Story #3559

Support redirects to CDN endpoints using HMAC token authorization

Added by peasters over 3 years ago. Updated over 2 years ago.

Start date:
Due date:
% Done:


Estimated time:
Platform Release:
Target Release - Crane:
Sprint Candidate:
Pulp 2


In order to protect image layers and manifests from unauthorized access on a CDN, Crane should support generating HMAC tokens to be appended in the query string of requests. This allows CDN providers to validate content is only accessed by authorized users of Crane.

Related issues

Related to Crane - Issue #3227: Rewrite redirect URLCLOSED - CURRENTRELEASE<a title="Actions" class="icon-only icon-actions js-contextmenu" href="#">Actions</a>

Associated revisions

Revision b4cec8ff View on GitHub
Added by peasters over 3 years ago

Add support for CDN token auth and url rewriting

  • Adds support for rewriting base URLs of repos to a new location (e.g. to
  • Adds support for generating HMAC tokens for query string authorization with CDN providers

Closes #3559 Closes #3227


#1 Updated by rchan over 3 years ago

PR has been opened.

#3 Updated by dalley over 3 years ago

  • Tracker changed from Issue to Story
  • % Done set to 0

#4 Updated by over 3 years ago

Hi Patrick,

thanks a lot for opening this feature request and providing a PR to it.

Would you be able to answer couple of questions so we can have a better understanding:

1) what would be the exact e2e usecases? describing what happens step by step would be very helpful.
2) how someone could use this and have benefit from this? What would be the setup environment?
3) you mentioned on the PR that generated tokens are complaint akamai's token auth, what about other CDN? or this feature is purely specific and limited to Akamai?

Thank you.

#5 Updated by peasters over 3 years ago

Hi Ina,

1) This is part of fulfilling a business requirement for all container layers/content being secured and authorized. The goal is that content should not be reachable on the CDN without having already been authorized via Crane. Take the following scenario where the Akamai CDN is configured to enforce HMAC token authorization.

  • User performs `docker login` and relevant authn/authz takes place at Apache
  • User performs `docker pull` and pulls manifests/blobs from Crane
  • Crane generates redirect for content on CDN based on redirect_url given in Pulp metadata
    • Crane rewrites destination redirect URL if configured (to avoid needing duplicate repos being published for the same content)
    • Crane generates HMAC token for URL and configured expiration date, then appends it to the query string of the 302 redirect issued to client (e.g. /content/product/example?exp=1523835702~hmac=abd783776f32cca3de1b7)
  • User follows given redirect and downloads content

2) This would benefit anyone using Akamai as a content delivery network for Pulp content. This PR also addresses issue #3227 which requested a way to rewrite the redirect URL of repos:

3) The PR is specifically for Akamai, but other CDN providers (S3, etc) do use similar methods of providing URL-based authorization for content.

#6 Updated by peasters over 3 years ago

  • Status changed from NEW to MODIFIED
  • % Done changed from 0 to 100

#7 Updated by over 3 years ago

#8 Updated by over 3 years ago

  • Platform Release set to 2.16.1
  • Target Release - Crane set to 3.2.0

#9 Updated by over 3 years ago

  • Status changed from MODIFIED to 5

#10 Updated by over 3 years ago

  • Status changed from 5 to CLOSED - CURRENTRELEASE

#11 Updated by bmbouter over 2 years ago

  • Tags Pulp 2 added

Please register to edit this issue

Also available in: Atom PDF