Story #3559
Support redirects to CDN endpoints using HMAC token authorization
Status: closed, 100% done
Description
In order to protect image layers and manifests from unauthorized access on a CDN, Crane should support generating HMAC tokens to be appended in the query string of requests. This allows CDN providers to validate content is only accessed by authorized users of Crane.
Related issues
Updated by amacdona@redhat.com over 6 years ago
Updated by dalley over 6 years ago
- Tracker changed from Issue to Story
- % Done set to 0
Updated by ipanova@redhat.com over 6 years ago
Hi Patrick,
thanks a lot for opening this feature request and providing a PR to it.
Would you be able to answer a couple of questions so we can have a better understanding:
1) What would be the exact e2e use cases? Describing what happens step by step would be very helpful.
2) How could someone use this and benefit from it? What would the setup environment be?
3) You mentioned on the PR that the generated tokens are compliant with Akamai's token auth; what about other CDNs? Or is this feature purely specific to and limited to Akamai? https://github.com/pulp/crane/pull/88/files#diff-caf2a6b8f4947d018f68893c695b5202R93
Thank you.
Updated by peasters over 6 years ago
Hi Ina,
1) This is part of fulfilling a business requirement for all container layers/content being secured and authorized. The goal is that content should not be reachable on the CDN without having already been authorized via Crane. Take the following scenario where the Akamai CDN is configured to enforce HMAC token authorization.
- User performs `docker login` and relevant authn/authz takes place at Apache
- User performs `docker pull crane.example.com/image` and pulls manifests/blobs from Crane
- Crane generates redirect for content on CDN based on redirect_url given in Pulp metadata
- Crane rewrites destination redirect URL if configured (to avoid needing duplicate repos being published for the same content)
- Crane generates HMAC token for URL and configured expiration date, then appends it to the query string of the 302 redirect issued to client (e.g. /content/product/example?exp=1523835702~hmac=abd783776f32cca3de1b7)
- User follows given redirect and downloads content
2) This would benefit anyone using Akamai as a content delivery network for Pulp content. This PR also addresses issue #3227 which requested a way to rewrite the redirect URL of repos: https://pulp.plan.io/issues/3227
3) The PR is specifically for Akamai, but other CDN providers (S3, etc.) do use similar methods of providing URL-based authorization for content.
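The redirect flow described above (Crane mints an expiring HMAC token, appends it to the 302 target as `?exp=...~hmac=...`, and the CDN only serves the object if the token checks out) as an added example. This is illustration code, not Crane's or Akamai's implementation: the `exp=...~hmac=...` layout is taken from the example query string in the comment, but the choice to bind the request path into the signed message (so a token minted for one blob cannot be replayed against another), the HMAC-SHA256 algorithm, the key, the URLs and all function names are assumptions of this example.

```python
"""HMAC-token-in-query-string authorization for CDN redirects (added example)."""
import hashlib
import hmac
from urllib.parse import urlsplit, urlunsplit

# Constructed demo key. In a real deployment the secret is shared with the CDN
# out of band and never appears in the redirect itself.
DEMO_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)


def _mac(key, path, exp):
    """HMAC-SHA256 over the object path and the expiry timestamp.

    Binding the path is an assumption of this example: without it, a token
    issued for one layer would authorize any object on the CDN until it expires.
    """
    msg = "{}~exp={}".format(path, exp).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_token(key, path, exp):
    """Build the token in the exp=...~hmac=... layout shown in the issue."""
    return "exp={}~hmac={}".format(exp, _mac(key, path, exp))


def sign_redirect(redirect_url, key, ttl, now):
    """Crane side: return the 302 Location with the token as its query string.

    `redirect_url` is the (possibly rewritten) CDN URL from the Pulp metadata;
    `ttl` is the configured lifetime in seconds; `now` is the current Unix time.
    """
    parts = urlsplit(redirect_url)
    if parts.query:
        # This example assumes the token is the entire query string, as in the
        # issue's example URL, so a pre-existing query would be ambiguous.
        raise ValueError("redirect URL already carries a query string")
    exp = int(now) + int(ttl)
    token = make_token(key, parts.path, exp)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, token, parts.fragment))


def parse_token(query):
    """Split 'exp=...~hmac=...' into a dict; return None if malformed."""
    fields = {}
    for piece in query.split("~"):
        name, sep, value = piece.partition("=")
        if not sep or not name:
            return None
        fields[name] = value
    return fields


def verify_request(request_url, key, now):
    """CDN side: accept only a well-formed, unexpired token whose MAC matches.

    Returns False for a missing token, unknown or missing fields, a non-numeric
    or past expiry, or a MAC computed over a different path/expiry/key.
    """
    parts = urlsplit(request_url)
    fields = parse_token(parts.query) if parts.query else None
    if not fields or set(fields) != {"exp", "hmac"}:
        return False
    try:
        exp = int(fields["exp"])
    except ValueError:
        return False
    if exp <= int(now):
        return False
    expected = _mac(key, parts.path, exp)
    # Constant-time comparison; encode so a non-ASCII attacker value cannot
    # raise TypeError instead of being rejected.
    return hmac.compare_digest(expected.encode("utf-8"), fields["hmac"].encode("utf-8"))


if __name__ == "__main__":
    # Constructed sample: a blob redirect with a one-hour token.
    url = "https://cdn.example.com/content/product/example/blobs/sha256:abc"
    now = 1523830000
    location = sign_redirect(url, DEMO_KEY, ttl=3600, now=now)
    print("302 Location:", location)
    print("valid now:   ", verify_request(location, DEMO_KEY, now=now + 10))
    print("after expiry:", verify_request(location, DEMO_KEY, now=now + 3601))
```

The check the CDN performs is the whole point of the scheme: without it a client that learned the CDN hostname could bypass the `docker login` authorization at Apache entirely. Note that the token only proves the request was minted by a holder of the key before `exp`; anyone who obtains the signed URL within its lifetime can use it, so the TTL should be kept as short as the `docker pull` flow allows.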
Added by peasters over 6 years ago
Updated by peasters over 6 years ago
- Status changed from NEW to MODIFIED
- % Done changed from 0 to 100
Applied in changeset b4cec8ff6252cebcd2f56cedf55d40cc9d337bad.
Updated by ipanova@redhat.com over 6 years ago
- Related to Issue #3227: Rewrite redirect URL added
Updated by ipanova@redhat.com over 6 years ago
- Platform Release set to 2.16.1
- Target Release - Crane set to 3.2.0
Updated by ipanova@redhat.com over 6 years ago
- Status changed from MODIFIED to 5
Updated by ipanova@redhat.com over 6 years ago
- Status changed from 5 to CLOSED - CURRENTRELEASE
Associated revision (changeset b4cec8ff6252cebcd2f56cedf55d40cc9d337bad):
Add support for CDN token auth and URL rewriting
Closes #3559 Closes #3227