Project

Profile

Help

Story #2361

closed

As a user, I can authenticate using an external authority

Added by ttereshc about 8 years ago. Updated over 5 years ago.

Status:
CLOSED - WONTFIX
Priority:
Normal
Assignee:
-
Category:
-
Sprint/Milestone:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Platform Release:
Groomed:
No
Sprint Candidate:
No
Tags:
Pulp 2
Sprint:
Quarter:

Description

The suggestion is to use apache modules for external auth and to look up username in the REMOTE_USER* environment variables.
In this case we need to extend djangorestframework-jwt to trust the REMOTE_USER_* environment variables when creating tokens.
We should also take care of the auto-creation and update of the external users in Pulp.

External authentication is expected to be used as an initial authentication to obtain JWT token and not to be used on every request.

Relevant info from the proposal:

REMOTE_USER_*
---------------------------

mod_lookup_identity is the recommended solution by the FreeIPA project for allowing a web app to discover user identity and related attributes from a trusted authentication source. It uses SSSD to lookup attributes, and then it sets various REMOTE_USER_* environment variables within the context of a request. Any web application can then trust those values, making it a simple integration point.

Commonly-available attributes include username, email, first name, last name, and group membership.

Auto-Creation of Users
--------------------------------

In addition to looking for and trusting the REMOTE_USER environment variable, the drf-jwt token creation view would be extended to automatically create and update users. When invoked, it would:

- trust the REMOTE_USER value for authentication
- if the user exists in the DB, update its attributes with the other REMOTE_USER_* values
- if the user does not exist in the DB, create it based on the REMOTE_USER_* values


Related issues

Related to Pulp - Task #2090: Create a plan for user/auth in 3.0CLOSED - CURRENTRELEASEttereshc

Actions
Actions #1

Updated by ttereshc about 8 years ago

  • Subject changed from As a user, I can authenticate to the REST API using an external authority to As a user, I can authenticate using an external authority
  • Description updated (diff)
Actions #2

Updated by ttereshc about 8 years ago

  • Description updated (diff)
Actions #3

Updated by ttereshc about 8 years ago

  • Related to Task #2090: Create a plan for user/auth in 3.0 added
Actions #4

Updated by bmbouter over 5 years ago

  • Status changed from NEW to CLOSED - WONTFIX
Actions #5

Updated by bmbouter over 5 years ago

Pulp 2 is approaching maintenance mode, and this Pulp 2 ticket is not being actively worked on. As such, it is being closed as WONTFIX. Pulp 2 is still accepting contributions though, so if you want to contribute a fix for this ticket, please reopen or comment on it. If you don't have permissions to reopen this ticket, or you want to discuss an issue, please reach out via the developer mailing list.

Actions #6

Updated by bmbouter over 5 years ago

  • Tags Pulp 2 added

Also available in: Atom PDF