Project

Profile

Help

Story #3808

closed

As a user, I am able to use the REMOTE_USER compatible authentication with the Pulp api

Added by ttereshc over 6 years ago. Updated about 5 years ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
Normal
Assignee:
Category:
-
Sprint/Milestone:
Start date:
Due date:
% Done:

100%

Estimated time:
Platform Release:
Groomed:
Yes
Sprint Candidate:
Yes
Tags:
Sprint:
Sprint 54
Quarter:

Description

This RFE is a result of Katello/Pulp3 gap analysis. P1 item. For more info on how to turn on support for REMOTE_USER, see:

https://docs.djangoproject.com/en/2.1/howto/auth-remote-user/

Actions #1

Updated by ttereshc over 6 years ago

  • Tags Pulp 3 added
Actions #2

Updated by jsherril@redhat.com over 6 years ago

  • Tags Katello-P1 added
  • Tags deleted (Pulp 3)
Actions #3

Updated by jsherril@redhat.com over 6 years ago

  • Tags Pulp 3 added
Actions #4

Updated by bmbouter over 6 years ago

The Basic auth is currently submitted via a header. Do we need more than that?

Actions #5

Updated by jsherril@redhat.com over 6 years ago

The goal was to support auth via a client certificate rather than basic auth. We could accomplish this by using a web server like apache to do the client cert verification and tell it to put the CN into a header, which the application will look for. This is a common paradigm and we use it today with pulp 2.

Actions #6

Updated by bmbouter about 6 years ago

@jsherrill what you're describing sounds like exactly what we're making for ContentGuards. That's the new name for the "content protection" feature of Pulp2. The epic for that work is #3968 and the specific Oid content guard port from Pulp2 is #4009.

That feature is only for the content portion of the WSGI app; the rest of the API calls (non-content calls) use Basic auth currently. For those non-content calls, Is having a cert more useful for you than basic auth somehow?

Actions #7

Updated by jsherril@redhat.com about 6 years ago

  • Subject changed from As a user, I am able to use header-based auth to authenticate with Pulp to As a user, I am able to use header-based auth to authenticate with the Pulp api

This was actually specifically for the api, not for content (updated the title to reflect that). There are a couple of reasons why we would like this feature:

1. it greatly simplifies installation. There is no shared secret between the the katello and pulp servers, we can simply generate a certificate against the ca that the webserver in front of pulp is using

2. We talk to multiple pulp servers in katello via our smart-proxy/capsule concept. Storing different basic auth credentials per server would make management much more difficult.

All of these things are solvable, but it seems much easier for pulp to recognize something like a REMOTE_USER header on a request as described here: https://docs.djangoproject.com/en/2.1/howto/auth-remote-user/

Actions #8

Updated by daviddavis almost 6 years ago

  • Subject changed from As a user, I am able to use header-based auth to authenticate with the Pulp api to As a user, I am able to use the REMOTE_USER header to authenticate with the Pulp api
  • Description updated (diff)
  • Groomed changed from No to Yes
  • Sprint Candidate changed from No to Yes
  • Tags Pulp 3 RC Blocker added
Actions #9

Updated by ttereshc almost 6 years ago

  • Sprint set to Sprint 49
Actions #10

Updated by jortel@redhat.com almost 6 years ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to jortel@redhat.com
Actions #11

Updated by jortel@redhat.com almost 6 years ago

Tested and validated that this works as anticipated.


The default behavior of the RemoteUserBackend is to create a new user in django when the remote-user is unknown. As prescribed by [1] we'd need to override this behavior in a custom class.

[1] https://docs.djangoproject.com/en/2.1/ref/contrib/auth/#django.contrib.auth.backends.RemoteUserBackend

diff --git a/pulpcore/app/auth/__init__.py b/pulpcore/app/auth/__init__.py
index e69de29bb..a577e27ce 100644
--- a/pulpcore/app/auth/__init__.py
+++ b/pulpcore/app/auth/__init__.py
@@ -0,0 +1 @@
+from .backends import RemoteUserBackend  # noqa

diff --git a/pulpcore/app/auth/backends.py b/pulpcore/app/auth/backends.py
index e69de29bb..ab4a1d74f 100644
--- a/pulpcore/app/auth/backends.py
+++ b/pulpcore/app/auth/backends.py
@@ -0,0 +1,5 @@
+from django.contrib.auth import backends
+
+
+class RemoteUserBackend(backends.RemoteUserBackend):
+    create_unknown_user = False

Apache configuration used for testing.


