Django should I manage users in a separate django-app? - django

In Django 2.2, if I plan to make authentication its own service in the future and serve requests through DRF, should I put my User model in a separate app from my regular "functional apps and models"?
There's no way each app should contain its own implementation of auth, right?
UPDATE: I ultimately plan to use Keycloak for auth so that I can easily SSO.
Project_Root
|--app_access
|--app_shipper
|--app_cleaner

Absolutely.
If you use the default Django authentication, you will notice that Permission, Group, User models are grouped together in one app.

Related

Django Project with TWO frontend Vue3 apps

Django project has two apps. Customers & Operations.
I want to separate access to the apps with separated front ends. The user authorization strategy I will follow to achieve this is where I am stuck. My research is advising against two user models. And I recently found out about Proxy models.
I need opinions on best approach for above requirement.
The access link requirements are, e.g.:
app1 customers.example.com
app2 operations.example.com
Customers will have its own set of users and authorization.
Operations will have its own set of users and authorization.
Operations app will create Customers[eg Cust_X, Cust_Y].
Cust_X will have users[eg User_X1, User_X2]
Cust_Y will have users[eg User_Y1, User_Y2]

Using a django app as a central authentication system to other django apps

(I am relatively new to Django, so sorry if I was misunderstanding anything ^^")
So let's say I have app1 and app2, and I want to implement the same groups, roles and permissions through these two apps by only having one database.
My idea was to create a central back end server that the two apps authenticate through and grab the roles from. Essentially this can be used for SSO (single sign-on) later, but for now the target is to authenticate the user logging in through one app and get his roles and groups from there.
In the Django documentation I found "Authentication using REMOTE_USER":
which should allow me to do remote authentication (which is my target). I was able to make it run, but how am I supposed to give it the link of the Django authentication server?
My understanding is that after setting this remote user authentication, all groups, roles and permission checks don't need to be changed, since Django should have access to the remote server that it authenticates through.
I hope that I wasn't misunderstanding the "Authentication using REMOTE_USER" concept.
Also, if there are any other ideas on how to implement this, please let me know.
Thank you !
Sounds like REMOTE_USER is NOT what you're expecting it to be: when Django is configured to use this functionality, it foregoes Django's typical security, because it expects a web server situated in front of Django (e.g. APACHE or NGINX) to do user authorization on its behalf. In a nutshell, the web server passes along the user's id in every request it sends to Django in the REMOTE_USER header.
Your expectations, on the other hand, seem directed at configuring a common Django app to authorize and authenticate users for other apps. This is a common configuration, and is effected by several steps, including these three:
(1) Adding the other apps to the INSTALLED_APPS list in the common app's settings.py. For example:
INSTALLED_APPS = [
    ...
    'app1',
    'app2',
]
(2) Include the apps' URLconfs in the common api urls.py, for example:
from django.urls import include, path

urlpatterns = [
    path('app1/', include('app1.urls')),
    path('app2/', include('app2.urls')),
]
(3) Run python manage.py migrate in order to create the database tables for the two apps.
You'll probably have to fuss with your urls in the common app more than what I've sketched out above; and you might add a middleware to prevent unauthorized requests from getting any access until authenticated.
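The middleware the answer mentions, as an added example that is not part of the answer above: a deny-by-default middleware in Django's middleware style, which redirects any unauthenticated request to the login page unless the path is on an explicit public allowlist. Django itself is not imported so the block runs stand-alone; the Request, Response and User classes are minimal stand-ins for HttpRequest, HttpResponse and the auth user, and LOGIN_URL and PUBLIC_PREFIXES are assumed values.

```python
# Added example: deny-by-default login-required middleware (not from the answer).
# Django is not imported; the small dataclasses below stand in for HttpRequest,
# HttpResponse and request.user so the logic can run without a project.
from dataclasses import dataclass, field
from urllib.parse import urlencode

LOGIN_URL = "/accounts/login/"  # assumption: mirrors settings.LOGIN_URL
# Paths reachable without a session. Every entry ends with "/" so that a
# prefix like "/health/" cannot accidentally cover "/healthcheck-admin/".
PUBLIC_PREFIXES = ("/accounts/login/", "/static/", "/health/")


@dataclass
class User:
    is_authenticated: bool = False


@dataclass
class Request:
    path: str
    user: User = field(default_factory=User)


@dataclass
class Response:
    status_code: int = 200
    headers: dict = field(default_factory=dict)


class LoginRequiredMiddleware:
    """Reject every request from an unauthenticated user unless the path is
    explicitly public. In a real project this goes in MIDDLEWARE after
    AuthenticationMiddleware, which is what populates request.user."""

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        if not request.user.is_authenticated and not self.is_public(request.path):
            # Send the user to the login page and remember where they wanted to go.
            target = f"{LOGIN_URL}?{urlencode({'next': request.path})}"
            return Response(status_code=302, headers={"Location": target})
        return self.get_response(request)

    @staticmethod
    def is_public(path: str) -> bool:
        return any(path.startswith(prefix) for prefix in PUBLIC_PREFIXES)


def protected_view(request):
    """Stand-in for any app view behind the middleware."""
    return Response(status_code=200)


def handle(path: str, authenticated: bool = False) -> Response:
    """Run one request through the middleware chain and return the response."""
    middleware = LoginRequiredMiddleware(protected_view)
    return middleware(Request(path=path, user=User(is_authenticated=authenticated)))
```

Because the allowlist is checked by prefix, keep it short and make every entry a complete path segment; a bare "/health" would also expose anything that merely starts with those letters.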

django frontend and backend separation for security

I have written a web app in Django with the usual Django project structure. At my company, they want to separate front end and backend on different servers. The frontend server will have internet access and the backend will have a strong firewall and no net access. What I understand from this concept is, they want to separate the back-end (views.py) from the Django project to a shared folder (shared with the back-end server). Is it possible to separate the views.py file to a different folder and then import it into the project?
Also another question on the same topic. Does Django have good security, or are security ideas like this required to protect against hacking? What measures should I take to ensure my backend is protected against hacking if I can't separate the backend? (I have already implemented LDAP authentication, am using CSRF tokens, and all pages are protected by @login_required)
What you can do is create two projects, one for serving your "front end" with a disabled admin (simply remove the 'admin' in your project's urls.py) and another one for managing the django admin and only accessible from inside your company's network.
Make them share the same database, where the database server should only be accessible from within your company's network as well. Be sure to create the models in only one app, preferably in the front end app, as you might want to have user input handled by django forms.
Register the "front-end" app models in the "back-end" project via the admin.py in the "back end" app. That should allow you to access the data stored in the db.
When it comes to third party apps and plugins be sure to check their urls.py (and disable the admin in case), models.py and admin.py in order to implement it in your "back-end".
Hope that helps!

How to authenticate against Django from Drupal?

I have a medium sized Drupal 6 site running (around 5 million page views per month and more than 30K registered users) and I need to integrate OSQA, a Django application, with it. I already have many users, roles and permissions in my Drupal database and I'd like to point the Django app to use the sign up and login pages I already have in Drupal to give my users a single point on entrance.
I want to keep the Django authentication part because I think OSQA would work better. I also have performance reasons in mind, the Drupal site already gets a lot of traffic and has a very busy database and I think that using a separate database for Django would help.
After some research I think I could make the Drupal sign up and login pages call Django in the background to sign up or log in to the Django app. I plan to do this by writing a couple of views in Django, one for sign up and another for login, and Drupal would post the username and password to those views. Of course I'd need to disable CSRF in Django for those views and probably also post some secret key that only my Drupal and Django applications know about, to avoid external sites trying to use these "unprotected" Django views.
I know that my Django application may need some user data from Drupal at some points and I'm planning on using the Drupal services module for that.
Would this be a good approach? Any suggestions?
Thanks a lot!
Are there any plugins for OSQA to expose an authentication service that Drupal can talk to? (OpenID or similar).
Alternatively, check out Drupal's ldap_integration module for an example of a module that uses an external authentication service. Consider that you will need to create Drupal user accounts for each login.
Finally, why not just build the essential parts of OSQA's functionality with Drupal? Seems like the key functionality could be replicated quite easily using Taxonomy, Vote Up and Userpoints/User Badges... potentially easier to do than shared authentication, especially on a large site.
I once created a very simple sql_authentication module, which you can probably simply re-create for a more recent version of Drupal.
The idea is simple: provide Drupal with an alternative authentication callback.
In that callback-function, just check against the Django database, and return TRUE if you think the user is correct.
You could look at how openid.module (in core) extends the user-authentication for a simple example.
If you can post to the Django form, you may be able to use drupal_http_request to handle the call to Django. After using the ldap_integration module for a while, I worked on a custom authentication module that calls a Java-based REST authentication API using drupal_http_request. If you're interested in the code, let me know.

Different authentication backend for the django admin

What would be the best solution to use a different authentication backend for the Django admin site?
See the documentation, which contains this quote:
The Django admin system is tightly coupled to the Django User object described at the beginning of this document. For now, the best way to deal with this is to create a Django User object for each user that exists for your backend (e.g., in your LDAP directory, your external SQL database, etc.) You can either write a script to do this in advance, or your authenticate method can do it the first time a user logs in.
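The "authenticate method can do it the first time a user logs in" option from the quoted documentation, as an added example that is not part of the documentation or the answer: a custom backend that checks credentials against an external source and provisions the local User record only after that check succeeds. To keep it runnable without Django, the user table is an in-memory UserStore and the external check is an injected callable; in a real project the class would subclass django.contrib.auth.backends.BaseBackend and UserStore would be get_user_model().objects. LocalUser, UserStore and ExternalBackend are names chosen for this example.

```python
# Added example: just-in-time provisioning in a custom authentication backend.
# Django is not imported; LocalUser/UserStore stand in for the User model and
# its manager, and `verify` stands in for an LDAP bind or external SQL check.
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class LocalUser:
    """Stand-in for django.contrib.auth.models.User."""
    id: int
    username: str
    is_active: bool = True
    has_usable_password: bool = False  # external users never get a local password


class UserStore:
    """Minimal get_or_create / get over a dict, mimicking the User manager."""

    def __init__(self):
        self._by_name: dict[str, LocalUser] = {}

    def get_or_create(self, username: str) -> tuple[LocalUser, bool]:
        user = self._by_name.get(username)
        if user is not None:
            return user, False
        user = LocalUser(id=len(self._by_name) + 1, username=username)
        self._by_name[username] = user
        return user, True

    def get(self, user_id: int) -> Optional[LocalUser]:
        return next((u for u in self._by_name.values() if u.id == user_id), None)

    def count(self) -> int:
        return len(self._by_name)


class ExternalBackend:
    """Same method signatures Django's authentication backends use."""

    def __init__(self, verify: Callable[[str, str], bool], store: UserStore):
        self.verify = verify  # external credential check, injected
        self.store = store

    def authenticate(self, request, username=None, password=None) -> Optional[LocalUser]:
        if not username or not password:
            return None
        # Normalise before lookup so "Alice" and "alice" cannot become two accounts.
        username = username.strip().lower()
        # Consult the external source FIRST: a failed login must never create
        # a local record, or an attacker could fill the table with junk users.
        if not self.verify(username, password):
            return None
        user, created = self.store.get_or_create(username)
        # A locally disabled account stays disabled even if the external
        # source still accepts the credentials.
        if not user.is_active:
            return None
        return user

    def get_user(self, user_id: int) -> Optional[LocalUser]:
        """Called by Django on every request to turn the session's user id back
        into a user object; None signals an anonymous session."""
        return self.store.get(user_id)
```

The local record is created with no usable password, so a user who is later removed from the external directory cannot keep logging in through the default ModelBackend; the only credential that counts is the external one.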