Replace freeipa auth backend by pam auth backend for userportal

ComputeCanada · Aug 18, 2023 · 62dde86 · 62dde86
1 parent 7d9769f
commit 62dde86
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 17 deletions.
diff --git a/data/common.yaml b/data/common.yaml
@@ -222,7 +222,7 @@ profile::slurm::base::os_reserved_memory: 512
 profile::slurm::controller::autoscale_version: '0.2.3'
 
 profile::accounts::project_regex: '(ctb|def|rpp|rrg)-[a-z0-9_-]*'
-profile::users::ldap::access_tags: ['login:sshd', 'node:sshd', 'proxy:jupyterhub-login']
+profile::users::ldap::access_tags: ['login:sshd', 'node:sshd', 'proxy:jupyterhub-login', 'mgmt:login']
 profile::users::ldap::users:
   'user':
     count: "%{alias('terraform.data.nb_users')}"

diff --git a/site/profile/manifests/userportal.pp b/site/profile/manifests/userportal.pp
@@ -251,15 +251,13 @@
     ],
   }
 
-  # Need to use this fork to manage is_staff correctly
-  # https://github.com/enervee/django-freeipa-auth/pull/9
-  -> exec { 'pip install django-freeipa-auth':
-    command => 'pip3 install https://github.com/88Ocelot/django-freeipa-auth/archive/d77df67c03a5af5923116afa2f4280b8264b4b5b.zip',
+  exec { 'pip install django-pam':
+    command => 'pip3 install django-pam',
     path    => [
       '/opt/software/userportal-env/bin',
       '/usr/bin',
     ],
-    creates => '/opt/software/userportal-env/lib/python3.8/site-packages/freeipa_auth/backends.py',
+    creates => '/opt/software/userportal-env/lib/python3.8/site-packages/django_pam/__init__.py',
     require => [Exec['userportal_venv']],
   }
 }

diff --git a/site/profile/templates/userportal/99-local.py.epp b/site/profile/templates/userportal/99-local.py.epp
@@ -12,7 +12,7 @@ INSTALLED_APPS = [
     'django.contrib.messages',
     'django.contrib.staticfiles',
     'django.contrib.humanize',
-    'freeipa_auth',
+    'django_pam',
     'watchman',
 
     'pages',
@@ -68,21 +68,12 @@ STATIC_URL = '/static/'
 STATIC_ROOT = '/var/www/userportal-static/'
 
 AUTHENTICATION_BACKENDS = [
+    'django_pam.auth.backends.PAMBackend',
     'django.contrib.auth.backends.ModelBackend',
-    'freeipa_auth.backends.FreeIpaRpcAuthBackend',
 ]
 
 LOGIN_URL = '/accounts/login/' # So it does not use SAML2
 
-FREEIPA_AUTH_BACKEND_ENABLED = True
-FREEIPA_AUTH_SERVER = "ipa.int.<%= $domain_name %>"
-FREEIPA_AUTH_SSL_VERIFY = False#'/etc/pki/tls/certs/ca-bundle.crt'
-FREEIPA_AUTH_UPDATE_USER_GROUPS = True
-FREEIPA_AUTH_ALWAYS_UPDATE_USER = True
-FREEIPA_AUTH_USER_ATTRS_MAP = {"first_name": "givenname", "last_name": "sn", "email": "mail"}
-FREEIPA_AUTH_SERVER_TIMEOUT = 5
-FREEIPA_AUTH_STAFF_GROUPS = ['admins']
-
 EXPORTER_INSTALLED = [
     'slurm-job-exporter',
     'node_exporter',