CKAN ckanext-security Redis and CSRF errors #22
Comments
Hi @wild276 can you tell us which version of CKAN you are running please? We've mostly used this module with 2.6.x and 2.7.x.
Hi @camfindlay I'm running on v2.8. I did some more digging. The error I'm seeing on the front end is generated in the security/middleware.py file (relevant code below). This would suggest there is a problem with the beaker.session in the environment. I saw you've called that out in the README, but I'm almost certain I've installed the patch correctly. Again, I'm not sure if this is related to the redis connection not working properly.
Hi @wild276 I've seen this problem on a fresh 2.8 install. We've primarily used this module for 2.7.x. I started to trace the bug back through the middleware layer of CKAN; as far as I can tell, I "think" it may be to do with how the underlying Pylons Python framework is passing session information into the Flask framework (now that CKAN is somewhere in between those 2 frameworks at present). You'll see here that there is a middleware class for each; this extension provides a patch for the Pylons layer only. https://github.com/ckan/ckan/tree/ckan-2.8.2/ckan/config/middleware As for a fix, we haven't yet upgraded our CKAN install to 2.8, so we haven't addressed this extension. I'd be grateful if someone had a crack at it and provided a PR. At this stage, we can probably say this module isn't 2.8.x compatible just yet (at least I haven't been able to get it to work).
Thanks for confirming @camfindlay.
Absolutely. We're actually quite keen to see some of this stuff in CKAN core if at all possible; we did start some work to this effect. See #2
See our new proposed way of doing CSRF, which we'll look to make a tagged release of soon: #24
As per Cam's comment, we have tagged release 1.1.0, which changes the method of CSRF and no longer uses Redis for storing the token: https://github.com/data-govt-nz/ckanext-security/releases/tag/1.1.0
I'm trying to install the ckanext-security and I'm hitting a couple of issues.
I've completed the readme.md instructions, but I hit a 404 internal server error with the recommended settings. When I check the Apache logs, the description is as follows:
"Connection Error: Error 111 connecting to 127.0.0.1:6739. Connection refused."
It appears to be related to this line from the .ini file: beaker.session.type = redis. I've run the command redis-cli ping and the Redis instance seems to be up and running.
The only fix (and I can't prove that it has worked properly) is if I update from beaker.session.type = redis to beaker.session.type = ext:redis. Can someone verify this?
Using the approach above, I can get past the 404 internal server error. However, when I then try to log in to an existing user account, I get "403 Forbidden Access was denied to this resource. CSRF authentication failed. Token missing or invalid." from the front end.
I've checked the Apache logs for the 403 error, and there's nothing in there. I can create a new account and remain logged in, but when I log out and log back in, the 403 error reappears.
Can anyone help?
I've pasted the .ini settings I'm using below:
```ini
ckanext.security.domain = http://localhost:5000
ckanext.security.redis.host = 127.0.0.1
ckanext.security.redis.port = 6379
ckanext.security.redis.db = 1
beaker.session.key = ckan_session
beaker.session.secret = Changed-for-GitHub-post
beaker.session.data_serializer = json
beaker.session.httponly = true
beaker.session.secure = true
beaker.session.timeout = 3600
beaker.session.save_accessed_time = true
beaker.session.type = ext:redis
beaker.session.url = 127.0.0.1:6739
beaker.session.cookie_expires = true
beaker.session.cookie_domain = http://localhost:5000
# 15 minute timeout with 10 attempts
ckanext.security.lock_timeout = 900
# Login throttling lock period
ckanext.security.login_max_count = 10
# Login throttling attempt limit
```
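A small configuration check for the settings above, added here as an example and not taken from ckanext-security, CKAN or the poster: it flags a `beaker.session.url` whose host:port differs from `ckanext.security.redis.host`/`port` (the pasted settings say 6739 in one place and 6379 in the other, and the quoted connection error names 6739), and a `beaker.session.cookie_domain` that carries a scheme or port, which is not a valid cookie Domain attribute. The sample input is a constructed, trimmed copy of the pasted settings.

```python
"""Sanity-check ckanext-security / beaker session settings (added example,
not part of ckanext-security or CKAN). Two misconfigurations are reported:
  * beaker.session.url pointing at a different host:port than
    ckanext.security.redis.host/port (the thread's 6739 vs 6379 mix-up);
  * beaker.session.cookie_domain carrying a scheme or port, which is not a
    valid cookie Domain attribute.
"""

# Constructed sample: the settings pasted in the issue, trimmed.
SAMPLE_INI = """
ckanext.security.domain = http://localhost:5000
ckanext.security.redis.host = 127.0.0.1
ckanext.security.redis.port = 6379
beaker.session.type = ext:redis
beaker.session.url = 127.0.0.1:6739
beaker.session.cookie_domain = http://localhost:5000
# 15 minute timeout with 10 attempts
ckanext.security.lock_timeout = 900
"""


def parse_ini_fragment(text):
    """Return {key: value} for `key = value` lines, skipping comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def check_session_settings(settings):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    url = settings.get("beaker.session.url", "")
    host, _, port = url.rpartition(":")
    expected = (settings.get("ckanext.security.redis.host"),
                settings.get("ckanext.security.redis.port"))
    if (host, port) != expected:
        findings.append("beaker.session.url %s does not match "
                        "ckanext.security.redis host/port %s:%s"
                        % ((url,) + expected))
    domain = settings.get("beaker.session.cookie_domain", "")
    if "://" in domain or ":" in domain or "/" in domain:
        findings.append("beaker.session.cookie_domain %r must be a bare "
                        "host name (no scheme, port or path)" % domain)
    return findings
```

Run it against your own .ini fragment by passing the text to `parse_ini_fragment` and then to `check_session_settings`; no findings means the two Redis addresses agree and the cookie domain is a plain host name.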