Project

Profile

Help

Story #3808

As a user, I am able to use the REMOTE_USER compatible authentication with the Pulp api

Added by ttereshc over 1 year ago. Updated 4 months ago.

Status:
MODIFIED
Priority:
Normal
Assignee:
Category:
-
Sprint/Milestone:
Start date:
Due date:
% Done:

100%

Platform Release:
Blocks Release:
Backwards Incompatible:
No
Groomed:
Yes
Sprint Candidate:
Yes
Tags:
QA Contact:
Complexity:
Smash Test:
Verified:
No
Verification Required:
No
Sprint:
Sprint 54

Description

This RFE is a result of Katello/Pulp3 gap analysis. P1 item. For more info on how to turn on support for REMOTE_USER, see:

https://docs.djangoproject.com/en/2.1/howto/auth-remote-user/


Checklist

Associated revisions

Revision 4cd84799 View on GitHub
Added by bmbouter 4 months ago

Add REMOTE_USER support

This adds REMOTE_USER support which is enabled by default. For
reverse proxy deployments, a new setting is introduced controlling
which WSGI environment var contains the trusted authenticated
username.

A new authentication section is added which contains docs on the
default authentication, how to customize or disable them, and how to
install custom authentication.

https://pulp.plan.io/issues/3808
closes #3808

History

#1 Updated by ttereshc over 1 year ago

  • Tags Pulp 3 added

#2 Updated by jsherril@redhat.com about 1 year ago

  • Tags Katello-P1 added
  • Tags deleted (Pulp 3)

#3 Updated by jsherril@redhat.com about 1 year ago

  • Tags Pulp 3 added

#4 Updated by bmbouter about 1 year ago

The Basic auth is currently submitted via a header. Do we need more than that?

#5 Updated by jsherril@redhat.com about 1 year ago

The goal was to support auth via a client certificate rather than basic auth. We could accomplish this by using a web server like apache to do the client cert verification and tell it to put the CN into a header, which the application will look for. This is a common paradigm and we use it today with pulp 2.

#6 Updated by bmbouter about 1 year ago

@jsherrill what you're describing sounds like exactly what we're making for ContentGuards. That's the new name for the "content protection" feature of Pulp2. The epic for that work is #3968 and the specific Oid content guard port from Pulp2 is #4009.

That feature is only for the content portion of the WSGI app; the rest of the API calls (non-content calls) use Basic auth currently. For those non-content calls, Is having a cert more useful for you than basic auth somehow?

#7 Updated by jsherril@redhat.com about 1 year ago

  • Subject changed from As a user, I am able to use header-based auth to authenticate with Pulp to As a user, I am able to use header-based auth to authenticate with the Pulp api

This was actually specifically for the api, not for content (updated the title to reflect that). There are a couple of reasons why we would like this feature:

1. it greatly simplifies installation. There is no shared secret between the the katello and pulp servers, we can simply generate a certificate against the ca that the webserver in front of pulp is using

2. We talk to multiple pulp servers in katello via our smart-proxy/capsule concept. Storing different basic auth credentials per server would make management much more difficult.

All of these things are solvable, but it seems much easier for pulp to recognize something like a REMOTE_USER header on a request as described here: https://docs.djangoproject.com/en/2.1/howto/auth-remote-user/

#8 Updated by daviddavis 8 months ago

  • Checklist item Set up apache and test out that REMOTE_USER works added
  • Checklist item Add some docs saying that Pulp supports REMOTE_USER and the header should be set to username added
  • Subject changed from As a user, I am able to use header-based auth to authenticate with the Pulp api to As a user, I am able to use the REMOTE_USER header to authenticate with the Pulp api
  • Description updated (diff)
  • Groomed changed from No to Yes
  • Sprint Candidate changed from No to Yes
  • Tags Pulp 3 RC Blocker added

#9 Updated by ttereshc 8 months ago

  • Sprint set to Sprint 49

#10 Updated by jortel@redhat.com 8 months ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to jortel@redhat.com

#11 Updated by jortel@redhat.com 8 months ago

Tested and validated that this works as anticipated.


The default behavior of the RemoteUserBackend is to create a new user in django when the remote-user is unknown. As prescribed by [1] we'd need to override this behavior in a custom class.

