Story #3559


Support redirects to CDN endpoints using HMAC token authorization

Added by peasters about 6 years ago. Updated about 5 years ago.

Start date:
Due date:
% Done:


Estimated time:
Platform Release:
Target Release - Crane:
Sprint Candidate:
Pulp 2


In order to protect image layers and manifests from unauthorized access on a CDN, Crane should support generating HMAC tokens to be appended in the query string of requests. This allows CDN providers to validate content is only accessed by authorized users of Crane.

Related issues

Related to Crane - Issue #3227: Rewrite redirect URLCLOSED - CURRENTRELEASEActions
Actions #1

Updated by rchan about 6 years ago

PR has been opened.

Actions #3

Updated by dalley about 6 years ago

  • Tracker changed from Issue to Story
  • % Done set to 0
Actions #4

Updated by about 6 years ago

Hi Patrick,

thanks a lot for opening this feature request and providing a PR to it.

Would you be able to answer couple of questions so we can have a better understanding:

1) what would be the exact e2e usecases? describing what happens step by step would be very helpful.
2) how someone could use this and have benefit from this? What would be the setup environment?
3) you mentioned on the PR that generated tokens are complaint akamai's token auth, what about other CDN? or this feature is purely specific and limited to Akamai?

Thank you.

Actions #5

Updated by peasters about 6 years ago

Hi Ina,

1) This is part of fulfilling a business requirement for all container layers/content being secured and authorized. The goal is that content should not be reachable on the CDN without having already been authorized via Crane. Take the following scenario where the Akamai CDN is configured to enforce HMAC token authorization.

  • User performs `docker login` and relevant authn/authz takes place at Apache
  • User performs `docker pull` and pulls manifests/blobs from Crane
  • Crane generates redirect for content on CDN based on redirect_url given in Pulp metadata
    • Crane rewrites destination redirect URL if configured (to avoid needing duplicate repos being published for the same content)
    • Crane generates HMAC token for URL and configured expiration date, then appends it to the query string of the 302 redirect issued to client (e.g. /content/product/example?exp=1523835702~hmac=abd783776f32cca3de1b7)
  • User follows given redirect and downloads content

2) This would benefit anyone using Akamai as a content delivery network for Pulp content. This PR also addresses issue #3227 which requested a way to rewrite the redirect URL of repos:

3) The PR is specifically for Akamai, but other CDN providers (S3, etc) do use similar methods of providing URL-based authorization for content.

Added by peasters about 6 years ago

Revision b4cec8ff | View on GitHub

Add support for CDN token auth and url rewriting

  • Adds support for rewriting base URLs of repos to a new location (e.g. to
  • Adds support for generating HMAC tokens for query string authorization with CDN providers

Closes #3559 Closes #3227

Actions #6

Updated by peasters about 6 years ago

  • Status changed from NEW to MODIFIED
  • % Done changed from 0 to 100
Actions #7

Updated by about 6 years ago

Actions #8

Updated by about 6 years ago

  • Platform Release set to 2.16.1
  • Target Release - Crane set to 3.2.0
Actions #9

Updated by about 6 years ago

  • Status changed from MODIFIED to 5
Actions #10

Updated by about 6 years ago

  • Status changed from 5 to CLOSED - CURRENTRELEASE
Actions #11

Updated by bmbouter about 5 years ago

  • Tags Pulp 2 added

Also available in: Atom PDF