Issue #1844

closed

pulp-admin --config and/or api_prefix option appears to be ignored

Added by kfiresmith about 8 years ago. Updated almost 3 years ago.

Status: CLOSED - CURRENTRELEASE
Priority: Normal
Category: -
Sprint/Milestone: -
Start date:
Due date:
Estimated time:
Severity: 1. Low
Version: 2.8.0
Platform Release: 2.9.0
OS: RHEL 7
Triaged: Yes
Groomed: No
Sprint Candidate: No
Tags: Pulp 2
Sprint:
Quarter:

Description

Hi Folks,
This is a show-stopper problem for my AD / kerberos integration efforts I'm putting together for 2.9 documentation.

Because pulp-admin cannot work with kerberos tickets, a split authentication scheme must be used to allow both AD accounts and local pulp accounts to log into Pulp. The easiest way we have thought of to allow this is to have two different api paths via WSGIScriptAlias like so:

WSGIScriptAlias /pulp/api /usr/share/pulp/wsgi/webservices.wsgi
WSGIScriptAlias /pulp-local/api /usr/share/pulp/wsgi/webservices.wsgi

Then having a mod_auth_gssapi conf file to protect logins on the normal API path using AD auth:

<Location /pulp/api/v2/actions/login>
    # Require TLS (nee SSL).
    SSLRequireSSL
    SSLOptions +StrictRequire
    # Use GSSAPI authentication.
    AuthType GSSAPI
    AuthName "Pulp Login"
    # For paranoia, make GSSAPI also require TLS.
    GssapiSSLonly On
    # Permit password-based authentication for clients that can't do Negotiate.
    GssapiBasicAuth On
    # Require a valid user.
    require valid-user
</Location>

With these settings in place for Apache, a local login should be possible by using an alternate config file that contains the following api_prefix statement:
api_prefix: /pulp-local/api
...and pointing to the alternate config file via:
pulp-admin -v --config=/etc/pulp/admin/admin-local.conf login -u admin -p <some_password>

But this does not happen. Instead, the login command is posted to the normal api path as seen in the logs:

==> /var/log/httpd/ssl_access_log <==
10.xx.xx.xx - - [14/Apr/2016:10:22:47 0400] "POST /pulp/api/v2/actions/login/ HTTP/1.1" 401 451 "" "-"

Frustratingly, using strace it's apparent that the admin-client does in fact source the alternate config file, but it doesn't seem to accept the api_prefix option:

$ strace pulp-admin -v --config=/etc/pulp/admin/admin-local.conf login -u admin -p ---------------- 2>&1 | grep admin-local
open("/etc/pulp/admin/admin-local.conf", O_RDONLY) = 3

Because I don't know how to Python, I'm at a loss to figure out what is broken behind the curtain.
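
The mismatch described in this report can be checked mechanically by comparing the login path a client config implies with the login requests Apache actually logged. The script below is an added example, not part of the original report and not Pulp's own code. It assumes `api_prefix` sits in a `[server]` section and defaults to `/pulp/api`; the sample config, host name and log lines are constructed.

```python
import configparser
import re

# Constructed sample inputs (not taken from a real system).
SAMPLE_CONF = """\
[server]
host: pulp.example.com
api_prefix: /pulp-local/api
"""

SAMPLE_LOG = """\
10.0.0.5 - - [14/Apr/2016:10:22:47 -0400] "POST /pulp/api/v2/actions/login/ HTTP/1.1" 401 451
10.0.0.5 - - [14/Apr/2016:10:25:02 -0400] "POST /pulp-local/api/v2/actions/login/ HTTP/1.1" 200 312
10.0.0.5 - - [14/Apr/2016:10:25:03 -0400] "GET /pulp-local/api/v2/repositories/ HTTP/1.1" 200 2048
"""

LOGIN_SUFFIX = "/v2/actions/login/"
REQUEST_RE = re.compile(
    r'\] "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) ')


def expected_login_path(conf_text, default_prefix="/pulp/api"):
    """Return the login path the client should POST to for this config."""
    parser = configparser.ConfigParser()
    parser.read_string(conf_text)
    # Assumption: api_prefix lives in the [server] section of the client config.
    prefix = parser.get("server", "api_prefix", fallback=default_prefix)
    return prefix.rstrip("/") + LOGIN_SUFFIX


def check_login_requests(log_text, expected_path):
    """Return (path, status, verdict) for every login POST in the log."""
    results = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match or match["method"] != "POST":
            continue
        path = match["path"].split("?", 1)[0]  # ignore any query string
        if not path.endswith(LOGIN_SUFFIX):
            continue
        verdict = "expected prefix" if path == expected_path else "api_prefix ignored"
        results.append((path, int(match["status"]), verdict))
    return results


if __name__ == "__main__":
    expected = expected_login_path(SAMPLE_CONF)
    print("client config implies:", expected)
    for path, status, verdict in check_login_requests(SAMPLE_LOG, expected):
        print(f"{status} {path} -> {verdict}")
```

A 401 on the `/pulp/api` login path while the config names `/pulp-local/api` means the request reached the GSSAPI-protected location, which is the symptom reported above.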


Related issues

Has duplicate Pulp - Issue #822: api_prefix in admin.conf doesn't work (CLOSED - DUPLICATE)