[1] https://docs.djangoproject.com/en/2.1/ref/contrib/auth/#django.contrib.auth.backends.RemoteUserBackend

diff --git a/pulpcore/app/auth/__init__.py b/pulpcore/app/auth/__init__.py
index e69de29bb..a577e27ce 100644
--- a/pulpcore/app/auth/__init__.py
+++ b/pulpcore/app/auth/__init__.py
@@ -0,0 +1 @@
+from .backends import RemoteUserBackend  # noqa

diff --git a/pulpcore/app/auth/backends.py b/pulpcore/app/auth/backends.py
index e69de29bb..ab4a1d74f 100644
--- a/pulpcore/app/auth/backends.py
+++ b/pulpcore/app/auth/backends.py
@@ -0,0 +1,5 @@
+from django.contrib.auth import backends
+
+
+class RemoteUserBackend(backends.RemoteUserBackend):
+    create_unknown_user = False


Apache configuration used for testing.

WSGIScriptAlias /pulp/api/v3 /srv/pulp/wsgi.py/pulp/api/v3

<Directory /srv/pulp>
  Require all granted
</Directory>

<Files wsgi.py>
  SSLRenegBufferSize  1048576
  SSLVerifyDepth 9
  SSLOptions +StdEnvVars +ExportCertData
  SSLVerifyClient optional_no_ca
  RewriteEngine on
  RewriteRule .* - [E=REMOTE_USER:%{SSL:SSL_CLIENT_S_DN_CN}]
</Files>

The django settings needs to be altered when using REMOTE-USER as follows:

/etc/pulp/settings.py needed to re-configure django auth.

from pulpcore.app import settings

REST_FRAMEWORK = settings.REST_FRAMEWORK
REST_FRAMEWORK['DEFAULT_AUTHENTICATION_CLASSES'] = (
    'rest_framework.authentication.BasicAuthentication',
    'rest_framework.authentication.RemoteUserAuthentication',
)

AUTHENTICATION_BACKENDS = [
    'pulpcore.app.auth.RemoteUserBackend',
]

This replaces the SessionAuthentication with RemoteUserAuthentication. Apache should be responsible for any session management including CSRF, right? If not, I don't know how to resolve "CRSF token missing or incorrect" errors.

Should I proceed with a PR to add the docs and custom RemoteUserBackend?

Where should the documentation go? And, what should be documented that is not redundant to django docs?

#12 Updated by dkliban@redhat.com 7 months ago

  • Assignee changed from jortel@redhat.com to daviddavis

#13 Updated by jsherril@redhat.com 7 months ago

My 2 cents:

Any supported options in settings.py should be documented in the pulp docs. Being a django developer/admin should not be a prerequisite to deploying pulp3 IMO.

#14 Updated by rchan 7 months ago

  • Sprint changed from Sprint 49 to Sprint 50

#15 Updated by daviddavis 7 months ago

  • Status changed from ASSIGNED to NEW

Unassigning myself as I don't have time to work on this.

#16 Updated by daviddavis 7 months ago

  • Assignee deleted (daviddavis)

#17 Updated by daviddavis 7 months ago

  • Sprint/Milestone set to 3.0
  • Tags deleted (Katello-P1, Pulp 3, Pulp 3 RC Blocker)

Removing as an RC blocker. This is still a priority and hoping we can address this before the RC release.

#18 Updated by kersom 7 months ago

  • Tags Pulp 3 added

#19 Updated by rchan 7 months ago

  • Sprint changed from Sprint 50 to Sprint 51

#20 Updated by rchan 6 months ago

  • Sprint changed from Sprint 51 to Sprint 52

#21 Updated by bmbouter 6 months ago

  • Tags deleted (Pulp 3)

#22 Updated by rchan 5 months ago

  • Sprint changed from Sprint 52 to Sprint 53

#23 Updated by amacdona@redhat.com 4 months ago

  • Sprint changed from Sprint 53 to Sprint 54

#24 Updated by bmbouter 4 months ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to bmbouter

#25 Updated by bmbouter 4 months ago

  • Checklist item Set up apache and test out that REMOTE_USER works set to Done
  • Checklist item Add some docs saying that Pulp supports REMOTE_USER and the header should be set to username set to Done
  • Subject changed from As a user, I am able to use the REMOTE_USER header to authenticate with the Pulp api to As a user, I am able to use the REMOTE_USER compatible authentication with the Pulp api

#26 Updated by bmbouter 4 months ago

  • Status changed from ASSIGNED to POST

#27 Updated by bmbouter 4 months ago

  • Status changed from POST to MODIFIED
  • % Done changed from 0 to 100

Please register to edit this issue

Also available in: Atom PDF