Story #2361

As a user, I can authenticate using an external authority

Added by ttereshc almost 4 years ago. Updated over 1 year ago.

Status: CLOSED - WONTFIX
Priority: Normal
Assignee: -
Category: -
Sprint/Milestone: -
Start date:
Due date:
% Done: 0%
Estimated time:
Platform Release:
Groomed: No
Sprint Candidate: No
Tags: Pulp 2
Sprint:
Quarter:

Description

The suggestion is to use Apache modules for external auth and to look up the username in the REMOTE_USER* environment variables.
In this case we need to extend djangorestframework-jwt to trust the REMOTE_USER_* environment variables when creating tokens.
We should also take care of the auto-creation and update of the external users in Pulp.

External authentication is expected to be used as an initial authentication to obtain a JWT token and not to be used on every request.

Relevant info from the proposal:

REMOTE_USER_*
---------------------------

mod_lookup_identity is the solution recommended by the FreeIPA project for allowing a web app to discover user identity and related attributes from a trusted authentication source. It uses SSSD to look up attributes, and then it sets various REMOTE_USER_* environment variables within the context of a request. Any web application can then trust those values, making it a simple integration point.

Commonly-available attributes include username, email, first name, last name, and group membership.

Auto-Creation of Users
--------------------------------

In addition to looking for and trusting the REMOTE_USER environment variable, the drf-jwt token creation view would be extended to automatically create and update users. When invoked, it would:

- trust the REMOTE_USER value for authentication
- if the user exists in the DB, update its attributes with the other REMOTE_USER_* values
- if the user does not exist in the DB, create it based on the REMOTE_USER_* values
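
The create-or-update step listed above, as an added example in plain Python (not code from Pulp or djangorestframework-jwt). The `REMOTE_USER_EMAIL`, `REMOTE_USER_FIRSTNAME`, `REMOTE_USER_LASTNAME` and `REMOTE_USER_GROUPS` names, the `:` separator and the dict-based user store are assumptions; the real variable names are chosen in the Apache configuration.

```python
"""Sync a user from REMOTE_USER_* values before issuing a JWT (added example)."""

# Assumed variable names: mod_lookup_identity lets the Apache config choose them.
ATTR_MAP = {
    "REMOTE_USER_EMAIL": "email",
    "REMOTE_USER_FIRSTNAME": "first_name",
    "REMOTE_USER_LASTNAME": "last_name",
}
GROUPS_VAR, GROUPS_SEP = "REMOTE_USER_GROUPS", ":"  # assumed name and separator


class ExternalAuthError(Exception):
    """Raised when the web server did not vouch for any user."""


def identity_from_environ(environ):
    """Return (username, attrs) taken only from server-set WSGI environ keys.

    Request headers reach the app as HTTP_* keys (a client-sent Remote-User
    header becomes HTTP_REMOTE_USER), so those keys are never consulted.
    """
    username = (environ.get("REMOTE_USER") or "").strip()
    if not username:
        raise ExternalAuthError("REMOTE_USER not set by the web server")
    attrs = {f: environ[v] for v, f in ATTR_MAP.items() if environ.get(v)}
    if environ.get(GROUPS_VAR):
        attrs["groups"] = [g for g in environ[GROUPS_VAR].split(GROUPS_SEP) if g]
    return username, attrs


def sync_user(environ, users):
    """Create or update the user record; `users` is a hypothetical dict store."""
    username, attrs = identity_from_environ(environ)
    created = username not in users
    user = users.setdefault(username, {"username": username})
    user.update(attrs)  # existing user: refresh attributes from the authority
    return user, created  # caller would now issue the JWT for `user`


if __name__ == "__main__":
    store = {}
    # Constructed sample environ, as Apache + mod_lookup_identity might set it.
    env = {"REMOTE_USER": "alice", "REMOTE_USER_EMAIL": "alice@example.test",
           "REMOTE_USER_GROUPS": "admins:ops"}
    print(sync_user(env, store))
    print(sync_user({**env, "REMOTE_USER_EMAIL": "a2@example.test"}, store))
```

Attributes missing from a later request are left unchanged rather than cleared; whether to clear them is a policy choice the ticket does not settle.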


Related issues

Related to Pulp - Task #2090: Create a plan for user/auth in 3.0 (CLOSED - CURRENTRELEASE)

History

#1 Updated by ttereshc almost 4 years ago

  • Subject changed from As a user, I can authenticate to the REST API using an external authority to As a user, I can authenticate using an external authority
  • Description updated (diff)

#2 Updated by ttereshc almost 4 years ago

  • Description updated (diff)

#3 Updated by ttereshc almost 4 years ago

  • Related to Task #2090: Create a plan for user/auth in 3.0 added

#4 Updated by bmbouter over 1 year ago

  • Status changed from NEW to CLOSED - WONTFIX

#5 Updated by bmbouter over 1 year ago

Pulp 2 is approaching maintenance mode, and this Pulp 2 ticket is not being actively worked on. As such, it is being closed as WONTFIX. Pulp 2 is still accepting contributions though, so if you want to contribute a fix for this ticket, please reopen or comment on it. If you don't have permissions to reopen this ticket, or you want to discuss an issue, please reach out via the developer mailing list.

#6 Updated by bmbouter over 1 year ago

  • Tags Pulp 2 added