WSGIScriptAlias /pulp/api/v3 /srv/pulp/wsgi.py/pulp/api/v3

<Directory /srv/pulp>
  Require all granted
</Directory>

<Files wsgi.py>
  SSLRenegBufferSize  1048576
  SSLVerifyDepth 9
  SSLOptions +StdEnvVars +ExportCertData
  SSLVerifyClient optional_no_ca
  RewriteEngine on
  RewriteRule .* - [E=REMOTE_USER:%{SSL:SSL_CLIENT_S_DN_CN}]
</Files>

The django settings needs to be altered when using REMOTE-USER as follows:

/etc/pulp/settings.py needed to re-configure django auth.

from pulpcore.app import settings

REST_FRAMEWORK = settings.REST_FRAMEWORK
REST_FRAMEWORK['DEFAULT_AUTHENTICATION_CLASSES'] = (
    'rest_framework.authentication.BasicAuthentication',
    'rest_framework.authentication.RemoteUserAuthentication',
)

AUTHENTICATION_BACKENDS = [
    'pulpcore.app.auth.RemoteUserBackend',
]

This replaces the SessionAuthentication with RemoteUserAuthentication. Apache should be responsible for any session management including CSRF, right? If not, I don't know how to resolve "CRSF token missing or incorrect" errors.

Should I proceed with a PR to add the docs and custom RemoteUserBackend?

Where should the documentation go? And, what should be documented that is not redundant to django docs?

Actions #12

Updated by dkliban@redhat.com almost 6 years ago

  • Assignee changed from jortel@redhat.com to daviddavis
Actions #13

Updated by jsherril@redhat.com almost 6 years ago

My 2 cents:

Any supported options in settings.py should be documented in the pulp docs. Being a django developer/admin should not be a prerequisite to deploying pulp3 IMO.

Actions #14

Updated by rchan almost 6 years ago

  • Sprint changed from Sprint 49 to Sprint 50
Actions #15

Updated by daviddavis almost 6 years ago

  • Status changed from ASSIGNED to NEW

Unassigning myself as I don't have time to work on this.

Actions #16

Updated by daviddavis almost 6 years ago

  • Assignee deleted (daviddavis)
Actions #17

Updated by daviddavis almost 6 years ago

  • Sprint/Milestone set to 3.0.0
  • Tags deleted (Katello-P1, Pulp 3, Pulp 3 RC Blocker)

Removing as an RC blocker. This is still a priority and hoping we can address this before the RC release.

Actions #18

Updated by kersom almost 6 years ago

  • Tags Pulp 3 added
Actions #19

Updated by rchan over 5 years ago

  • Sprint changed from Sprint 50 to Sprint 51
Actions #20

Updated by rchan over 5 years ago

  • Sprint changed from Sprint 51 to Sprint 52
Actions #21

Updated by bmbouter over 5 years ago

  • Tags deleted (Pulp 3)
Actions #22

Updated by rchan over 5 years ago

  • Sprint changed from Sprint 52 to Sprint 53
Actions #23

Updated by amacdona@redhat.com over 5 years ago

  • Sprint changed from Sprint 53 to Sprint 54
Actions #24

Updated by bmbouter over 5 years ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to bmbouter
Actions #25

Updated by bmbouter over 5 years ago

  • Subject changed from As a user, I am able to use the REMOTE_USER header to authenticate with the Pulp api to As a user, I am able to use the REMOTE_USER compatible authentication with the Pulp api
Actions #26

Updated by bmbouter over 5 years ago

  • Status changed from ASSIGNED to POST

Added by bmbouter over 5 years ago

Revision 4cd84799 | View on GitHub

Add REMOTE_USER support

This adds REMOTE_USER support which is enabled by default. For reverse proxy deployments, a new setting is introduced controlling which WSGI environment var contains the trusted authenticated username.

A new authentication section is added which contains docs on the default authentication, how to customize or disable them, and how to install custom authentication.

https://pulp.plan.io/issues/3808 closes #3808

Actions #27

Updated by bmbouter over 5 years ago

  • Status changed from POST to MODIFIED
  • % Done changed from 0 to 100
Actions #28

Updated by bmbouter about 5 years ago

  • Status changed from MODIFIED to CLOSED - CURRENTRELEASE

Also available in: Atom PDF