Discussion:
[clug] authenticated RPC
jm
2014-09-10 04:38:51 UTC
Are there any RPC protocols out there that have
authentication/authorisation built in? It seems to have been overlooked
in every one I've looked at. I'm using python to write some middleware
to sit between a django front end on one server and a privileged service
on another, exposing a limited set of functionality. While I'll be
locking it down to only one or two IP addresses I'd still prefer to have
the extra level of protection of authentication. Not just as a means of
defence in depth, but also to stop other things on the front end server
from having access or to change what functionality is available
depending on the user.

Jeff.



Scott Ferguson
2014-09-10 05:33:45 UTC
Post by jm
Are there any RPC protocols out there that have
authentication/authorisation built in? It seems to have been overlooked
in every one I've looked at.
Quick Google gives:-
IBM
http://www-01.ibm.com/support/knowledgecenter/ssw_aix_61/com.ibm.aix.progcomc/rpc_auth.htm
Oracle Secure RPC
http://docs.oracle.com/cd/E23823_01/html/816-4557/auth-2.html
Google RPCAuth
Microsoft has one too.
Post by jm
I'm using python to write some middleware
to sit between a django front end on one server and a privileged service
on another, exposing a limited set of functionality. While I'll be
locking it down to only one or two IP addresses I'd still prefer to have
the extra level of protection of authentication. Not just as a means of
defence in depth, but also to stop other things on the front end server
from having access or to change what functionality is available
depending on the user.
Jeff.
HTH

Kind regards
Brad Hards
2014-09-11 02:00:34 UTC
Post by jm
Are there any RPC protocols out there that have
authentication/authorisation built in? It seems to have been overlooked
in every one I've looked at. I'm using python to write some middleware
to sit between a django front end on one server and a privileged service
on another, exposing a limited set of functionality. While I'll be
locking it down to only one or two IP addresses I'd still prefer to have
the extra level of protection of authentication. Not just as a means of
defence in depth, but also to stop other things on the front end server
from having access or to change what functionality is available
depending on the user.
Maybe something like Apache Etch would be a good fit?
http://etch.apache.org/index.html

TLS/SSL is one transport option, with password based authn possible within
that.

Note: Looked at it, but not tried it.

Brad
tmc
2014-09-11 02:05:07 UTC
Hi all
Post by Brad Hards
Post by jm
Are there any RPC protocols out there that have
authentication/authorisation built in? It seems to have been overlooked
in every one I've looked at. I'm using python to write some middleware
to sit between a django front end on one server and a privileged service
on another, exposing a limited set of functionality. While I'll be
locking it down to only one or two IP addresses I'd still prefer to have
the extra level of protection of authentication. Not just as a means of
defence in depth, but also to stop other things on the front end server
from having access or to change what functionality is available
depending on the user.
Maybe something like Apache Etch would be a good fit?
http://etch.apache.org/index.html
TLS/SSL is one transport option, with password based authn possible within
that.
Note: Looked at it, but not tried it.
If you do TLS, then you could do client certificate validation against a
known fingerprint, instead of a password. Depends on your application.

Cheers
Tomasz
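
Client certificate validation against a known fingerprint, as suggested above, using Python's ssl module. This is an added example, not code from the thread; the pinned value and the file-path parameters are constructed placeholders.

```python
import hashlib
import hmac
import ssl

# Constructed placeholder: SHA-256 fingerprints of the client certificates
# allowed to call the privileged service (here: a fake DER blob).
PINNED = {hashlib.sha256(b"constructed-django-frontend-cert-DER").hexdigest()}


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER encoding, as lowercase hex without colons."""
    return hashlib.sha256(der_cert).hexdigest()


def is_pinned(der_cert, pinned=PINNED) -> bool:
    """True only if the certificate's fingerprint is in the pinned set."""
    if not der_cert:                       # no client certificate presented
        return False
    got = fingerprint(der_cert)
    # Accept pins written as "AB:CD:..." (openssl style) or plain hex.
    return any(hmac.compare_digest(got, p.replace(":", "").lower())
               for p in pinned)


def server_context(certfile, keyfile, client_certs_pem) -> ssl.SSLContext:
    """TLS server context that refuses handshakes without a client cert."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile, keyfile)
    ctx.verify_mode = ssl.CERT_REQUIRED
    # Assumption: the pinned (possibly self-signed) client certificates are
    # loaded as trust anchors so the handshake can complete; the fingerprint
    # check below then narrows acceptance to those exact certificates.
    ctx.load_verify_locations(cafile=client_certs_pem)
    return ctx


def authorise_peer(tls_sock, pinned=PINNED) -> bool:
    """Call after the handshake, before reading any RPC request."""
    return is_pinned(tls_sock.getpeercert(binary_form=True), pinned)
```

Run `authorise_peer()` on every accepted connection and close the socket when it returns False; rotating the front end's certificate then means updating the pinned set on the service.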
Jeremy Kerr
2014-09-11 02:53:24 UTC
Hi Jeff,
Post by jm
Are there any RPC protocols out there that have
authentication/authorisation built in? It seems to have been overlooked
in every one I've looked at. I'm using python to write some middleware
to sit between a django front end on one server and a privileged service
on another, exposing a limited set of functionality.
Sounds like what we've done in patchwork (a django application). There's
an XMLRPC interface which can be used to query the patch database.
Updates are allowed, from authorised users, by using HTTP Basic auth.

Server side XMLRPC views:

http://git.ozlabs.org/?p=patchwork;a=blob;f=apps/patchwork/views/xmlrpc.py;h=ca84c94cdc7c3d1f21c4577a731db9a4a4292083;hb=HEAD

- the dispatcher does authentication, if the view requires it

Client side:

http://git.ozlabs.org/?p=patchwork;a=blob;f=apps/patchwork/bin/pwclient;h=64c6817e570004b3693329790f173b4ff15a1b9e;hb=HEAD#l83

- which provides a new XMLRPC transport that supports Basic auth.

There's probably a much neater way of doing this, but it works.

Hope this helps,


Jeremy
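
The pattern described above (a dispatcher that authenticates only when the method requires it), extended with a per-user method allow-list to cover the original question. This is an added example, not patchwork's code; the user table, method names and fault codes are constructed for illustration.

```python
import base64
import hashlib
import hmac
import xmlrpc.client


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample data: salted password hashes and per-user permissions.
USERS = {"frontend": (b"salt-1", _hash("constructed-secret", b"salt-1"))}
ALLOWED = {"frontend": {"service.status"}}   # methods each user may call
PUBLIC = {"system.ping"}                     # callable without credentials
METHODS = {"system.ping": lambda: "pong",
           "service.status": lambda name: f"{name}: running",
           "service.restart": lambda name: f"{name}: restarted"}


def authenticate(auth_header):
    """Return the user name for a valid 'Basic ...' header, else None."""
    try:
        scheme, blob = auth_header.split(None, 1)
        decoded = base64.b64decode(blob, validate=True).decode()
    except (AttributeError, ValueError):     # missing or malformed header
        return None
    user, _, password = decoded.partition(":")
    salt, stored = USERS.get(user, (b"none", b""))
    ok = hmac.compare_digest(_hash(password, salt), stored)
    return user if scheme.lower() == "basic" and ok else None


def _fault(code: int, text: str) -> bytes:
    fault = xmlrpc.client.Fault(code, text)
    return xmlrpc.client.dumps(fault, methodresponse=True).encode()


def dispatch(body: bytes, auth_header=None) -> bytes:
    """Handle one XML-RPC request body and return the response body."""
    params, method = xmlrpc.client.loads(body)
    if method not in PUBLIC:                 # deny by default
        user = authenticate(auth_header)
        if user is None:
            return _fault(401, "authentication required")
        if method not in ALLOWED.get(user, ()):
            return _fault(403, "method not permitted for this user")
    result = METHODS[method](*params)
    return xmlrpc.client.dumps((result,), methodresponse=True).encode()
```

Basic credentials are only base64-encoded on the wire, so this belongs behind the TLS transport mentioned earlier in the thread.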
jm
2014-09-12 01:50:01 UTC
It's taken me longer to reply than intended. I'll go through these and
see what works best.

Thanks to those that replied.

Jeff.
Post by Jeremy Kerr
Hi Jeff,
Post by jm
Are there any RPC protocols out there that have
authentication/authorisation built in? It seems to have been overlooked
in every one I've looked at. I'm using python to write some middleware
to sit between a django front end on one server and a privileged service
on another, exposing a limited set of functionality.
Sounds like what we've done in patchwork (a django application). There's
an XMLRPC interface which can be used to query the patch database.
Updates are allowed, from authorised users, by using HTTP Basic auth.
http://git.ozlabs.org/?p=patchwork;a=blob;f=apps/patchwork/views/xmlrpc.py;h=ca84c94cdc7c3d1f21c4577a731db9a4a4292083;hb=HEAD
- the dispatcher does authentication, if the view requires it
http://git.ozlabs.org/?p=patchwork;a=blob;f=apps/patchwork/bin/pwclient;h=64c6817e570004b3693329790f173b4ff15a1b9e;hb=HEAD#l83
- which provides a new XMLRPC transport that supports Basic auth.
There's probably a much neater way of doing this, but it works.
Hope this helps,
Jeremy