Editing the Authentication Module

The Authentication Module is the bridge through which ScaleArc authenticates users against an authentication scheme that resides outside ScaleArc.

With such a setup, ScaleArc retains the flexibility to edit the bridge as required to perform authentication with various third-party REST-based authentication products. Contact ScaleArc support if you require specific assistance in editing the authentication module for your environment.

Customizing the Authentication Module

The Authentication Module is used to authenticate ScaleArc UI admin users. The module is user-editable and Python 2.6 compatible, and end users can enhance it to meet their specific authentication configuration requirements. The UI authentication subsystem of ScaleArc uses it as a plugin module with a pre-defined I/O interface, invoked through a method call.

Prerequisites

The module requires a new-style Python class named rest_admin_auth with a public method called "authenticate". This method takes two parameters, "username" and "password". The response is returned as a dictionary.

Customization steps

Follow these general steps to customize the authentication module:

  1. Click on the SETTINGS menu > User Management > Authentication Configuration from the ScaleArc dashboard.
  2. Enable Edit Authentication Module to edit the source code that controls the authentication logic.
  3. Edit the authentication module, using the guidelines below.
  4. Click Test Configuration when done to test the edited authentication module.
  5. Click Apply when done. In the pop-up, enter a valid username/password to test and validate this authentication. 

Default ScaleArc Authentication Module 

ScaleArc ships with a default Authentication Module for authentication against the HashiCorp Vault authentication server. However, with minor changes, the module can be used to authenticate against other REST API-based authentication servers.

Class: rest_auth

The default authentication module inherits from an abstract base class called rest_auth, which has the following methods:

Method Description
pre_auth() Used to set up communication to the authentication server or API. In the default authentication module, it is used to unseal the Vault server. This method does not accept any parameters.
post_auth() Used to destroy any connection with the authentication server during authentication. This method can be used to seal the authentication server after login. It does not accept any parameters.
logout() Used, if required, to log out of any session. This method does not accept any parameters.

execute_rest_api(url, method, data, timeout=30, retries=3) Used to fetch any RESTful API result by providing the following parameters:

Parameter Description
URL The URL to be used to fetch the API result. Data type is a string.
Method The HTTP method used. For example, GET/POST/PUT/DELETE. Data type is a string.
Data Contains the data to be passed to the HTTP API. Data type is a dictionary.
Timeout Contains the URL timeout to be used. Data type is an integer. Default = 30
Retries Contains the number of retries to attempt if the URL fetch fails. Data type is an integer. Default = 3

authenticate(username, password) Called by the ScaleArc UI authentication sub-system. Here's an example of a sample request and response:

Sample request
authenticate <username>, <password>

where

Parameter Description
Username Contains the username to be authenticated. Data type is a string.
Password Contains the password to be authenticated. Data type is a string.

Sample response
Response_ScaleArc = {
    'auth_status': False,
    'access_token': None,
    'policies': None,
    'group_name': None,
    'err_message': None
}

where

Field Description
auth_status True signifies authentication was successful; False signifies authentication failed. The data type is Boolean (True/False).
access_token Set when the authentication server provides an access token for authorization purposes. Currently, ScaleArc does not use this setting. Data type is a string.
policies Set when the authentication server provides ScaleArc with a Role/Policy name that can be used to authorize the user for specific tasks in ScaleArc. This is used for RBAC implementation. The data type is a list.
group_name If the user belongs to a group, the group name is specified in this parameter. This setting is used for group-based authentication. Data type is a string.
err_message Specifies the type of error when authentication fails; can be used to debug/trace the root cause of the error. Data type is a string.

 

Additional methods

These are additional methods for the Authentication Module:

Method Description
__init__() This is the constructor for the class rest_admin_auth.
validate_config() Validates the authentication configuration data specified by the server.
set_attrs() Sets various attributes from the authentication configuration which are later used by other methods while authenticating. For example, parameters from META_CONF_INFO such as IP, port, and keys are used to set different attributes like rest_api_url, auth_type, access_token, etc.
check_vault_seal_status() Checks the Vault server's seal status.
unseal_vault() Unseals the Vault server.
seal_vault() Seals the Vault server.
translate_response(auth_response) Translates the response provided by the authentication server into a format understood by the ScaleArc authentication sub-system. The auth_response parameter can be in any data format, according to the authentication server. For Vault servers, the response format is JSON/Python dictionary.
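
Added example (not ScaleArc's shipped module): a minimal rest_admin_auth that ties authenticate() and translate_response() to the response dictionary described above, denying on any error or malformed reply. It assumes execute_rest_api returns the parsed JSON body and that the server speaks Vault's userpass login API; the rest_auth stand-in, the denied() helper, the base_url argument and all sample values are constructed for illustration.

```python
try:
    from urllib import quote            # Python 2 (the module targets 2.6)
except ImportError:
    from urllib.parse import quote      # Python 3


class rest_auth(object):
    """Stand-in for ScaleArc's base class; replies are constructed samples."""
    def execute_rest_api(self, url, method, data, timeout=30, retries=3):
        if url.endswith('/login/alice') and data.get('password') == 's3cret':
            return {'auth': {'client_token': 'constructed-token',
                             'policies': ['scalearc-admin']}}
        return {'errors': ['invalid username or password']}


def denied(message):
    """Hypothetical helper: the failed-authentication response dictionary."""
    return {'auth_status': False, 'access_token': None, 'policies': None,
            'group_name': None, 'err_message': message}


class rest_admin_auth(rest_auth):
    def __init__(self, base_url='https://vault.example.internal:8200'):
        self.rest_api_url = base_url    # hypothetical value; see set_attrs()

    def translate_response(self, auth_response):
        # Anything that is not a well-formed success is treated as a denial.
        if not isinstance(auth_response, dict):
            return denied('malformed response')
        auth = auth_response.get('auth')
        if not isinstance(auth, dict) or not auth.get('client_token'):
            errors = auth_response.get('errors') or ['malformed response']
            return denied('; '.join(str(e) for e in errors))
        if not isinstance(auth.get('policies'), list):
            return denied('policies missing or not a list')
        return dict(denied(None), auth_status=True,
                    access_token=auth['client_token'], policies=auth['policies'])

    def authenticate(self, username, password):
        try:
            # The username becomes a URL path segment, so percent-encode it.
            url = '%s/v1/auth/userpass/login/%s' % (
                self.rest_api_url, quote(username, safe=''))
            raw = self.execute_rest_api(url, 'POST', {'password': password})
            return self.translate_response(raw)
        except Exception as exc:
            # Deny on any failure; report only the type, never the credentials.
            return denied('auth backend error: %s' % type(exc).__name__)
```

Because policies drives RBAC in ScaleArc, the type check in translate_response keeps a string such as 'root' from being passed through where a list is expected.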
