
Story #266

[RFE] allow Pulp admin to read user credentials from users admin.conf

Added by vijaykumar.jain@nomura.com almost 7 years ago. Updated about 1 year ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
Normal
Category:
-
Sprint/Milestone:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Platform Release:
2.6.0
Groomed:
No
Sprint Candidate:
No
Tags:
Pulp 2
Sprint:
Quarter:

Description

++ This bug was initially created as a clone of Bugzilla Bug #1159067 ++

Description of problem:
We are using LDAP for Pulp auth.
Now, if we use the pulp-admin CLI multiple times, the user does not like to enter the password every time he runs the command. Also, he would not like to use the --password field because of a security issue (ps | grep will show the password).


--- Additional comment from at 11/03/2014 17:47:38 ---

A couple of notes on the things that should be done for this:

1) The username and password should be added as fields to admin.conf.

2) If they are supplied by the CLI options (--password) then the CLI supplied one should be used instead of the admin.conf one (for username or password).

3) The admin.conf should provide admin/admin as defaults so that this feature will allow someone to use pulp-admin with the default credentials without specifying -u or -p.

4) Add docs describing the admin.conf attributes

--- Additional comment from at 11/04/2014 05:59:47 ---

Thanks bbouters.

Please find my comments.

1) We would not like to have username/password in the global admin.conf? We have put username/password (commented) in the admin.conf to serve as a template for the user's local admin.conf?

2) I was about to modify the command-line help, but got stuck with the English, thinking it would become confusing. (--password -> credentials for the Pulp server; if specified will bypass any defaults stored in admin.conf or the stored certificate) Do you think this is correct? Also the authentication failure message mentions creation of cer

3) Yes, it sounds correct, but then it will mask the entire effort of certificates even when we do not use Apache LDAP auth. Does it sound OK?

Also, I am getting a feeling that this (auth/cred in admin.conf) should not be provided by Pulp. Wherever I store the password, environment variable or hidden file, it will be stored in plain text and that sounds like a concern for sure.
But Pulp can allow a plugin/extension or decorator/callback to pulp.client.launcher.main for the auth.

I will work on this and update you, but let me know if the concern is reasonable and callback/decorator workaround sounds reasonable.

--- Additional comment from at 11/04/2014 17:16:03 ---

Thanks for the comments, here are some thoughts I have on them.

1) Pulp creates the admin.conf in the users home directory. There is a template in the codebase already [0]. I think of [0] as the template that any user would start from the first time they run pulp-admin. I think that the username and password should be added to [0] and would be un-commented with the 'admin' as the value for both username and password.

If you want to have a 'global template' of admin.conf that you provide for your users that is fine and you could have the username and password uncommented for them to fill in as you describe. That would just be for your users, not all Pulp users. Normal pulp users will still receive [0].

2) Your English is good. Do your best in the PR, and I can help make sure it reads well. Regarding the sentence you did write, replace the word 'bypass' with 'override' and it will convey the meaning you want.

3) This username and password would not change the way pulp handles certificates. The current functionality is that when a user logs in with a username and password (i.e. admin/admin) the server authenticates them, builds them a certificate that expires after some number of days, and then gives the certificate to the client pulp-admin. None of that would be adjusted. The only adjustment is that the username and password pulp-admin uses to authenticate and receive the certificate comes from admin.conf instead of exclusively from the command line.

I think keeping the file on the file system in plaintext is secure as long as the admin.conf is only readable by the users who should be able to read that password. I do not think the callback or decorator provides any additional security, but it does introduce complexity. Consider the fact that if someone has gained root access they can access everything on that system so nothing that is stored in plaintext (anywhere on the system) can be considered safe. In the case of root-access a callback on the same machine would be just as insecure.

Would keeping this in a file on the filesystem that has "safe" permissions be OK for your use case?

[0]: https://github.com/pulp/pulp/blob/master/client_admin/etc/pulp/admin/admin.conf

--- Additional comment from at 11/04/2014 18:33:40 ---

Sounds good. Thanks for clearing my concerns. I will do the needful on the above requested work wrt config update and docs.

I guess the long-term solution should involve Apache Kerberos auth (Mongo also supports Kerberos, so we should be good storing principals, I guess). But I think that would be a separate RFE.

--- Additional comment from at 11/04/2014 19:12:49 ---

Sounds good, Vijay.

Another team member reviewed your PR [0] with some comments. I adjusted the title so that it includes [Work in Progress]. Once you are ready for us to re-review, remove [Work in Progress] from the title, and post a note on the BZ or the PR that it is ready for another review.

[0]: https://github.com/pulp/pulp/pull/1280

--- Additional comment from at 11/06/2014 17:45:16 ---

Ready for review. :)
https://github.com/pulp/pulp/pull/1280

--- Additional comment from at 11/11/2014 17:37:56 ---

Please check now.

--- Additional comment from at 11/16/2014 20:31:20 ---

https://github.com/pulp/pulp/pull/1305

--- Additional comment from at 11/19/2014 23:34:23 ---

PR appears to be merged to 2.6-dev and master.

Setting state to MODIFIED.

Thanks for the contribution!

--- Additional comment from at 11/20/2014 05:22:21 ---

Hooray!! Thanks a lot. Appreciate your effort in mentoring and being patient on my first pull request :)
I am pretty sure I would want to be involved with more as I get more understanding of the product.

--- Additional comment from at 11/20/2014 13:46:19 ---

Great job Vijay! Your code will be included in the upcoming 2.6.0 alpha. Watch pulp-list to see the announcement of it. Thanks for your contribution.

--- Additional comment from at 12/23/2014 20:52:30 ---

fixed in pulp 2.6.0-0.2.beta

--- Additional comment from at 02/02/2015 21:41:55 ---

Please add some steps to verify this bz.

--- Additional comment from at 02/02/2015 21:58:46 ---

I wrote out steps, but then I deleted them because I also want to ensure that the docs provided to users are adequate. Attempt to configure auth by setting credentials in ~/.pulp/admin.conf per the docs here [0].

[0]: http://pulp.readthedocs.org/en/latest/user-guide/admin-client/authentication.html?highlight=username#basic-authentication-of-users

--- Additional comment from at 02/03/2015 16:17:02 ---

verified
[root@ibm-x3550m3-07 ~]# rpm -qa pulp-server
pulp-server-2.6.0-0.5.beta.el6.noarch
[root@ibm-x3550m3-07 ~]#

[root@ibm-x3550m3-07 ~]# pulp-admin repo list
Traceback (most recent call last):
File "/usr/bin/pulp-admin", line 9, in <module>
load_entry_point('pulp-client-admin==2.6.0', 'console_scripts', 'pulp-admin')()
File "/usr/lib/python2.6/site-packages/pulp/client/admin/__init__.py", line 22, in main
exit_code = launcher.main(read_config(), exception_handler_class=AdminExceptionHandler)
File "/usr/lib/python2.6/site-packages/pulp/client/admin/config.py", line 96, in read_config
validate_overrides(overrides)
File "/usr/lib/python2.6/site-packages/pulp/client/admin/config.py", line 124, in validate_overrides
"It should be one of %(valid_private_perms)s.") % runtime_dict)
RuntimeError: File /root/.pulp/admin.conf contains a password and has incorrect permissions: 500, It should be one of [400, 600, 700].
[root@ibm-x3550m3-07 ~]# chmod 600 ~/.pulp/admin.conf
[root@ibm-x3550m3-07 ~]# pulp-admin repo list
--------------------------------------------------------------------
Repositories
--------------------------------------------------------------------

Id: pulp-el6
Display Name: pulp-el6
Description: None
Content Unit Counts:
Package Group: 7
Rpm: 71

Id: zoo
Display Name: zoo
Description: None
Content Unit Counts:
Erratum: 4
Package Category: 1
Package Group: 2
Rpm: 32

Id: puppet-builds
Display Name: puppet-builds
Description: None
Content Unit Counts:

[root@ibm-x3550m3-07 ~]# pulp-admin -u test-user -p redhat repo list
----------------------------------------------------------------------
Repositories
--------------------------------------------------------------------

The specified user does not have permission to execute the given command

[root@ibm-x3550m3-07 ~]#
[root@ibm-x3550m3-07 ~]#
[root@ibm-x3550m3-07 ~]# pulp-admin auth permission grant --resource /v2/repositories/ --login test-user -o create -o update -o read
Permissions [/v2/repositories/ : ['CREATE', 'UPDATE', 'READ']] successfully
granted to user [test-user]

[root@ibm-x3550m3-07 ~]# pulp-admin -u test-user -p redhat repo list
+---------------------------------------------------------------------+
Repositories
--------------------------------------------------------------------

Id: pulp-el6
Display Name: pulp-el6
Description: None
Content Unit Counts:
Package Group: 7
Rpm: 71

Id: zoo
Display Name: zoo
Description: None
Content Unit Counts:
Erratum: 4
Package Category: 1
Package Group: 2
Rpm: 32

Id: puppet-builds
Display Name: puppet-builds
Description: None
Content Unit Counts:

[root@ibm-x3550m3-07 ~]#
[root@ibm-x3550m3-07 ~]#
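The two behaviours this thread settles on, the "safe permissions" rule bbouter argues for and the CLI-overrides-admin.conf precedence from the first comment, as they appear in the verification session above, written up as an added example (not code from the Pulp project). It assumes an [auth] section with username and password keys, and builds a constructed admin.conf in a temp file so it runs stand-alone.

```python
import configparser
import os
import stat
import tempfile

# Permission bits accepted when the file stores a password; these are the
# values the RuntimeError in the verification session lists.
VALID_PRIVATE_PERMS = (0o400, 0o600, 0o700)


def _load(path):
    cfg = configparser.ConfigParser()
    cfg.read(path)
    return cfg


def permission_error(path):
    """Return an error message if admin.conf holds a password but is not
    private, else None. A file with no password may have any mode."""
    cfg = _load(path)
    # Assumption: credentials live under [auth] as username/password.
    if not cfg.has_option("auth", "password"):
        return None
    mode = stat.S_IMODE(os.stat(path).st_mode)  # permission bits only
    if mode in VALID_PRIVATE_PERMS:
        return None
    valid = ", ".join(format(m, "o") for m in VALID_PRIVATE_PERMS)
    return ("File %s contains a password and has incorrect permissions: %o. "
            "It should be one of [%s]." % (path, mode, valid))


def resolve_credentials(path, cli_username=None, cli_password=None):
    """Return (username, password); -u/-p values override admin.conf ones.
    Raises RuntimeError, as pulp-admin does, when the file is too open."""
    err = permission_error(path)
    if err:
        raise RuntimeError(err)
    cfg = _load(path)
    username = cli_username or cfg.get("auth", "username", fallback=None)
    password = cli_password or cfg.get("auth", "password", fallback=None)
    return username, password


def write_sample_conf(mode, password="admin"):
    """Write a constructed admin.conf with the given mode; return its path."""
    fd, path = tempfile.mkstemp(suffix=".conf")
    with os.fdopen(fd, "w") as f:
        f.write("[auth]\nusername = admin\n")
        if password is not None:
            f.write("password = %s\n" % password)
    os.chmod(path, mode)
    return path
```

Running it against a 500-mode file reproduces the error the verifier hit before the chmod 600; the same file at 600 yields admin/admin unless -u/-p values are passed in.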

History

#1 Updated by bmbouter almost 7 years ago

  • Status changed from NEW to 6

This was already at VERIFIED state in Bugzilla. There was an error in the migration into Redmine. This change sets the correct state.

#2 Updated by rbarlow almost 7 years ago

  • Status changed from 6 to CLOSED - CURRENTRELEASE

#4 Updated by bmbouter almost 3 years ago

  • Tags Pulp 2 added
