Using rest in post-auth
Hi, This is more a philosophical question then a practical one, as our current setup works for us. We run a 'frontend' server that proxies requests to a number of backends, those backends reply with a number of attributes that define the service. We check the attributes to make sure they form a logical setup. One of those checks is quite convoluted and we've resorted to turning it into a REST call. Since the rlm_rest doesn't support post-proxy we make that call in post-auth. We only reject a session in unusual circumstances (generally we modify the attributes and admit the session, or drop it into a "walled-garden" setup), so every time we send a reject - we update Reply-Message that we log using linelog in "Post-Auth-Type Reject". That makes it easy to troubleshoot. Now, with the rlm_rest module as far a we can tell there is no way to reject a session and update the Reply-Message in one go. Even if we return 'Auth-Type := Reject' the session still get's admitted, if the code is 401 - then the session is rejected, but the body is not parsed (as per the docs). For now we've settled on an internal attribute that signals that the session should be rejected, and we return it from REST (together with the Reply-Message), and later look for it to change Auth-Type to Reject. I was wondering if there is any simpler way of doing it. kind regards Pshem
On 12 Jun 2016, at 22:44, Pshem Kowalczyk <pshem.k@gmail.com> wrote:
Hi,
This is more a philosophical question then a practical one, as our current setup works for us.
We run a 'frontend' server that proxies requests to a number of backends, those backends reply with a number of attributes that define the service. We check the attributes to make sure they form a logical setup. One of those checks is quite convoluted and we've resorted to turning it into a REST call. Since the rlm_rest doesn't support post-proxy we make that call in post-auth.
You can do post-proxy { rest.post-auth } if you like...
We only reject a session in unusual circumstances (generally we modify the attributes and admit the session, or drop it into a "walled-garden" setup), so every time we send a reject - we update Reply-Message that we log using linelog in "Post-Auth-Type Reject". That makes it easy to troubleshoot.
Now, with the rlm_rest module as far a we can tell there is no way to reject a session and update the Reply-Message in one go. Even if we return 'Auth-Type := Reject' the session still get's admitted, if the code is 401 - then the session is rejected, but the body is not parsed (as per the docs). For now we've settled on an internal attribute that signals that the session should be rejected, and we return it from REST (together with the Reply-Message), and later look for it to change Auth-Type to Reject.
I was wondering if there is any simpler way of doing it.
Assuming you're not using the authentication behaviour elsewhere post-auth { rest.authenticate } Then you can return 401 and get the body decoded. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Hi, On Mon, 13 Jun 2016 at 15:09 Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
{cut}
We run a 'frontend' server that proxies requests to a number of backends, those backends reply with a number of attributes that define the service. We check the attributes to make sure they form a logical setup. One of those checks is quite convoluted and we've resorted to turning it into a REST call. Since the rlm_rest doesn't support post-proxy we make that call in post-auth.
You can do
post-proxy { rest.post-auth }
if you like...
Ok, this could help, but in our case is more cosmetic than anything (we have some other stuff in post-auth anyway). {cut}
Now, with the rlm_rest module as far a we can tell there is no way to reject a session and update the Reply-Message in one go. Even if we return 'Auth-Type := Reject' the session still get's admitted, if the code is 401 - then the session is rejected, but the body is not parsed (as per the docs). For now we've settled on an internal attribute that signals that the session should be rejected, and we return it from REST (together with the Reply-Message), and later look for it to change Auth-Type to Reject.
I was wondering if there is any simpler way of doing it.
Assuming you're not using the authentication behaviour elsewhere
post-auth { rest.authenticate }
Then you can return 401 and get the body decoded.
ok, we use unlang to verify a number of conditions and only use REST if the result returned by unlang is not conclusive enough to determine the outcome (for example the data for the particular user is not cached locally yet or the cache expired) . I don't have access to a test system right now, but will 'rest.authenticate' allow us to reject from unlang as well (in post-auth).
kind regards Pshem
the result returned by unlang is not conclusive enough to determine the outcome (for example the data for the particular user is not cached locally yet or the cache expired) . I don't have access to a test system right now, but will 'rest.authenticate' allow us to reject from unlang as well (in post-auth).
Should loop back round to run Post-Auth-Type reject { } If you reject within the post-auth section. Or you can do rest.authenticate { reject = 1 } if (reject) { ... stuff } -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
participants (2)
-
Arran Cudbard-Bell -
Pshem Kowalczyk