Story #3808
closedAs a user, I am able to use the REMOTE_USER compatible authentication with the Pulp api
100%
Description
This RFE is a result of Katello/Pulp3 gap analysis. P1 item. For more info on how to turn on support for REMOTE_USER, see:
https://docs.djangoproject.com/en/2.1/howto/auth-remote-user/
Updated by jsherril@redhat.com over 6 years ago
- Tags Katello-P1 added
- Tags deleted (
Pulp 3)
Updated by bmbouter over 6 years ago
The Basic auth is currently submitted via a header. Do we need more than that?
Updated by jsherril@redhat.com over 6 years ago
The goal was to support auth via a client certificate rather than basic auth. We could accomplish this by using a web server like apache to do the client cert verification and tell it to put the CN into a header, which the application will look for. This is a common paradigm and we use it today with pulp 2.
Updated by bmbouter about 6 years ago
@jsherrill what you're describing sounds like exactly what we're making for ContentGuards. That's the new name for the "content protection" feature of Pulp2. The epic for that work is #3968 and the specific Oid content guard port from Pulp2 is #4009.
That feature is only for the content portion of the WSGI app; the rest of the API calls (non-content calls) use Basic auth currently. For those non-content calls, Is having a cert more useful for you than basic auth somehow?
Updated by jsherril@redhat.com about 6 years ago
- Subject changed from As a user, I am able to use header-based auth to authenticate with Pulp to As a user, I am able to use header-based auth to authenticate with the Pulp api
This was actually specifically for the api, not for content (updated the title to reflect that). There are a couple of reasons why we would like this feature:
1. it greatly simplifies installation. There is no shared secret between the the katello and pulp servers, we can simply generate a certificate against the ca that the webserver in front of pulp is using
2. We talk to multiple pulp servers in katello via our smart-proxy/capsule concept. Storing different basic auth credentials per server would make management much more difficult.
All of these things are solvable, but it seems much easier for pulp to recognize something like a REMOTE_USER header on a request as described here: https://docs.djangoproject.com/en/2.1/howto/auth-remote-user/
Updated by daviddavis almost 6 years ago
- Subject changed from As a user, I am able to use header-based auth to authenticate with the Pulp api to As a user, I am able to use the REMOTE_USER header to authenticate with the Pulp api
- Description updated (diff)
- Groomed changed from No to Yes
- Sprint Candidate changed from No to Yes
- Tags Pulp 3 RC Blocker added
Updated by jortel@redhat.com almost 6 years ago
- Status changed from NEW to ASSIGNED
- Assignee set to jortel@redhat.com
Updated by jortel@redhat.com almost 6 years ago
Tested and validated that this works as anticipated.
The default behavior of the RemoteUserBackend is to create a new user in django when the remote-user is unknown. As prescribed by [1] we'd need to override this behavior in a custom class.
diff --git a/pulpcore/app/auth/__init__.py b/pulpcore/app/auth/__init__.py
index e69de29bb..a577e27ce 100644
--- a/pulpcore/app/auth/__init__.py
+++ b/pulpcore/app/auth/__init__.py
@@ -0,0 +1 @@
+from .backends import RemoteUserBackend # noqa
diff --git a/pulpcore/app/auth/backends.py b/pulpcore/app/auth/backends.py
index e69de29bb..ab4a1d74f 100644
--- a/pulpcore/app/auth/backends.py
+++ b/pulpcore/app/auth/backends.py
@@ -0,0 +1,5 @@
+from django.contrib.auth import backends
+
+
+class RemoteUserBackend(backends.RemoteUserBackend):
+ create_unknown_user = False
Apache configuration used for testing.
WSGIScriptAlias /pulp/api/v3 /srv/pulp/wsgi.py/pulp/api/v3
<Directory /srv/pulp>
Require all granted
</Directory>
<Files wsgi.py>
SSLRenegBufferSize 1048576
SSLVerifyDepth 9
SSLOptions +StdEnvVars +ExportCertData
SSLVerifyClient optional_no_ca
RewriteEngine on
RewriteRule .* - [E=REMOTE_USER:%{SSL:SSL_CLIENT_S_DN_CN}]
</Files>
The django settings needs to be altered when using REMOTE-USER as follows:
/etc/pulp/settings.py needed to re-configure django auth.
from pulpcore.app import settings
REST_FRAMEWORK = settings.REST_FRAMEWORK
REST_FRAMEWORK['DEFAULT_AUTHENTICATION_CLASSES'] = (
'rest_framework.authentication.BasicAuthentication',
'rest_framework.authentication.RemoteUserAuthentication',
)
AUTHENTICATION_BACKENDS = [
'pulpcore.app.auth.RemoteUserBackend',
]
This replaces the SessionAuthentication with RemoteUserAuthentication. Apache should be responsible for any session management including CSRF, right? If not, I don't know how to resolve "CRSF token missing or incorrect" errors.
Should I proceed with a PR to add the docs and custom RemoteUserBackend?
Where should the documentation go? And, what should be documented that is not redundant to django docs?
Updated by dkliban@redhat.com almost 6 years ago
- Assignee changed from jortel@redhat.com to daviddavis
Updated by jsherril@redhat.com almost 6 years ago
My 2 cents:
Any supported options in settings.py should be documented in the pulp docs. Being a django developer/admin should not be a prerequisite to deploying pulp3 IMO.
Updated by daviddavis almost 6 years ago
- Status changed from ASSIGNED to NEW
Unassigning myself as I don't have time to work on this.
Updated by daviddavis almost 6 years ago
- Sprint/Milestone set to 3.0.0
- Tags deleted (
Katello-P1, Pulp 3, Pulp 3 RC Blocker)
Removing as an RC blocker. This is still a priority and hoping we can address this before the RC release.
Updated by amacdona@redhat.com over 5 years ago
- Sprint changed from Sprint 53 to Sprint 54
Updated by bmbouter over 5 years ago
- Status changed from NEW to ASSIGNED
- Assignee set to bmbouter
Updated by bmbouter over 5 years ago
- Subject changed from As a user, I am able to use the REMOTE_USER header to authenticate with the Pulp api to As a user, I am able to use the REMOTE_USER compatible authentication with the Pulp api
Updated by bmbouter over 5 years ago
- Status changed from ASSIGNED to POST
PR available at: https://github.com/pulp/pulpcore/pull/174
Added by bmbouter over 5 years ago
Updated by bmbouter over 5 years ago
- Status changed from POST to MODIFIED
- % Done changed from 0 to 100
Applied in changeset pulpcore|4cd8479958b34ef1e6df7591e08e2ca329eada04.
Updated by bmbouter about 5 years ago
- Status changed from MODIFIED to CLOSED - CURRENTRELEASE
Add REMOTE_USER support
This adds REMOTE_USER support which is enabled by default. For reverse proxy deployments, a new setting is introduced controlling which WSGI environment var contains the trusted authenticated username.
A new authentication section is added which contains docs on the default authentication, how to customize or disable them, and how to install custom authentication.
https://pulp.plan.io/issues/3808 closes #3808