This is a very rough implementation of a Django backend using Atlassian Crowd's REST API. See Atlassian documentation for more information on this API.
This is a fork of the original implementation, https://github.com/Linaro/django-crowd-rest-backend, with various improvements:
- Letting users stay superusers or staff
- Fixing Django > 1.10 compatibility issues
- Removing an unnecessary model change
- Various code improvements (PEP8, etc.)
- Connect to an Atlassian Crowd server
- Authenticate given user by password
- Sync Django user instance with attributes from Crowd user
- Setup Django user staff/superuser flags based on associated Crowd groups of user
- Synchronization of groups from Crowd
- SuperUser and Staff groups handling
- HTTPS certificate validation when connecting to secure Crowd URL
- No handling of SSO cookie
No dependencies outside of Django and Python.
- Edit `settings.py` to add the `crowdrest` app to your list of apps.
- Adapt the configuration settings for `crowdrest` in `settings.py` using the attributes detailed below.
- `AUTH_CROWD_ALWAYS_UPDATE_USER` indicates whether you want to sync Django users from Crowd attributes:

  ```python
  # Defaults to True
  AUTH_CROWD_ALWAYS_UPDATE_USER = True
  ```

- `AUTH_CROWD_ALWAYS_UPDATE_GROUPS` indicates whether you want to sync Django groups from Crowd groups:

  ```python
  # Defaults to True
  AUTH_CROWD_ALWAYS_UPDATE_GROUPS = True
  ```

  If you use any form of group-based authorization/permission checking, you'd rather have this as `True` (default). In particular, the `AUTH_CROWD_STAFF_GROUP` and `AUTH_CROWD_SUPERUSER_GROUP` settings depend on this.

- `AUTH_CROWD_CREATE_GROUPS` indicates whether you want to sync all of the user's Crowd groups into Django:

  ```python
  # Defaults to False
  AUTH_CROWD_CREATE_GROUPS = False
  ```

  This setting is considered only if `AUTH_CROWD_ALWAYS_UPDATE_GROUPS = True`.

  - If this is `True`, then all of the user's groups in Crowd will be synced to Django (so, effectively, you'll be able to check Crowd group memberships using the Django API).
  - If set to `False` (default), no groups will be created by the backend, and only groups already existing in Django will be considered (i.e. user group membership in Django will be updated to the intersection of the user's Crowd groups and all available Django groups).

  You'd rather have this as `True`. In particular, the `AUTH_CROWD_STAFF_GROUP` and `AUTH_CROWD_SUPERUSER_GROUP` settings depend on this.
- `AUTH_CROWD_STAFF_GROUP`: the Django user will get the `staff` flag when the Crowd user is in the given Crowd group:

  ```python
  # Defaults to None
  AUTH_CROWD_STAFF_GROUP = 'staff'
  ```

- `AUTH_CROWD_SUPERUSER_GROUP`: the Django user will get the `superuser` flag when the Crowd user is in the given Crowd group:

  ```python
  # Defaults to None
  AUTH_CROWD_SUPERUSER_GROUP = 'superuser'
  ```

  Note that superuser group membership does not imply staff membership and vice versa (make sure you read the Django docs to understand the difference).

- `AUTH_CROWD_ALWAYS_UPDATE_SUPERUSER_STAFF_STATUS` indicates whether you want the `superuser` and `staff` flags to be overridden at every login:

  ```python
  # Defaults to False
  AUTH_CROWD_ALWAYS_UPDATE_SUPERUSER_STAFF_STATUS = False
  ```

  If set to `True`, the authentication backend will check whether the user belongs to the groups in `AUTH_CROWD_STAFF_GROUP` and/or `AUTH_CROWD_SUPERUSER_GROUP` and will update the user accordingly, always. This overrides the corresponding properties of the User, even if the User was set to, e.g., Staff from the Django Admin interface. Set this option to `False` if those properties should not be overridden.

  At first login (when the User is created in Django after the first successful login) the `staff` and `superuser` flags are set according to `AUTH_CROWD_STAFF_GROUP` and `AUTH_CROWD_SUPERUSER_GROUP` respectively, if those exist.
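- `AUTH_CROWD_APPLICATION_USER` and `AUTH_CROWD_APPLICATION_PASSWORD`: Crowdrest will use this username and password to connect to the Crowd server:

  ```python
  AUTH_CROWD_APPLICATION_USER = 'django'
  AUTH_CROWD_APPLICATION_PASSWORD = 'django'
  ```

- `AUTH_CROWD_SERVER_REST_URI`: URL to the Crowd REST API:

  ```python
  AUTH_CROWD_SERVER_REST_URI = 'http://127.0.0.1:8095/crowd/rest/usermanagement/latest'
  ```

- `AUTH_CROWD_SERVER_TRUSTED_ROOT_CERTS_FILE`: use the given certificate file to validate the HTTPS connection to the Crowd server:

  ```python
  AUTH_CROWD_SERVER_TRUSTED_ROOT_CERTS_FILE = None
  ```
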
HTTPS certificate validation uses VerifiedHTTPS tweak.
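
The settings above interact in ways that matter for privilege handling and transport security. The following audit helper is an added example, not part of this project's code: it checks a dict of `AUTH_CROWD_*` settings for those combinations. The finding codes, the loopback exemption, the host name, the CA path and the secret are assumptions of the example.

```python
from urllib.parse import urlparse


def audit_crowd_settings(conf):
    """Return (code, message) findings; missing keys use the documented defaults."""
    def get(name, default=None):
        return conf.get("AUTH_CROWD_" + name, default)
    out = []
    uri = urlparse(get("SERVER_REST_URI") or "")
    # Choice made for this example: plain HTTP is tolerated only on loopback.
    if uri.scheme != "https" and uri.hostname not in ("127.0.0.1", "::1", "localhost"):
        out.append(("PLAINTEXT", "application and user passwords cross the network unencrypted"))
    # Assumption: without a roots file the server certificate is not validated.
    if uri.scheme == "https" and not get("SERVER_TRUSTED_ROOT_CERTS_FILE"):
        out.append(("NO_ROOTS", "https URI but no trusted root certs file"))
    if get("APPLICATION_PASSWORD") in (None, "", "django", get("APPLICATION_USER")):
        out.append(("WEAK_APP_PASSWORD", "password is empty, the sample value, or the username"))
    privileged = get("STAFF_GROUP") or get("SUPERUSER_GROUP")
    if privileged and not get("ALWAYS_UPDATE_GROUPS", True):
        out.append(("GROUP_SYNC_OFF", "staff/superuser groups depend on group sync"))
    if privileged and not get("ALWAYS_UPDATE_SUPERUSER_STAFF_STATUS", False):
        out.append(("STALE_FLAGS", "flags from first login survive removal from the Crowd group"))
    return out


def codes(conf):
    """Finding codes only, in check order."""
    return [code for code, _ in audit_crowd_settings(conf)]


# Constructed inputs: the sample values from this page, then a hardened variant
# (host name, CA path and secret are placeholders).
PAGE_SAMPLE = {
    "AUTH_CROWD_APPLICATION_USER": "django",
    "AUTH_CROWD_APPLICATION_PASSWORD": "django",
    "AUTH_CROWD_SERVER_REST_URI": "http://127.0.0.1:8095/crowd/rest/usermanagement/latest",
    "AUTH_CROWD_STAFF_GROUP": "staff",
    "AUTH_CROWD_SUPERUSER_GROUP": "superuser",
}
HARDENED = {
    **PAGE_SAMPLE,
    "AUTH_CROWD_APPLICATION_PASSWORD": "<long-random-secret>",
    "AUTH_CROWD_SERVER_REST_URI": "https://crowd.example.internal/crowd/rest/usermanagement/latest",
    "AUTH_CROWD_SERVER_TRUSTED_ROOT_CERTS_FILE": "/path/to/internal-ca.pem",
    "AUTH_CROWD_ALWAYS_UPDATE_SUPERUSER_STAFF_STATUS": True,
}

if __name__ == "__main__":
    print(codes(PAGE_SAMPLE), codes(HARDENED))
```

Clearing `STALE_FLAGS` by setting `AUTH_CROWD_ALWAYS_UPDATE_SUPERUSER_STAFF_STATUS = True` also overrides flags granted by hand in the Django Admin, as described above, so choose it only when Crowd is meant to be the single source of truth for privileges.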
Use this code as you want. Consider it free. Say thank you. Don't blame me if it doesn't work for you.