I'm having trouble using mod_authz_dbd in Apache to do access control with:
Require dbd-group
I have an Apache reverse proxy that must do authentication and authorization to let users access their projects. Projects need an HTTP header containing the group for role-based access control. Currently I would like to authorize users if they have a valid group for a project. I use the following MySQL database with my Apache server:
 ______________      _________________      __________________
| User         |    | User's project  |    | Project          |
|--------------|    |-----------------|    |------------------|
|PK | id       |_   |PK | id          |   _|PK | id           |
|   | username | \_ |FK | user_id     |  / |   | url          |
|   | password |    |FK | project_id  |_/  |   | project name |
|______________|    |   | group       |    |__________________|
                    |_________________|
The project URL is a relative URL like "/foo".
Each user can work on several projects and can have a different group for each. Groups are per project and can take three values:
- admin
- pm for the project manager
- dev for the developers
To implement this, I wrote the following in my configuration file:
# Get relative url in environment variable.
RewriteRule (.*) - [E=TARGET_URL:$1]
Require dbd-group "admin"
Require dbd-group "pm"
Require dbd-group "dev"
AuthzDBDQuery "SELECT group FROM user, project, users_project WHERE username = %s AND url='%{TARGET_URL}e' AND project.id = users_project.project_id AND user.id = users_project.user_id"
# Here set the group but how ?
RequestHeader set "X-Forwarded-Groups" "group"
But I have two problems:
First, using environment variables in the SQL query does not work. So how can I write a query with the username and URL as parameters in AuthzDBDQuery?
Second, how do I get the group from the AuthzDBDQuery to set it in the HTTP header?
I also tried a RewriteMap with dbd and then with prg using a Python script, but hit the same problem: I did not find how to pass two parameters.
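
As an added example (not part of the original question and not Apache's own code), the following shows a lookup program for a `RewriteMap` `prg:` map that receives both values in a single key and binds them as SQL parameters instead of splicing them into the query text. Assumptions: the key format `username|/url`, the function names, and an in-memory SQLite database with constructed rows standing in for the MySQL schema above.

```python
import sqlite3
import sys

SEP = "|"                        # assumed key separator; must not occur in usernames
GROUPS = {"admin", "pm", "dev"}  # the three per-project groups from the question
QUERY = """SELECT up."group" FROM user u
           JOIN users_project up ON up.user_id = u.id
           JOIN project p ON p.id = up.project_id
           WHERE u.username = ? AND p.url = ?"""

def demo_db():
    """Constructed sample rows in in-memory SQLite, standing in for the MySQL schema."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE project (id INTEGER PRIMARY KEY, url TEXT, name TEXT);
        CREATE TABLE users_project (id INTEGER PRIMARY KEY, user_id INTEGER,
                                    project_id INTEGER, "group" TEXT);
        INSERT INTO user VALUES (1, 'alice', 'x'), (2, 'bob', 'x');
        INSERT INTO project VALUES (1, '/foo', 'Foo'), (2, '/bar', 'Bar');
        INSERT INTO users_project VALUES (1, 1, 1, 'admin'), (2, 1, 2, 'dev'),
                                         (3, 2, 1, 'pm');
    """)
    return db

def lookup(db, key):
    """Map 'username|/url' to a group, or 'NULL' (RewriteMap's no-match value)."""
    user, sep, url = key.rstrip("\r\n").partition(SEP)
    if not sep or not user or not url.startswith("/"):
        return "NULL"
    # Both values are bound parameters, never spliced into the SQL text.
    row = db.execute(QUERY, (user, url)).fetchone()
    return row[0] if row and row[0] in GROUPS else "NULL"

def serve(db, lines=sys.stdin, out=sys.stdout):
    """RewriteMap prg protocol: one key per input line, one value per output line."""
    for line in lines:
        out.write(lookup(db, line) + "\n")
        out.flush()  # Apache waits for each answer, so output must not be buffered

if __name__ == "__main__":
    serve(demo_db())
```

Whatever sets `X-Forwarded-Groups`, the proxy should first discard any copy of that header sent by the client, so the backend only ever sees the value the proxy derived.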