Support redirects to CDN endpoints using HMAC token authorization
In order to protect image layers and manifests from unauthorized access on a CDN, Crane should support generating HMAC tokens to be appended in the query string of requests. This allows CDN providers to validate content is only accessed by authorized users of Crane.
Updated by firstname.lastname@example.org over 5 years ago
Thanks a lot for opening this feature request and providing a PR for it.
Would you be able to answer a couple of questions so we can have a better understanding:
1) What would be the exact e2e use cases? Describing what happens step by step would be very helpful.
2) How could someone use this and benefit from it? What would the setup environment be?
3) You mentioned on the PR that the generated tokens are compliant with Akamai's token auth. What about other CDNs? Or is this feature purely specific to and limited to Akamai? https://github.com/pulp/crane/pull/88/files#diff-caf2a6b8f4947d018f68893c695b5202R93
Updated by peasters over 5 years ago
1) This is part of fulfilling a business requirement for all container layers/content being secured and authorized. The goal is that content should not be reachable on the CDN without having already been authorized via Crane. Take the following scenario where the Akamai CDN is configured to enforce HMAC token authorization.
- User performs `docker login` and relevant authn/authz takes place at Apache
- User performs `docker pull crane.example.com/image` and pulls manifests/blobs from Crane
- Crane generates redirect for content on CDN based on redirect_url given in Pulp metadata
- Crane rewrites destination redirect URL if configured (to avoid needing duplicate repos being published for the same content)
- Crane generates HMAC token for URL and configured expiration date, then appends it to the query string of the 302 redirect issued to client (e.g. /content/product/example?exp=1523835702~hmac=abd783776f32cca3de1b7)
- User follows given redirect and downloads content
2) This would benefit anyone using Akamai as a content delivery network for Pulp content. This PR also addresses issue #3227, which requested a way to rewrite the redirect URL of repos: https://pulp.plan.io/issues/3227
3) The PR is specifically for Akamai, but other CDN providers (S3, etc.) use similar methods of providing URL-based authorization for content.
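The redirect-and-validate exchange from the step list above, as an added illustration that is not Crane's code from PR #88: the `exp=<ts>~hmac=<hex>` query layout comes from the comment, but the signed string, the SHA-256 choice, the `CDN_KEY` name and the function names are assumptions for illustration, not the Akamai token specification.

```python
import hashlib
import hmac
import time

# Hypothetical secret shared between Crane and the CDN edge. In a real
# deployment it comes from configuration, never from source code.
CDN_KEY = b"example-shared-secret-do-not-use"


def sign_path(path, expires_at, key=CDN_KEY):
    """Return (exp, hex digest) for a content path such as "/content/product/example".

    The signed string is "exp=<unix-ts>~path=<path>"; this layout is an
    assumption, the page only shows the resulting query string.
    """
    exp = str(int(expires_at))
    msg = ("exp=%s~path=%s" % (exp, path)).encode("utf-8")
    return exp, hmac.new(key, msg, hashlib.sha256).hexdigest()


def redirect_url(cdn_base, path, ttl_seconds, now=None, key=CDN_KEY):
    """Crane side: build the 302 Location value '<base><path>?exp=<ts>~hmac=<hex>'."""
    now = time.time() if now is None else now
    exp, digest = sign_path(path, now + ttl_seconds, key)
    return "%s%s?exp=%s~hmac=%s" % (cdn_base, path, exp, digest)


def verify_token(path, query, now=None, key=CDN_KEY):
    """Edge side: accept only an unexpired token whose HMAC matches this path."""
    now = time.time() if now is None else now
    fields = {}
    for part in query.split("~"):          # fields are '~'-separated
        name, sep, value = part.partition("=")
        if sep:
            fields[name] = value
    try:
        exp = int(fields["exp"])
        presented = fields["hmac"]
    except (KeyError, ValueError):
        return False                       # malformed token
    if exp <= now:
        return False                       # expired
    _, expected = sign_path(path, exp, key)
    # Constant-time comparison so a forged digest cannot be refined byte by byte.
    return hmac.compare_digest(expected, presented)
```

Because the path is part of the signed string, a token minted for one layer cannot be replayed against another, and the edge rejects it once `exp` has passed.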
Added by peasters over 5 years ago
Add support for CDN token auth and url rewriting
- Adds support for rewriting base URLs of repos to a new location (e.g. access.redhat.com/webassets/docker to registry.redhat.io/containers)
- Adds support for generating HMAC tokens for query string authorization with CDN providers