Basic Auth in your LA node without CAS - AtlasOfLivingAustralia/documentation GitHub Wiki

If you need to use LA software without the CAS authentication system (for instance in an initial deployment), there are two main steps to protect your /admin/ web interfaces:

  • Configure Basic Auth in your proxy
  • Disable CAS in the different services you are deploying

Keep in mind that without CAS several things currently do not work in your services, such as:

  • the new download plugin
  • some functionality in image-service like select/delete & albums
  • some species-lists actions such as deletion, setting the 'authoritative' flag, ...
  • some spatial admin tasks
  • etc

Basic Apache Authentication in LA

Let's use the collectory service as an example. First you need to find out what is authenticated via CAS by default, so we run:

$ grep uri_filter_pattern ansible/roles/collectory/templates/config/*
security.cas.uriFilterPattern={{ collectory_uri_filter_pattern | default('/admin.*,/admin/.*,/admin/.*/.*,/collection.*,/institution.*,/contact.*,/reports.*,/providerCode.*,/providerMap.*,/dataProvider.*,/dataResource.*,/dataHub.*,/manage/.*') }}

and translate this filter into Basic Auth rules (in this example using Apache).

You need to run a2enmod include to be able to use includes.

Use passwd to create and manage users in, for instance, /etc/apache2/la-users-password.

Then create the /etc/la directory and a file like:

# /etc/la/basic-auth.conf
AuthType Basic
AuthName "Authentication Required"
AuthUserFile /etc/apache2/la-users-password
<RequireAny>
  Require env noauth
  Require env REDIRECT_noauth
  Require valid-user
</RequireAny>

Then create an admin-collectory.conf file that requests authentication for each path in the previous CAS filter:

# /etc/la/admin-collectory.conf
<Location /admin>
  Include /etc/la/basic-auth.conf
</Location>
<Location /collection>
  Include /etc/la/basic-auth.conf
</Location>
<Location /institution>
  Include /etc/la/basic-auth.conf
</Location>
(...)
<Location /manage>
  Include /etc/la/basic-auth.conf
</Location>

This sample is truncated.

Then include /etc/la/admin-collectory.conf in your collectory vhost configuration, like this:

<VirtualHost *:443>
  ServerName collectory.yourlivingatlas.org
  (...)
  Include /etc/la/admin-collectory.conf

  ErrorLog ${APACHE_LOG_DIR}/error.log
  (...)
</VirtualHost>
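
The truncated admin-collectory.conf above can also be generated from the filter itself, so that no path protected by CAS is left without Basic Auth. The following shell functions are an added example, not part of the LA wiki or its ansible roles: each pattern is cut at its first `.*` to get a literal path prefix, and one `<Location>` block is emitted per distinct prefix. The names `filter_prefixes` and `gen_locations` are made up for this example; the filter string is the collectory default shown by the grep above.

```shell
#!/bin/sh
# Added example: build /etc/la/admin-collectory.conf from a CAS uriFilterPattern.
# FILTER is the collectory default printed by the grep earlier on this page.
FILTER='/admin.*,/admin/.*,/admin/.*/.*,/collection.*,/institution.*,/contact.*,/reports.*,/providerCode.*,/providerMap.*,/dataProvider.*,/dataResource.*,/dataHub.*,/manage/.*'

# filter_prefixes FILTER
# Prints one literal path prefix per line:
#   1. split the comma-separated patterns,
#   2. cut each pattern at its first ".*" and drop a trailing slash,
#   3. keep plain paths only, so nothing unexpected reaches the Apache config,
#   4. remove duplicates while keeping the original order.
filter_prefixes() {
  printf '%s\n' "$1" | tr ',' '\n' |
    sed -e 's/\.\*.*$//' -e 's:/*$::' |
    grep -E '^/[A-Za-z0-9_/-]+$' |
    awk '!seen[$0]++'
}

# gen_locations FILTER [INCLUDE_FILE]
# Prints one <Location> block per prefix, each including the shared
# Basic Auth settings (default: /etc/la/basic-auth.conf, as on this page).
gen_locations() {
  inc=${2:-/etc/la/basic-auth.conf}
  filter_prefixes "$1" | while IFS= read -r p; do
    printf '<Location %s>\n  Include %s\n</Location>\n' "$p" "$inc"
  done
}

# Usage (as root):
#   gen_locations "$FILTER" > /etc/la/admin-collectory.conf
#   apache2ctl configtest
```

Compare the output of `filter_prefixes` with the filter before deploying: a pattern that does not reduce to a plain path is dropped by the `grep` step and needs a hand-written block.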

Disabling CAS in your inventories

Next, leave the previous security.cas.uriFilterPattern blank in each service and disable CAS.

For instance, in collectory, after running ansible you should get something like:

security.cas.uriFilterPattern=
security.cas.bypass=true
disableCAS=true

in your /data/ala-collectory/config/ala-collectory-config.properties.

Keep in mind that each service uses a different ansible variable name for this filter. So with:

bie_base_uri_filter_pattern=
bie_index_uri_filter_pattern=
collectory_uri_filter_pattern=
images_uri_filter_pattern=
specieslist_uri_filter_pattern=
logger_uri_filter_pattern=
regions_uri_filter_pattern=
biocache_hub_uri_filter_pattern=
bypass_cas=true

adapted to your inventory or inventories, you'll disable CAS in these services.

In the future, if you install a CAS system, you can comment out these filters (so ansible will use the default filter value) and set bypass_cas=false to enable CAS authentication.
