Cloudify lets you extend the user authentication mechanism so that you can support different external authentication services.
You can authenticate users with the basic username/password support in Cloudify or you can configure your Manager to integrate with an external authenticator, such as an LDAP-based user-management system. External authentication is an extension to the Cloudify Manager not included in the standard Manager installation.
To support a new external authentication mechanism, you must add a dedicated module in the specified format to a specific location in the Manager and restart the REST services.
Managing external authentication in Cloudify
You can add the external authentication modules at any time after you install the Cloudify Manager. The Cloudify module that interacts with the authentication modules is the
ExtendedAuthHandler module. The
ExtendedAuthHandler module loads all of the authentication modules from these folders:
You can use the authentication modules that are in the
cloudify_premium package, located at
cloudify_premium/authentication, as a reference implementation or as a base implementation that can be modified for your needs.
Authenticator Base Module
Each authenticator module inherits from the
AuthBase class. The
AuthBase contains the common tasks relevant to user authentication, including Cloudify user creation, and user group and tenant update, if needed.
A very simple example to authenticate the user “meme”:
from cloudify_premium.authentication.auth_base import AuthBase, UserData class MyAuthentication(AuthBase): def _authenticate_request(self, request): auth = request.authorization if auth and auth.username == "meme": return UserData(auth.username) return None configure = MyAuthentication().configure
This is not a practical example, but it does show the high-level requirements of the authentication module.
- Inherit from
- Include authentication logic for every request
- Add a module-level
configurevariable that holds the authenticator’s
In this example,
_authenticate_request is overridden to verify the username and to return a
UserData object that contains the given username. A relevant Cloudify user is created according to the
As mentioned, the
AuthBase module implements the basic functionality for Cloudify user authentication and management. You can override this functionality to support any type of external authentication. Other important methods are:
configure method is called once and returns the object (
None if the object should not be created. By default,
self, which means that the authenticator is added to the authenticators pool. For example, the implementation in the LDAP authenticator is:
def configure(self, logger): """ Set the object instance. Being called after the configuration is loaded """ if not config.instance.ldap_server: return None self.logger = logger self._ldappy = self._get_ldappy() return self
In this example, if LDAP info is not found in the configuration, then the LDAP authenticator is not used.
can_handle_auth_request method shows if a specific request is valid for the current authenticator. By default, the method returns
True, which means that the authenticator is a valid authentication for any request. For example, the implementation in the LDAP authenticator is:
def can_handle_auth_request(self, request): """ Validate that this authenticator can handle auth process, for given request """ return request.authorization and self._ldappy
In this example, the LDAP authenticator handles only requests that contain authorization information, and only if there is a valid
The handle_auth_request method is the actual method that does user authentication for a given request. It triggers a call to the
_authenticate_request method and acts according to the response. In the case of a
UserData information, it will create/update a Cloudify user and return it. In the case of a
Response object, it will just return the response.
LDAP/OKTA Reference Implementation
In version 4.3 and below, LDAP and OKTA authentication modules were included with Cloudify Manager. Starting version 4.4, LDAP and OKTA support is converted to the new external authentication method.
The OKTA and LDAP authentication implementations are located at
cloudify_premium/authentication. As with other external authentication services, you can change the authentication module and restart the REST service with the command:
sudo supervisorctl restart cloudify-restservice.