Task #2090

closed

Create a plan for user/auth in 3.0

Added by mhrivnak over 6 years ago. Updated almost 4 years ago.

Status: CLOSED - CURRENTRELEASE
Priority: Normal
Assignee:
Category: -
Sprint/Milestone: -
Start date:
Due date:
% Done: 0%
Estimated time:
Platform Release:
Groomed: Yes
Sprint Candidate: Yes
Tags: Pulp 2
Sprint: Sprint 9
Quarter:

Description

This task is largely to determine if we should use django's built-in auth plus the auth in django-rest-framework. Hopefully yes, because using it gets us a lot for free, including easy integration with tools like django-admin.

This task is successful when reasonable answers to the below questions have been agreed on, and tasks have been created that cover at least the next steps, if not all of the work required.

Below are notes from the team on this subject:

Hopefully we can just replace what we have with django's auth.
Q: Will it meet user needs?
Q: If not, do we need to introduce a more detailed framework like Django Guardian? (https://github.com/lukaszb/django-guardian)
Q: Will we need to add custom authz logic? What's the scope?
Q: To what extent can/should we migrate existing authz data? Perhaps we should just not.
+1 to not doing this now, but we look at porting the data after we have the new one implemented. In other words, we could green-field use django's auth and decide later.
Q: What authn mechanisms will we support? ssl certs? cookies? basic? other? What work is involved for us to make these happen vs. what can django do out of the box?
Q: What will be our integration story with freeipa?
We could use generic Kerberos integration to work. Not only should it work in theory, but I believe rbarlow successfully tested a user patch for Kerberos support against a freeipa-based Kerberos. One area then should be adding/testing Kerberos support from the start.
django-rest-framework (DRF) has pluggable auth, so DRF resources might be useful for implementing authnz features in the API:
http://www.django-rest-framework.org/api-guide/authentication/
http://www.django-rest-framework.org/api-guide/permissions/
http://www.django-rest-framework.org/topics/third-party-resources/#authentication

Related issues

Related to Pulp - Task #946: Develop a plan to improve Pulp's authentication offerings | CLOSED - WONTFIX
Related to Pulp - Task #2243: Create custom django User model | CLOSED - CURRENTRELEASE | dkliban@redhat.com
Related to Pulp - Task #2356: Add serializer for the user model | CLOSED - CURRENTRELEASE | dkliban@redhat.com
Related to Pulp - Task #2357: Add a user ViewSet | CLOSED - CURRENTRELEASE | dkliban@redhat.com
Related to Pulp - Story #2358: As a user, I can authenticate with username and password stored in Pulp | CLOSED - CURRENTRELEASE | dkliban@redhat.com
Related to Pulp - Story #2359: As a user, I can use JWT tokens for authentication | CLOSED - CURRENTRELEASE | fdobrovo
Related to Pulp - Task #2360: Create a plan for user authorization in 3.y | CLOSED - WONTFIX
Related to Pulp - Story #2361: As a user, I can authenticate using an external authority | CLOSED - WONTFIX
Related to Pulp - Story #2366: As a user, my password can be expired | CLOSED - WONTFIX
Related to Pulp - Story #2367: As a user, I can configure the expiration period for JWT tokens | CLOSED - DUPLICATE
Has duplicate Pulp - Task #1874: Plan User/Auth system for 3.0 | CLOSED - DUPLICATE
