
Story #3808

As a user, I am able to use the REMOTE_USER compatible authentication with the Pulp api

Added by ttereshc over 1 year ago. Updated about 1 month ago.

Status: CLOSED - CURRENTRELEASE
Priority: Normal
Category: -
% Done: 100%
Backwards Incompatible: No
Groomed: Yes
Sprint Candidate: Yes
Verified: No
Verification Required: No
Sprint: Sprint 54

Description

This RFE is a result of Katello/Pulp3 gap analysis. P1 item. For more info on how to turn on support for REMOTE_USER, see:

https://docs.djangoproject.com/en/2.1/howto/auth-remote-user/


Checklist

  • Set up apache and test out that REMOTE_USER works (Done)
  • Add some docs saying that Pulp supports REMOTE_USER and the header should be set to username (Done)

Associated revisions

Revision 4cd84799
Added by bmbouter 7 months ago

Add REMOTE_USER support

This adds REMOTE_USER support which is enabled by default. For
reverse proxy deployments, a new setting is introduced controlling
which WSGI environment var contains the trusted authenticated
username.

A new authentication section is added which contains docs on the
default authentication, how to customize or disable them, and how to
install custom authentication.

https://pulp.plan.io/issues/3808
closes #3808

History

#1 Updated by ttereshc over 1 year ago

  • Tags Pulp 3 added

#2 Updated by jsherril@redhat.com over 1 year ago

  • Tags Katello-P1 added
  • Tags deleted (Pulp 3)

#3 Updated by jsherril@redhat.com over 1 year ago

  • Tags Pulp 3 added

#4 Updated by bmbouter over 1 year ago

The Basic auth is currently submitted via a header. Do we need more than that?

#5 Updated by jsherril@redhat.com over 1 year ago

The goal was to support auth via a client certificate rather than basic auth. We could accomplish this by using a web server like apache to do the client cert verification and tell it to put the CN into a header, which the application will look for. This is a common paradigm and we use it today with pulp 2.

#6 Updated by bmbouter over 1 year ago

@jsherrill what you're describing sounds like exactly what we're making for ContentGuards. That's the new name for the "content protection" feature of Pulp2. The epic for that work is #3968 and the specific Oid content guard port from Pulp2 is #4009.

That feature is only for the content portion of the WSGI app; the rest of the API calls (non-content calls) use Basic auth currently. For those non-content calls, is having a cert more useful for you than basic auth somehow?

#7 Updated by jsherril@redhat.com over 1 year ago

  • Subject changed from As a user, I am able to use header-based auth to authenticate with Pulp to As a user, I am able to use header-based auth to authenticate with the Pulp api

This was actually specifically for the api, not for content (updated the title to reflect that). There are a couple of reasons why we would like this feature:

1. it greatly simplifies installation. There is no shared secret between the katello and pulp servers, we can simply generate a certificate against the ca that the webserver in front of pulp is using

2. We talk to multiple pulp servers in katello via our smart-proxy/capsule concept. Storing different basic auth credentials per server would make management much more difficult.

All of these things are solvable, but it seems much easier for pulp to recognize something like a REMOTE_USER header on a request as described here: https://docs.djangoproject.com/en/2.1/howto/auth-remote-user/

#8 Updated by daviddavis 12 months ago

  • Checklist item Set up apache and test out that REMOTE_USER works added
  • Checklist item Add some docs saying that Pulp supports REMOTE_USER and the header should be set to username added
  • Subject changed from As a user, I am able to use header-based auth to authenticate with the Pulp api to As a user, I am able to use the REMOTE_USER header to authenticate with the Pulp api
  • Description updated (diff)
  • Groomed changed from No to Yes
  • Sprint Candidate changed from No to Yes
  • Tags Pulp 3 RC Blocker added

#9 Updated by ttereshc 11 months ago

  • Sprint set to Sprint 49

#10 Updated by jortel@redhat.com 11 months ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to jortel@redhat.com

#11 Updated by jortel@redhat.com 11 months ago

Tested and validated that this works as anticipated.


The default behavior of the RemoteUserBackend is to create a new user in django when the remote-user is unknown. As prescribed by [1] we'd need to override this behavior in a custom class.

[1] https://docs.djangoproject.com/en/2.1/ref/contrib/auth/#django.contrib.auth.backends.RemoteUserBackend

diff --git a/pulpcore/app/auth/__init__.py b/pulpcore/app/auth/__init__.py
index e69de29bb..a577e27ce 100644
--- a/pulpcore/app/auth/__init__.py
+++ b/pulpcore/app/auth/__init__.py
@@ -0,0 +1 @@
+from .backends import RemoteUserBackend  # noqa
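Review bot: the bare `# noqa` on the re-export in `pulpcore/app/auth/__init__.py` silences every flake8 warning on that line rather than only the unused-import one it is there for; use `# noqa: F401`, or declare `__all__ = ['RemoteUserBackend']`, so the re-export is documented as the package's intended public path (the `pulpcore.app.auth.RemoteUserBackend` string that `AUTHENTICATION_BACKENDS` points at).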

diff --git a/pulpcore/app/auth/backends.py b/pulpcore/app/auth/backends.py
index e69de29bb..ab4a1d74f 100644
--- a/pulpcore/app/auth/backends.py
+++ b/pulpcore/app/auth/backends.py
@@ -0,0 +1,5 @@
+from django.contrib.auth import backends
+
+
+class RemoteUserBackend(backends.RemoteUserBackend):
+    create_unknown_user = False
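Review bot: the subclass in `pulpcore/app/auth/backends.py` reuses the exact name `RemoteUserBackend` of the base class it imports from `django.contrib.auth.backends`, so tracebacks, log lines and the dotted path in settings no longer say which of the two is meant; give it a distinct name (for example `PulpRemoteUserBackend`) and add a docstring stating why `create_unknown_user = False` is set: a username forwarded by the proxy that does not already exist in Pulp is rejected instead of being auto-provisioned, so operators must create the user before the certificate's CN will authenticate.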


Apache configuration used for testing.

WSGIScriptAlias /pulp/api/v3 /srv/pulp/wsgi.py/pulp/api/v3

<Directory /srv/pulp>
  Require all granted
</Directory>

<Files wsgi.py>
  SSLRenegBufferSize  1048576
  SSLVerifyDepth 9
  # StdEnvVars exports the SSL_* variables (SSL_CLIENT_S_DN_CN among them) into the
  # request environment; ExportCertData additionally exports the PEM certificates.
  SSLOptions +StdEnvVars +ExportCertData
  # optional_no_ca requests a client certificate but accepts one that does not chain
  # to a configured CA, so the CN of any self-signed certificate ends up in REMOTE_USER.
  # That is acceptable on a test box only; a production deployment uses
  # "SSLVerifyClient require" together with SSLCACertificateFile.
  SSLVerifyClient optional_no_ca
  # Copy the presented certificate's CN into the REMOTE_USER environment variable
  # that Django's remote-user authentication reads.
  RewriteEngine on
  RewriteRule .* - [E=REMOTE_USER:%{SSL:SSL_CLIENT_S_DN_CN}]
</Files>

The Django settings need to be altered when using REMOTE_USER as follows:

/etc/pulp/settings.py, as needed to re-configure Django auth:

from pulpcore.app import settings

# Start from pulpcore's own DRF settings and swap the authentication classes:
# BasicAuthentication stays, SessionAuthentication is replaced by
# RemoteUserAuthentication, which reads request.META['REMOTE_USER'].
REST_FRAMEWORK = settings.REST_FRAMEWORK
REST_FRAMEWORK['DEFAULT_AUTHENTICATION_CLASSES'] = (
    'rest_framework.authentication.BasicAuthentication',
    'rest_framework.authentication.RemoteUserAuthentication',
)

AUTHENTICATION_BACKENDS = [
    # Subclass from the diff above: unknown remote users are rejected, not created.
    'pulpcore.app.auth.RemoteUserBackend',
    # Keep ModelBackend so BasicAuthentication (username/password) still resolves;
    # RemoteUserBackend.authenticate() only accepts the remote_user credential and
    # django.contrib.auth.authenticate() skips backends whose signature does not match.
    'django.contrib.auth.backends.ModelBackend',
]

This replaces the SessionAuthentication with RemoteUserAuthentication. Apache should be responsible for any session management including CSRF, right? If not, I don't know how to resolve "CSRF token missing or incorrect" errors.

Should I proceed with a PR to add the docs and custom RemoteUserBackend?

Where should the documentation go? And, what should be documented that is not redundant to django docs?
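The trust decision behind the settings and backend posted in #11, and behind the setting the commit message describes (which WSGI environment variable holds the trusted username), as an added example that is not code from the Pulp project or from Django. It models, without a running Django stack, what the remote-user authentication class plus a backend with create_unknown_user = False decide for a given WSGI environ. The function names, the KNOWN_USERS table and the sample environs are constructed for illustration.

```python
from typing import Mapping, Optional

# Constructed stand-in for the Django user table. With create_unknown_user =
# False only these pre-provisioned usernames can ever be authenticated.
KNOWN_USERS = frozenset({"admin", "katello"})


def clean_username(raw: str) -> str:
    """Normalise the value the proxy forwards (Django exposes the same hook as
    RemoteUserBackend.clean_username). Here: trim whitespace and lower-case."""
    return raw.strip().lower()


def resolve_remote_user(environ: Mapping[str, str],
                        env_var: str = "REMOTE_USER",
                        known_users=KNOWN_USERS) -> Optional[str]:
    """Return the username to log in as, or None for anonymous/rejected.

    env_var names the WSGI environ key that is *trusted* to carry the identity
    the web server established (the knob the commit message adds). The default,
    REMOTE_USER, is safe because only the server can set it: WSGI stores
    client-supplied request headers under HTTP_<NAME>, so a client cannot
    write a bare REMOTE_USER key into the environ.
    """
    raw = environ.get(env_var)
    if not raw:
        return None  # server asserted no identity -> anonymous request
    username = clean_username(raw)
    if username not in known_users:
        return None  # create_unknown_user = False: reject, do not provision
    return username


def wsgi_environ(server_remote_user: Optional[str] = None,
                 client_headers: Optional[Mapping[str, str]] = None) -> dict:
    """Build a constructed WSGI environ the way a server does: every header the
    client sent becomes HTTP_<UPPER_NAME_WITH_UNDERSCORES>; REMOTE_USER appears
    only if the server itself decided to set it (e.g. from the verified client
    certificate's CN via mod_ssl and a RewriteRule [E=...] flag)."""
    env = {"REQUEST_METHOD": "GET", "PATH_INFO": "/pulp/api/v3/repositories/"}
    for name, value in (client_headers or {}).items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    if server_remote_user is not None:
        env["REMOTE_USER"] = server_remote_user
    return env


def trust_cases() -> dict:
    """The four situations a deployer should understand, as name -> result."""
    return {
        # Apache verified the cert and exported CN=katello: accepted.
        "server_sets_known_cn": resolve_remote_user(
            wsgi_environ(server_remote_user="katello")),
        # Client merely sends a "Remote-User: admin" header: it lands in
        # HTTP_REMOTE_USER, which is never consulted -> anonymous.
        "client_header_ignored": resolve_remote_user(
            wsgi_environ(client_headers={"Remote-User": "admin"})),
        # Cert chained correctly but CN is not a Pulp user: rejected, not created.
        "server_sets_unknown_cn": resolve_remote_user(
            wsgi_environ(server_remote_user="build-host-17")),
        # Misconfiguration: pointing the setting at a header-derived key such as
        # HTTP_X_REMOTE_USER is only safe if the proxy always overwrites or
        # strips that header; if it does not, the client picks its own identity.
        "header_var_without_stripping": resolve_remote_user(
            wsgi_environ(client_headers={"X-Remote-User": "admin"}),
            env_var="HTTP_X_REMOTE_USER"),
    }


if __name__ == "__main__":
    for case, result in trust_cases().items():
        print(f"{case:32s} -> {result!r}")
```

The last case is the one to check before changing the environment-variable setting away from REMOTE_USER: a header-derived key is only trustworthy when the reverse proxy in front of the WSGI app is known to set or strip that header on every request.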

#12 Updated by dkliban@redhat.com 11 months ago

  • Assignee changed from jortel@redhat.com to daviddavis

#13 Updated by jsherril@redhat.com 11 months ago

My 2 cents:

Any supported options in settings.py should be documented in the pulp docs. Being a django developer/admin should not be a prerequisite to deploying pulp3 IMO.

#14 Updated by rchan 11 months ago

  • Sprint changed from Sprint 49 to Sprint 50

#15 Updated by daviddavis 10 months ago

  • Status changed from ASSIGNED to NEW

Unassigning myself as I don't have time to work on this.

#16 Updated by daviddavis 10 months ago

  • Assignee deleted (daviddavis)

#17 Updated by daviddavis 10 months ago

  • Sprint/Milestone set to 3.0.0
  • Tags deleted (Katello-P1, Pulp 3, Pulp 3 RC Blocker)

Removing as an RC blocker. This is still a priority and hoping we can address this before the RC release.

#18 Updated by kersom 10 months ago

  • Tags Pulp 3 added

#19 Updated by rchan 10 months ago

  • Sprint changed from Sprint 50 to Sprint 51

#20 Updated by rchan 9 months ago

  • Sprint changed from Sprint 51 to Sprint 52

#21 Updated by bmbouter 9 months ago

  • Tags deleted (Pulp 3)

#22 Updated by rchan 8 months ago

  • Sprint changed from Sprint 52 to Sprint 53

#23 Updated by amacdona@redhat.com 8 months ago

  • Sprint changed from Sprint 53 to Sprint 54

#24 Updated by bmbouter 8 months ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to bmbouter

#25 Updated by bmbouter 8 months ago

  • Checklist item Set up apache and test out that REMOTE_USER works set to Done
  • Checklist item Add some docs saying that Pulp supports REMOTE_USER and the header should be set to username set to Done
  • Subject changed from As a user, I am able to use the REMOTE_USER header to authenticate with the Pulp api to As a user, I am able to use the REMOTE_USER compatible authentication with the Pulp api

#26 Updated by bmbouter 7 months ago

  • Status changed from ASSIGNED to POST

#27 Updated by bmbouter 7 months ago

  • Status changed from POST to MODIFIED
  • % Done changed from 0 to 100

#28 Updated by bmbouter about 1 month ago

  • Status changed from MODIFIED to CLOSED - CURRENTRELEASE
