I. Background
Single sign-on (SSO) means that across a set of application systems a user logs in only once and can then access every system that trusts the same authentication source.
Several open-source single sign-on solutions exist; among them, CAS (Central Authentication Service), developed at Yale University, is one of the most widely deployed implementations.
HUE does not support CAS out of the box. django-cas-ng is a CAS client for the Django framework, and with a few modifications it can be integrated into HUE to give HUE single sign-on.
II. Environment
HUE version: 3.9.0
django-cas-ng version: 3.4.2
CAS Server: JASIG
III. Implementation
1. Copy the django-cas-ng-3.4.2 directory, with its contents, into desktop/core/ext-py.
2. Edit desktop/core/src/desktop/middleware.py.
import django_cas_ng.views

# Views that HUE's login middleware serves without an authenticated HUE user.
# The CAS login view must be listed here, otherwise HUE would redirect the
# unauthenticated request to the login page in a loop.
DJANGO_VIEW_AUTH_WHITELIST = [
    django_cas_ng.views.login,
    django.views.static.serve,
    desktop.views.is_alive,
]
3. Edit desktop/core/src/desktop/settings.py.
Add 'django_cas_ng.middleware.CASMiddleware' to MIDDLEWARE_CLASSES.
Add CAS_SERVER_URL = 'http://100.0.1.1:8080/cas/login' anywhere in the file; the value is the URL of the CAS server. django-cas-ng builds the login and ticket-validation URLs by joining 'login' and 'serviceValidate' onto this value with urljoin, which replaces the last path segment, so the value above resolves to .../cas/login and .../cas/serviceValidate as intended; the CAS server's base URL ending in /cas/ works equally well and is the cleaner form.
4. Edit desktop/core/src/desktop/urls.py. HUE's own login/logout routes are commented out and replaced by the django-cas-ng views.
dynamic_patterns = patterns('desktop.auth.views',
    #(r'^accounts/login/$', 'dt_login'),
    #(r'^accounts/logout/$', 'dt_logout', {'next_page':'/'}),
    (r'^profile$', 'profile'),
    (r'^login/oauth/?$', 'oauth_login'),
    (r'^login/oauth_authenticated/?$', 'oauth_authenticated'),
)

dynamic_patterns += patterns('',
    (r'^accounts/login/', 'django_cas_ng.views.login'),
    (r'^accounts/logout/', 'django_cas_ng.views.logout'),
    (r'^admin/', include(admin.site.urls)),
)
5. Edit desktop/core/src/desktop/auth/backend.py.
The CASBackend class below is adapted from the CASBackend class in django_cas_ng/backends.py with a few HUE-specific changes (default group membership and rewrite_user).
from django.conf import settings
from django.contrib.auth.models import User
from django_cas_ng.backends import _verify
from django_cas_ng.signals import cas_user_authenticated

# get_default_user_group and rewrite_user are already available in HUE's
# backend.py (imported from useradmin.models / defined in this module) and
# are reused here unchanged.


class CASBackend(object):
    """CAS authentication backend"""

    def authenticate(self, ticket, service, request):
        """Verifies CAS ticket and gets or creates User object"""
        # _verify calls the CAS server's serviceValidate endpoint; it returns
        # (None, {}) when the ticket is rejected or the reply is unusable.
        username, attributes = _verify(ticket, service)
        if attributes:
            request.session['attributes'] = attributes
        if not username:
            return None
        try:
            user = User.objects.get(username=username)
            created = False
        except User.DoesNotExist:
            # check if we want to create new users; if we don't, fail auth
            create = getattr(settings, 'CAS_CREATE_USER', True)
            if not create:
                return None
            # user will have an "unusable" password
            user = User.objects.create_user(username, '')
            created = True
            # HUE-specific: new users join HUE's default group
            default_group = get_default_user_group()
            if default_group is not None:
                user.groups.add(default_group)
        # HUE-specific: attach HUE's user augmentation helpers and persist
        user = rewrite_user(user)
        user.save()
        # send the 'cas_user_authenticated' signal
        cas_user_authenticated.send(
            sender=self,
            user=user,
            created=created,
            attributes=attributes,
            ticket=ticket,
            service=service,
        )
        return user

    def get_user(self, user_id):
        """Retrieve the user's entry in the User model if it exists"""
        try:
            return rewrite_user(User.objects.get(pk=user_id))
        except User.DoesNotExist:
            return None
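The backend above trusts whatever _verify returns, so it is worth seeing what that step actually does with the CAS server's reply. The following is an added example, not HUE's or django-cas-ng's code: it parses a CAS 2.0 serviceValidate response into the same (username, attributes) pair the backend consumes, fails closed on authenticationFailure, an empty user element or malformed XML, and collects repeated attribute names into a list. The two XML documents are constructed samples with the standard CAS namespace.

```python
# Added example (not HUE's or django-cas-ng's code): parse a CAS 2.0
# /serviceValidate response the way a CAS client backend must before it
# trusts the username in it. The XML documents below are constructed samples.
import xml.etree.ElementTree as ET

CAS_NS = '{http://www.yale.edu/tp/cas}'

# Constructed: what the CAS server returns for a valid service ticket.
SUCCESS_XML = b"""<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>alice</cas:user>
    <cas:attributes>
      <cas:mail>alice@example.com</cas:mail>
      <cas:memberOf>analysts</cas:memberOf>
      <cas:memberOf>hue-users</cas:memberOf>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed: what the CAS server returns for an unknown or expired ticket.
FAILURE_XML = b"""<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    Ticket ST-1-abc not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""


def parse_service_validate(body):
    """Return (username, attributes) from a serviceValidate body.

    username is None unless the server reported authenticationSuccess with a
    non-empty <cas:user>; the caller must then treat the login as failed.
    Repeated attribute names are collected into a list.
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None, {}          # malformed reply: fail closed
    success = root.find(CAS_NS + 'authenticationSuccess')
    if success is None:
        return None, {}          # authenticationFailure or unexpected shape
    user_el = success.find(CAS_NS + 'user')
    username = (user_el.text or '').strip() if user_el is not None else ''
    if not username:
        return None, {}
    attributes = {}
    attrs_el = success.find(CAS_NS + 'attributes')
    if attrs_el is not None:
        for el in attrs_el:
            name = el.tag.replace(CAS_NS, '')
            value = (el.text or '').strip()
            if name in attributes:
                if not isinstance(attributes[name], list):
                    attributes[name] = [attributes[name]]
                attributes[name].append(value)
            else:
                attributes[name] = value
    return username, attributes


def failure_code(body):
    """Return the CAS failure code (e.g. INVALID_TICKET), or None on success."""
    root = ET.fromstring(body)
    failure = root.find(CAS_NS + 'authenticationFailure')
    return failure.get('code') if failure is not None else None


if __name__ == '__main__':
    print(parse_service_validate(SUCCESS_XML))
    print(parse_service_validate(FAILURE_XML), failure_code(FAILURE_XML))
```

The attributes dictionary is what the backend stores in request.session['attributes']; anything placed there should be treated as data asserted by the CAS server, not as a permission grant on its own.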
6. Edit desktop/conf/hue.ini. The backend setting lives under [desktop] [[auth]]; redirect_whitelist lives under [desktop] and is a comma-separated list of regular expressions (so no single pattern may contain a comma).
backend=desktop.auth.backend.CASBackend
redirect_whitelist=^\/.*$,^.*\/cas\/login.*$,^.*\/cas\/logout.*$
Note that ^.*\/cas\/login.*$ and ^.*\/cas\/logout.*$ accept those paths on any host; if the CAS server is the only external host HUE should ever redirect users to, anchoring the patterns to its scheme and host is the safer choice.
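To see what the whitelist from step 6 actually permits, here is an added example (not HUE's own code) that evaluates a redirect_whitelist value against a few constructed redirect targets. It assumes HUE applies the setting as follows: the ini value is split on commas, each entry is compiled as a regular expression, and a target is accepted when re.match succeeds for any entry. The tighter alternative pattern assumes the CAS server address 100.0.1.1:8080 from step 3.

```python
# Added example (not HUE's own code): evaluate a hue.ini redirect_whitelist.
# Assumption: HUE splits the value on commas, compiles each entry as a regex
# and accepts a redirect target if re.match succeeds for any entry.
# All URLs below are constructed.
import re

# The whitelist exactly as written in step 6 of this article.
ARTICLE_WHITELIST = r'^\/.*$,^.*\/cas\/login.*$,^.*\/cas\/logout.*$'

# A tighter alternative (assumed CAS host 100.0.1.1:8080 from step 3): only
# local paths and the CAS server's own login/logout endpoints are accepted.
TIGHT_WHITELIST = r'^\/.*$,^https?://100\.0\.1\.1:8080/cas/(login|logout)(\?.*)?$'


def compile_whitelist(value):
    """Split the ini value on commas and compile each non-empty entry."""
    return [re.compile(p) for p in value.split(',') if p]


def is_safe_redirect(url, whitelist):
    """True if any whitelist regex matches the target from its first character."""
    return any(regex.match(url) for regex in whitelist)


def check_targets(value, urls):
    """Map each candidate redirect target to the verdict the whitelist gives."""
    wl = compile_whitelist(value)
    return {u: is_safe_redirect(u, wl) for u in urls}


# Constructed redirect targets: two legitimate ones and two on external hosts
# whose paths merely contain the CAS path segments.
CANDIDATES = [
    '/hue/home',
    'http://100.0.1.1:8080/cas/logout',
    'http://evil.example/cas/login?x=1',
    'https://evil.example/anything/cas/logout',
]

if __name__ == '__main__':
    for name, value in (('article', ARTICLE_WHITELIST), ('tight', TIGHT_WHITELIST)):
        print(name, check_targets(value, CANDIDATES))
```

With the article's value, both external-host targets are accepted because ^.* matches any scheme and host; with the anchored value only the local path and the real CAS endpoint pass. Re-run the check whenever the whitelist or the CAS server address changes.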