Provide authentication using local files
New in version 2018.3.0.
The file auth module allows simple authentication via local files. Different filetypes are supported, including:
Text files, with passwords in plaintext or hashed
Apache-style htpasswd files
Apache-style htdigest files
Note: The python-passlib library is required when using a ^filetype of htpasswd or htdigest.
The simplest example is a plaintext file with usernames and passwords:
external_auth:
  file:
    ^filename: /etc/insecure-user-list.txt
    gene:
      - .*
    dean:
      - test.*
In this example the /etc/insecure-user-list.txt file would be formatted as follows:
dean:goneFishing
gene:OceanMan
^filename is the only required parameter. Any parameter that begins with
a ^ is passed directly to the underlying file authentication function
via kwargs, with the leading ^ being stripped.
The text file option is configurable to work with legacy formats:
external_auth:
  file:
    ^filename: /etc/legacy_users.txt
    ^filetype: text
    ^hashtype: md5
    ^username_field: 2
    ^password_field: 3
    ^field_separator: '|'
    trey:
      - .*
This would authenticate users against a file of the following format:
46|trey|16a0034f90b06bf3c5982ed8ac41aab4
555|mike|b6e02a4d2cb2a6ef0669e79be6fd02e4
2001|page|14fce21db306a43d3b680da1a527847a
8888|jon|c4e94ba906578ccf494d71f45795c6cb
Note: The hashutil.digest execution function is used for comparing hashed passwords, so any algorithm supported by that function will work.
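How the text filetype options described above pick fields out of each line and compare a digest, as an added Python example rather than Salt's own code. The names check_text_auth, SAMPLE and LEGACY are hypothetical, the constructed sample uses sha256 instead of the legacy md5, and stored digests are assumed to be lowercase hex.

```python
import hashlib
import hmac


def check_text_auth(lines, username, password, hashtype="plaintext",
                    field_separator=":", username_field=1, password_field=2):
    """Check username/password against text-file entries.

    Parameter names and defaults follow the documented ^ options;
    the logic is an illustration, not Salt's implementation.
    """
    if username_field < 1 or password_field < 1:
        raise ValueError("field numbers start at 1")
    if hashtype == "plaintext":
        supplied = password
    else:
        # Assumption: the file stores lowercase hex digests.
        supplied = hashlib.new(hashtype, password.encode("utf-8")).hexdigest()
    u_idx, p_idx = username_field - 1, password_field - 1
    for line in lines:
        fields = line.strip().split(field_separator)
        if len(fields) <= max(u_idx, p_idx):
            continue  # blank or malformed line: skip instead of raising
        if fields[u_idx] != username:
            continue
        # First matching entry decides; compare in constant time.
        return hmac.compare_digest(fields[p_idx].encode("utf-8"),
                                   supplied.encode("utf-8"))
    return False


def _sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Constructed sample in the id|username|digest layout; passwords are made up.
SAMPLE = [
    "46|trey|" + _sha256_hex("constructed-pw-1"),
    "line-with-too-few-fields",
    "555|mike|" + _sha256_hex("constructed-pw-2"),
]
LEGACY = dict(hashtype="sha256", field_separator="|",
              username_field=2, password_field=3)

if __name__ == "__main__":
    for user, pw in [("trey", "constructed-pw-1"), ("trey", "wrong"), ("page", "x")]:
        print(user, check_text_auth(SAMPLE, user, pw, **LEGACY))
```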
There is also support for Apache-style htpasswd and htdigest files:
external_auth:
  file:
    ^filename: /var/www/html/.htusers
    ^filetype: htpasswd
    cory:
      - .*
When using htdigest the ^realm must be set:
external_auth:
  file:
    ^filename: /var/www/html/.htdigest
    ^filetype: htdigest
    ^realm: MySecureRealm
    cory:
      - .*
File based authentication
^filename
    The path to the file to use for authentication.
^filetype
    The type of file: text, htpasswd, htdigest.
    Default: text
^realm
    The realm required by htdigest authentication.
Note: The following parameters are only used with the text filetype.
^hashtype
    The digest format of the password. Can be plaintext or any digest available via hashutil.digest.
    Default: plaintext
^field_separator
    The character to use as a delimiter between fields in a text file.
    Default: :
^username_field
    The numbered field in the text file that contains the username, with numbering beginning at 1 (one).
    Default: 1
^password_field
    The numbered field in the text file that contains the password, with numbering beginning at 1 (one).
    Default: 2