paste.auth.grantip – Set user and groups based on IP address

Grant roles and logins based on IP address.

Module Contents

class paste.auth.grantip.GrantIPMiddleware(app, ip_map, clobber_username=True)

On each request, ip_map is checked against REMOTE_ADDR and logins and roles are assigned based on that.

ip_map is a map of {ip_mask: (username, roles)}. Either username or roles may be None. Roles may also be prefixed with -, like '-system' meaning that role should be revoked. '__remove__' for a username will remove the username.

If clobber_username is true (default) then any user specification will override the current value of REMOTE_USER. '__remove__' will always clobber the username.

ip_mask is something that paste.util.ip4:IP4Range can parse. Simple IP addresses, IP/mask, ip<->ip ranges, and hostnames are allowed.

paste.auth.grantip.make_grantip(app, global_conf, clobber_username=False, **kw)

Grant roles or usernames based on IP addresses.

Config looks like this:

[filter:grant]
use = egg:Paste#grantip
clobber_username = true
# Give localhost system role (no username):
127.0.0.1 = -:system
# Give everyone in 192.168.0.* editor role:
192.168.0.0/24 = -:editor
# Give one IP the username joe:
192.168.0.7 = joe
# And one IP should not be logged in:
192.168.0.10 = __remove__:-editor
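
The rule semantics described above, as an added example that is not Paste's own code: a standard-library model applied to the rules from the config. It handles only single IPs and IP/mask entries (no ip<->ip ranges or hostnames). The names GrantIPModel, parse_rule and run are hypothetical, and storing roles as a comma-separated REMOTE_USER_TOKENS value is an assumption.

```python
import ipaddress

def parse_rule(value):
    """Split a config value such as '-:system' or 'joe' into (username, roles)."""
    username, _, roles = value.partition(':')
    username = None if username in ('', '-') else username
    return username, [r for r in roles.split(',') if r and r != '-']

class GrantIPModel:
    """Model of the documented behaviour; not Paste's implementation."""

    def __init__(self, app, rules, clobber_username=True):
        self.app = app
        self.clobber_username = clobber_username
        self.rules = [(ipaddress.ip_network(mask, strict=False), parse_rule(v))
                      for mask, v in rules.items()]

    def __call__(self, environ, start_response):
        addr = ipaddress.ip_address(environ['REMOTE_ADDR'])
        # Assumption: roles live in a comma-separated REMOTE_USER_TOKENS key.
        roles = [r for r in environ.get('REMOTE_USER_TOKENS', '').split(',') if r]
        granted, remove_user = [], False
        for net, (username, rule_roles) in self.rules:
            if addr not in net:
                continue
            granted.extend(rule_roles)
            if username == '__remove__':
                remove_user = True  # always clobbers, whatever the flag says
            elif username and (self.clobber_username
                               or not environ.get('REMOTE_USER')):
                environ['REMOTE_USER'] = username
        for role in granted:  # additions first
            if not role.startswith('-') and role not in roles:
                roles.append(role)
        revoked = {r[1:] for r in granted if r.startswith('-')}
        roles = [r for r in roles if r not in revoked]  # then revocations
        if remove_user:
            environ.pop('REMOTE_USER', None)
        environ['REMOTE_USER_TOKENS'] = ','.join(roles)
        return self.app(environ, start_response)

# Constructed sample rules, copied from the config shown above.
RULES = {'127.0.0.1': '-:system', '192.168.0.0/24': '-:editor',
         '192.168.0.7': 'joe', '192.168.0.10': '__remove__:-editor'}

def run(remote_addr, clobber_username=True, **extra):
    """Send one constructed request through the model and return its environ."""
    environ = dict(REMOTE_ADDR=remote_addr, **extra)
    GrantIPModel(lambda env, sr: [], RULES, clobber_username)(environ, None)
    return environ
```

The only input to the decision is REMOTE_ADDR, so when the application sits behind a reverse proxy that value is the proxy's address and a rule such as 127.0.0.1 applies to every proxied request.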