4. You are in a maze of twisty little webapps, all alike.
• Munin
• Icinga
• Resque-Web
• Jenkins
• Rundeck
• Logstash
• Graphite
• …
Multiple servers, same users
5. How to authenticate?
• HTTP auth? – Awful UX & UI. Syncing passwords is tricky.
• LDAP? – No. Just no.
• OpenID? – Dependency on a new third party, frequent callbacks, slow, inconvenient.
• FreeIPA? – Overkill.
6. GodAuth
• https://github.com/exflickr/GodAuth
• A mod_perl module shared by Flickr
• Shared cookie, HMAC-signed with a shared secret
• Clunky, manual installation & setup
• Badly needed a rewrite
8. Odin Authenticator
The badly needed rewrite of GodAuth
http://ginzamarkets.github.com/odin_authenticator/
9. General setup
• Individual services under single domain (something.i.yourdomain.com)
• Domain root (i.yourdomain.com) serves the authenticator, which sets the cookie
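Added example, not code from GodAuth or Odin Authenticator: the shared-cookie scheme from slides 6 and 9 in Python, with the authenticator signing a cookie scoped to the parent domain and each service verifying it with the same secret. The cookie layout, the secret, the cookie name `auth`, the lifetime and all function names are assumptions; the slides do not specify Odin's actual format.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for illustration; not taken from Odin or GodAuth.
SHARED_SECRET = b"constructed-demo-secret-not-for-production"
COOKIE_DOMAIN = ".i.yourdomain.com"  # parent domain named on the slide
MAX_AGE = 8 * 3600                   # assumed session lifetime in seconds

def b64e(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mac_of(payload):
    return hmac.new(SHARED_SECRET, payload, hashlib.sha256).digest()

def issue_cookie(user, now=None):
    """Authenticator side: runs at the domain root after a successful login."""
    now = time.time() if now is None else now
    payload = json.dumps({"u": user, "exp": int(now) + MAX_AGE}).encode()
    return b64e(payload) + "." + b64e(mac_of(payload))

def set_cookie_header(value):
    """Scope the cookie to every service under the shared parent domain."""
    return ("Set-Cookie: auth=%s; Domain=%s; Path=/; Max-Age=%d; "
            "Secure; HttpOnly; SameSite=Lax" % (value, COOKIE_DOMAIN, MAX_AGE))

def verify_cookie(value, now=None):
    """Service side: return the user name, or None if the cookie is rejected."""
    now = time.time() if now is None else now
    try:
        payload_b64, mac_b64 = value.split(".")
        payload, mac = b64d(payload_b64), b64d(mac_b64)
    except ValueError:  # wrong number of parts or undecodable base64
        return None
    # Verify the MAC before parsing; compare_digest runs in constant time.
    if not hmac.compare_digest(mac, mac_of(payload)):
        return None
    claims = json.loads(payload)
    if claims["exp"] < now:  # signed expiry bounds the life of a stolen cookie
        return None
    return claims["u"]
```

Every service holding the shared secret can also mint cookies, so one compromised host exposes the whole domain.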
12. Odin Authorizer App
• ginzamarkets/App-OdinAuthorizer on GitHub
• Perl Dancer webapp that calls out to Google Apps for Domains to authenticate and sets the signed cookie if successful
• Simple & basic – no user roles, single configured valid domain
13. Odin Authorizer App
1. hub clone ginzamarkets/App-OdinAuthorizer
2. perl Build.pl
   ./Build installdeps
3. ./bin/app.pl
Use Apache, mod_perl, and http://plackperl.org/ for real deployment
16. • Move Apache handler config into httpd.conf
• Make authorizer webapp more flexible
• Different sources of identity
• Multi-factor authentication
• RBAC
• More eyeballs on the crypto stuff