed you how do how we can what made you in West can but we know
so that we have somehow the 1 state what user would you
want me to create don't say something well you you be resolved and that thank you OK all let me give her passport
charges and a small so
that you can more yes works who and I will know just
380 at home I've been
speaking true on server I need to worry authenticate administrator which would be much easier have shown the bottom of the page OK so we have penetrated what's called Benny into network of men's group because joined I. T. department just we just created by name what changing our interests
called what we have here addresses here so that you can trust me it's not just thinking so we have penetrated sorry we have penetrated 0
let's give it a Benny and carers it's from all by default 388 through the use of this boss which parts of the trees to fossil but all I had a ticket granting taken for those of you who are of fluent and cameras which basically means it's a good thing so was verified
what we have in the jungle obligations we still only have admin and Bob and now yeah I need to change the
configuration of that application because all but she has how fish to keep all I have it's still
images decline for some are here so was removed I could have used both but I don't want to complicate things and Chandra
extent controversial supported the come from the
prosodic eparchy and so
on and they have been single sign on this is what you would see you would see ATG these you brought in on your Windows machines well let's
click on now we can see that many household it is she did not have any pound if I refreshed now account is that I can see that the paramount versus there alright and I can check that money is a member of X that work admins group so per group membership that I created that I set up in poem 3 years not propagated all and if I look
at the network elements group that
I had created you can see that all it has is that is for randomly picked just for the purpose of this presentation permissions and not if I look at what the application so to planning it was just it exactly these 4 dimensions
conclusions so it is possible
June suffer multiple authentication mechanism results right particle now this is a fucking conference so you might not find that a good thing but 1st it might be required to that the front and authentication should be used because that's what the company for our government body and that implementation might actually be much harder than you can imagine all if you start France from scratch in jungle 109 it is possible through city you authentication enabled the text authentication enables departure or another another from the house just will belong in your and it will not survive is that of the system on what is the you need to be careful if you especially if you want that login page to still be available and external authentication because you might want users to use their moral about fullback did don't have a ticket and by the way they are just so that
you trust me that can happen you can see the HTTP service because it was created so it really was terrorist the authenticated panic now yes from Italy remote user was modeled indicated users and in general we have the functionality to create user automatically a ball the first one and for some time but these days you probably want more than that attitudes that user and yes you need to find a way to some how much what you have in our corporate identity management to attributes each and every application has to the to the model and more importantly of membership because you can only all permissions the groups and have permissions recreated and predefined and when the user gets created all the good properties and you come Houston
again we learn not writing a lot of Python called all we but not writing some for comparison but we are just consuming excellent indication depending on your view this is a good thing of all that thing so I I I welcome your questions and comments and there some points to go with this presentation and no really asking some
questions yes please it actually the sentiment so what about
federated low those at all don't I don't all the 1st
2nd Digital Identity Provider does supported on some of supported by depending on on the practical use it either possible or not so if you're thinking about the skills which if the person that's forests and you don't all about all I don't think that you will find a solution like a social so I was not focusing on the that would you be using the same method that if furious uh using the rules of law or
something like that for the organ of yes it's all all support so I'm sure how do more the you use it for authorization and depending on if you you well the there following horrible you will find in humans for the users visiting all it's the meeting the problem itself all the the gentleman my Christians speccy Priscilla sort more over the connect so that you know when I already have a single sign on base for example where the connected
using else the there is to it depend on the implementation jungle that it's positive connected or holders root cause you talking about a lot about to Burroughs or of but as ML so what is really necessary able to connect my singer on on while all my answer would be what does your support because trying to all I right not to do it in John I'm trying to build a framework is about more but all I'm trying to do finally the approach the jungle which will make it possible to use what we need other languages and frameworks you so if it's employment for or for some other from and that's that is available his without having to direct support for it the knowledge of the protocol John Watson of so if you all yes but at the end of the day you get all user and some aren't you so what 1 I wants use don't try to or maybe you don't want to try to address it in jungle maybe you want to find an existing solution for that I just to the result and he doesn't really matter how many countries the probable Monday it's going to use all of the the eventually you will get them remote user on the occasion of the user has authenticated and that's what you kind of follows and we actually used to work together and I'm wondering if there you have ever and made like it's alleging that that was each use keywords something else other Apache with evolved with their you whiskey versus another there and so rather than like Apache what we actually have a person working on on the module on on the modules for 4 and so we're trying to do some of stuff on the approach to not known about but we're still only focusing on a variety of common friends and again of it would be about implementing those the course you those additional services and then consuming the result in the hopefully some of the OK so thank you replacement

Metadata

Formal metadata

Title External authentication for Django projects
Series title EuroPython 2015
Part 13
Number of parts 173
Author Pazdziora, Jan
License CC Attribution - NonCommercial - ShareAlike 3.0 Unported:
You may use, modify, and reproduce, distribute and make publicly available the work or its content, in unmodified or modified form, for any legal and non-commercial purpose, provided that you credit the author/rights holder in the manner they specify and pass on the work or this content, including in modified form, only under the terms of this license.
DOI 10.5446/20135
Publisher EuroPython
Year of publication 2015
Language English
Production place Bilbao, Euskadi, Spain

Technical metadata

Duration 35:08

Content metadata

Subject area Computer science
Abstract Jan Pazdziora - External authentication for Django projects When applications get deployed in an enterprise environment or in large organizations, they need to support user accounts and groups that are managed externally, in existing directory services like FreeIPA or Active Directory, or federated via protocols like SAML. While it is possible to add support for these individual setups and protocols directly to application code or to Web frameworks or libraries, it is often better to delegate the authentication and identity operations to a frontend server and just assume that the application has to be able to consume the results of the external authentication and identity lookups. In this talk, we will look at the Django Web framework and how, with a few small changes to the framework and to the application, we can extend the functionality of the existing RemoteUserMiddleware and RemoteUserBackend to consume users coming from enterprise identity management systems. We will focus on using proven OS-level components such as SSSD for Web applications, but will also show a setup using federation.
Keywords EuroPython Conference
EP 2015
EuroPython 2015
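The abstract and the talk describe the application consuming what the frontend HTTP server has already established: REMOTE_USER plus extra attributes and group membership passed as server variables, with directory-managed groups replaced on every login so that a removal in the directory propagates. The following is an added example written for this page, not code from the talk, from Django or from any of the projects mentioned. It reproduces in plain Python (no Django import, so it runs stand-alone) what a customised RemoteUserBackend and the two RemoteUserMiddleware variants do with the WSGI environ. The variable names REMOTE_USER_GROUP_N, REMOTE_USER_GROUP_<i>, REMOTE_USER_GROUPS, the attribute variables REMOTE_USER_EMAIL/FIRSTNAME/LASTNAME, the "ext:" group prefix and the sample environ are all conventions assumed by this example.

```python
"""
Added example: consuming an externally authenticated user from the WSGI environ.
Variable names and the "ext:" prefix are assumptions of this example.
"""
from dataclasses import dataclass

# Constructed sample: what a frontend HTTP server that has already done the
# authentication and a directory lookup might hand to the application.
# REMOTE_USER_* are server variables. Anything the browser sent arrives under
# HTTP_*, so a client-supplied header can never be mistaken for a server variable.
SAMPLE_ENVIRON = {
    "REMOTE_USER": "benny@EXAMPLE.TEST",
    "REMOTE_USER_EMAIL": "benny@example.test",
    "REMOTE_USER_FIRSTNAME": "Benny",
    "REMOTE_USER_LASTNAME": "Tester",
    "REMOTE_USER_GROUP_N": "2",
    "REMOTE_USER_GROUP_1": "ipausers",
    "REMOTE_USER_GROUP_2": "network-admins",
    "HTTP_REMOTE_USER_GROUP_1": "admins",  # client-supplied header: ignored
}

EXTERNAL_PREFIX = "ext:"  # assumed naming convention for directory-managed groups


@dataclass(frozen=True)
class ExternalIdentity:
    username: str
    email: str
    first_name: str
    last_name: str
    groups: frozenset


def clean_username(remote_user):
    """Strip a Kerberos realm (user@REALM) so the local username stays short."""
    return remote_user.split("@", 1)[0]


def groups_from_environ(environ, prefix="REMOTE_USER_GROUP", separator=":"):
    """Read groups in the counted form (_N plus _1.._N) or the joined form (_S)."""
    count = environ.get(f"{prefix}_N")
    if count is not None:
        names = (environ.get(f"{prefix}_{i}") for i in range(1, int(count) + 1))
        return frozenset(g for g in names if g)
    joined = environ.get(f"{prefix}S", "")
    return frozenset(g for g in joined.split(separator) if g)


def identity_from_environ(environ):
    """Return the identity the frontend authenticated, or None if it did not."""
    remote_user = environ.get("REMOTE_USER")
    if not remote_user:
        return None
    return ExternalIdentity(
        username=clean_username(remote_user),
        email=environ.get("REMOTE_USER_EMAIL", ""),
        first_name=environ.get("REMOTE_USER_FIRSTNAME", ""),
        last_name=environ.get("REMOTE_USER_LASTNAME", ""),
        groups=groups_from_environ(environ),
    )


def sync_external_groups(current_groups, identity):
    """
    Group changes to apply on login. Directory-managed groups carry
    EXTERNAL_PREFIX and are replaced wholesale, so a removal in the directory
    propagates here; groups without the prefix were granted locally and are kept.
    Returns (groups_to_add, groups_to_remove).
    """
    desired = {EXTERNAL_PREFIX + g for g in identity.groups}
    managed = {g for g in current_groups if g.startswith(EXTERNAL_PREFIX)}
    return frozenset(desired - managed), frozenset(managed - desired)


def keep_session(session_username, environ, persistent):
    """
    Whether an existing application session survives this request.
    persistent=False mirrors RemoteUserMiddleware: REMOTE_USER must be present and
    match on every request. persistent=True mirrors PersistentRemoteUserMiddleware:
    REMOTE_USER is required only when the session is created, so a form login can
    coexist with single sign-on; a present but different REMOTE_USER still ends it.
    """
    identity = identity_from_environ(environ)
    if identity is None:
        return persistent
    return identity.username == session_username


if __name__ == "__main__":
    ident = identity_from_environ(SAMPLE_ENVIRON)
    print(ident)
    print(sync_external_groups({"ext:old-team", "local-reporters"}, ident))
```

In a real Django deployment the same logic lives in a RemoteUserBackend subclass (configure_user is the natural place to refresh attributes and call the group sync) and the session decision is made by whichever of the two middlewares is listed in MIDDLEWARE; the point the example makes is that every trust decision reads server-set variables, never HTTP_ headers, and that locally granted groups survive the per-login replacement.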
