Issue #1844
closed
pulp-admin --config and/or api_prefix option appears to be ignored
Description
Hi Folks,
This is a show-stopper problem for my AD / kerberos integration efforts I'm putting together for 2.9 documentation.
Because pulp-admin cannot work with kerberos tickets, a split authentication scheme must be used to allow both AD accounts and local pulp accounts to log into Pulp. The easiest way we have thought of to allow this is to have two different api paths via WSGIScriptAlias like so:
WSGIScriptAlias /pulp/api /usr/share/pulp/wsgi/webservices.wsgi
WSGIScriptAlias /pulp-local/api /usr/share/pulp/wsgi/webservices.wsgi
Then having a mod_auth_gssapi conf file to protect logins on the normal API path using AD auth:
<Location /pulp/api/v2/actions/login>
# Require TLS (nee SSL).
SSLRequireSSL
SSLOptions +StrictRequire
# Use GSSAPI authentication.
AuthType GSSAPI
AuthName "Pulp Login"
# For paranoia, make GSSAPI also require TLS.
GssapiSSLonly On
# Permit password-based authentication for clients that can't do Negotiate.
GssapiBasicAuth On
# Require a valid user.
require valid-user
</Location>
With these settings in place for Apache, a local login should be possible by using an alternate config file that contains the following api_prefix statement:
api_prefix: /pulp-local/api
...and pointing to the alternate config file via:
pulp-admin -v --config=/etc/pulp/admin/admin-local.conf login -u admin -p <some_password>
But this does not happen. Instead, the login command is posted to the normal api path as seen in the logs:
==> /var/log/httpd/ssl_access_log <==
10.xx.xx.xx - - [14/Apr/2016:10:22:47 0400] "POST /pulp/api/v2/actions/login/ HTTP/1.1" 401 451 "" "-"
Frustratingly, using strace it's apparent that the admin-client does in fact source the alternate config file, but it doesn't seem to accept the api_prefix option:
$ strace pulp-admin -v --config=/etc/pulp/admin/admin-local.conf login -u admin -p ---------------- 2>&1 | grep admin-local
open("/etc/pulp/admin/admin-local.conf", O_RDONLY) = 3
Because I don't know how to Python, I'm at a loss to figure out what is broken behind the curtain.
Updated by kfiresmith almost 7 years ago
While the above issue is annoying I've since figured out that I can at least use /root/.pulp/admin.conf's [auth] section to completely circumvent our apache mod_auth_gssapi protections for root in order to do all our automated pulp-admin functions, so this isn't quite the end of the world for us after all.
Of course in the long run we'd still like full GSSAPI goodness so that we can just have root use the host principal to interact with pulp via pulp-admin, but that's outside the scope of this bug by a mile.
Updated by amacdona@redhat.com almost 7 years ago
- Status changed from NEW to POST
- Assignee set to amacdona@redhat.com
After a brief investigation, it appears that the config option `api_prefix` was not being used.
I changed `/etc/pulp/admin/admin.conf` api_prefix, restarted, and made a pulp-admin request. It still went to the default prefix `pulp/api`.
Updated by mhrivnak almost 7 years ago
- Severity changed from 2. Medium to 1. Low
- Triaged changed from No to Yes
Updated by mhrivnak almost 7 years ago
- Has duplicate Issue #822: api_prefix in admin.conf doesn't work added
Added by Austin Macdonald almost 7 years ago
Use the api_prefix option from config
The config contains api_prefix, but it was not being utilized when initializing a PulpConnection.
closes #1844
Updated by Anonymous almost 7 years ago
- Status changed from POST to MODIFIED
- % Done changed from 0 to 100
Applied in changeset pulp|7a1bb0b5d59eb11528b2a53e3e41196f3bf2c1b0.
Updated by semyers over 6 years ago
- Status changed from MODIFIED to CLOSED - CURRENTRELEASE
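A regression check for the class of bug fixed in this issue, added here as an example; it is not Pulp's code. `Connection`, `connect_ignoring_prefix` and `connect_with_prefix` are hypothetical stand-ins for the client's connection setup, and the `[server]` section name and host value are assumptions.

```python
import configparser

DEFAULT_PREFIX = "/pulp/api"  # default path seen in the issue's access log

# Constructed sample config; the [server] section and host are assumptions.
SAMPLE_CONF = """
[server]
host: pulp.example.com
api_prefix: /pulp-local/api
"""


class Connection:
    """Hypothetical stand-in for the client's connection object."""

    def __init__(self, host, path_prefix=DEFAULT_PREFIX):
        self.host = host
        # Normalise so "/pulp-local/api/" and "pulp-local/api" behave alike.
        self.path_prefix = "/" + path_prefix.strip("/")

    def url(self, path):
        return "https://%s%s/%s" % (self.host, self.path_prefix, path.lstrip("/"))


def load(text):
    parser = configparser.ConfigParser()
    parser.read_string(text)
    return parser


def connect_ignoring_prefix(conf):
    # Reported behaviour: the file is read, but api_prefix is never passed on.
    return Connection(conf.get("server", "host"))


def connect_with_prefix(conf):
    # Fixed behaviour: pass api_prefix through; default only when it is absent.
    prefix = conf.get("server", "api_prefix", fallback=DEFAULT_PREFIX)
    return Connection(conf.get("server", "host"), path_prefix=prefix)


def login_url(connect, text=SAMPLE_CONF):
    return connect(load(text)).url("v2/actions/login/")


if __name__ == "__main__":
    print("before:", login_url(connect_ignoring_prefix))
    print("after: ", login_url(connect_with_prefix))
```

Asserting on the built URL rather than on whether the config file was opened catches this failure mode, since the strace output in the report shows the file being read while the request still went to the default path.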