Story #4664

As a user, I can use a RHSMCertGuard

Added by bmbouter over 2 years ago. Updated about 1 year ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
High
Assignee:
Sprint/Milestone:
Start date:
Due date:
% Done:

100%

Estimated time:
Platform Release:
Groomed:
Yes
Sprint Candidate:
No
Tags:
Katello
Sprint:
Sprint 69
Quarter:

Description

NOTE

Pulp is blocked on merging any work creating this certguard until python-rhsm is installable on Travis' Debian environment.

Problem

Katello uses Pulp with RHSM based certificates. Pulp3 needs to protect content and validate a client's access when they present this type of a certificate.

What is a RHSM Certificate?

It's an X.509 certificate that uses encoding and compression techniques to compress the data into a format RHSM understands. There are two formats:

  • V1 which uses repo paths in plaintext inside the extended X.509 attributes. The
  • V3 which encodes and compresses the pathing data into the X.509 cert. This version was developed as a workaround to not being able to specify enough urls in the V1 cert before hitting the maximums of X.509 data extension limits. The V3 format was called an OID Certificate in Pulp2.

Solution

A new certguard will be added to the pulp-certguard project called RHSMCertGuard.

What versions will it support: V1, V3, or both?

Both V1 and V3 will be supported. The user can use either and does not have to indicate which they are using. python-RHSM will "do the right thing".

What crypto libraries will handle this RHSMCertGuard?

The python-rhsm library that would be an optional dependency of pulp-certguard is in charge of the crypto entirely. Pulp will present the cert data and ask python-RHSM if it's valid for a given path being requested. This is similar to how it worked in Pulp2: https://github.com/pulp/pulp/blob/e5a22e13ae46fe86dccedc5bf214537c2b90ad0d/oid_validation/pulp/oid_validation/oid_validation.py#L20
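The path check that the guard delegates to python-RHSM is, in the end, "is the requested content path covered by one of the paths named in the certificate?" The following is an added example (not code from Pulp, pulp-certguard or python-rhsm) of the defensive way to answer that question once the paths have been extracted. The `CERT_PATHS` list is a constructed stand-in for the entitlement paths a V1 or V3 certificate would carry; extracting them and verifying the client certificate against the stored CA certificate are separate steps not shown here. Treating `$releasever`-style segments as single-segment wildcards is an assumption of this example. The two points worth noticing are that the requested path is normalized before comparison (so `..` segments cannot escape an authorized prefix) and that comparison is segment-wise (so `/content/beta/rhel/server/8` does not authorize `/content/beta/rhel/server/80`).

```python
import posixpath
from typing import Iterable, List

# Constructed sample: repo paths an RHSM entitlement certificate might
# authorize. In a real guard these come out of the certificate's X.509
# extensions (plaintext in V1, compressed in V3); here they are hard-coded
# stand-ins, not real certificate data.
CERT_PATHS = [
    "/content/dist/rhel/server/7/$releasever/$basearch/os",
    "/content/beta/rhel/server/8/",
]


def normalize(path: str) -> str:
    """Return an absolute, canonical form of a requested content path.

    Collapses '.', '..' and repeated slashes so that a request such as
    '/content/dist/../beta/x' is compared as '/content/beta/x'. Leading
    slashes are stripped first because posixpath.normpath preserves a
    leading '//', which would otherwise survive into the comparison.
    """
    return posixpath.normpath("/" + path.lstrip("/"))


def _segments(path: str) -> List[str]:
    # Split a normalized path into its non-empty segments.
    return [s for s in normalize(path).split("/") if s]


def path_authorized(requested: str, allowed: Iterable[str]) -> bool:
    """True if `requested` equals or lies below one of the `allowed` paths.

    The comparison is segment-wise, so an allowed '/content/foo' never
    authorizes '/content/foobar'. An allowed segment starting with '$'
    (e.g. $releasever, $basearch) matches exactly one request segment of
    any value; that wildcard handling is an assumption of this example.
    """
    req = _segments(requested)
    for entry in allowed:
        pattern = _segments(entry)
        if len(pattern) > len(req):
            continue  # request is above the allowed path, not below it
        if all(p == r or p.startswith("$") for p, r in zip(pattern, req)):
            return True
    return False


if __name__ == "__main__":
    for candidate in (
        "/content/dist/rhel/server/7/7Server/x86_64/os/Packages/a.rpm",
        "/content/beta/rhel/server/80/os",
        "/content/beta/rhel/server/8/../../../../../private/secret",
    ):
        print(candidate, "->", path_authorized(candidate, CERT_PATHS))
```

In a deployed guard the `allowed` list would be whatever the RHSM library extracted from the presented certificate, and the result of `path_authorized` would only matter after the certificate itself had been validated against the stored CA certificate; rejecting on either failure keeps the two checks independent.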

Where will python-rhsm come from?

It has C components so bcourt from the Candlepin team indicated they are only able to have this dependency delivered via system packagers. So PyPI installs of python-rhsm as a dependency won't work.

It is available for Fedora, CentOS, and RHEL already via their package managers. It is not available via Debian's package manager.

How will this be tested?

We'll add additional functional tests for this certguard type next to the existing functional tests. Test planning will happen over on issue 4363.

How will this work with CI?

We'll CI it the same as we CI the existing pulp-certguard plugin using functional tests and via Travis running them with each merge, nightly, and at release time.

Pulp is blocked on merging any work creating this certguard until python-rhsm is installable on Travis' Debian environment.


Related issues

Related to Pulp - Issue #6422: Plugins cannot modify the CI pulp-content containers easily because there are 2 of them (CLOSED - CURRENTRELEASE)
Has duplicate CertGuard - Test #4363: Test the RHSMCertGuard (CLOSED - DUPLICATE)

Associated revisions

Revision 61289fad View on GitHub
Added by Mike DePaulo over 1 year ago

Problem: Plugins cannot modify the pulp-content containers easily because there are 2 of them.

Solution: Use only 1 pulp-content pod.

We can make their # configurable if there is a need in the future.

Fixes: #6422 Plugins cannot modify the CI pulp-content containers easily because there are 2 of them https://pulp.plan.io/issues/6422

re: #4664 As a user, I can use a RHSMCertGuard https://pulp.plan.io/issues/4664

Revision 3555d8b5 View on GitHub
Added by Mike DePaulo over 1 year ago

Problem: travis config is out-of-date

Solution: Regenerate with latest template

[noissue]

re: #6422 Plugins cannot modify the CI pulp-content containers easily because there are 2 of them https://pulp.plan.io/issues/6422

re: #4664 As a user, I can use a RHSMCertGuard https://pulp.plan.io/issues/4664

Revision 4d3e0048 View on GitHub
Added by bmbouter over 1 year ago

Adds RHSMCertGuard model, viewset, and serializer

The RHSMCertGuard provides both client certificate checking against the stored ca_certificate and path-based authorization based on the RHSM paths named in the certificate.

This also adds documentation on how the RHSM Authorization works and that there are two types of CertGuards now.

https://pulp.plan.io/issues/4664 closes #4664

History

#1 Updated by bmbouter over 2 years ago

  • Description updated (diff)
  • Tags Katello-P1 added

Updating the description and since it's a usage blocker it gets the P1 label.

#2 Updated by bmbouter over 2 years ago

  • Related to Test #4363: Test the RHSMCertGuard added

#3 Updated by bmbouter over 2 years ago

  • Description updated (diff)

link to the testing story

#4 Updated by bmbouter over 2 years ago

  • Sprint/Milestone set to 1.0.0 Release

#5 Updated by bmbouter about 2 years ago

  • Tags deleted (Pulp 3)

#6 Updated by bmbouter about 2 years ago

  • Groomed changed from No to Yes
  • Sprint Candidate changed from No to Yes

We should add this to the sprint.

#7 Updated by bmbouter about 2 years ago

  • Sprint set to Sprint 54

These weren't added to Sprint 54, but they were OK'd at sprint planning.

#8 Updated by ttereshc about 2 years ago

  • Sprint changed from Sprint 54 to Sprint 55

#9 Updated by dkliban@redhat.com about 2 years ago

  • Sprint changed from Sprint 55 to Sprint 56

#10 Updated by rchan almost 2 years ago

  • Sprint changed from Sprint 56 to Sprint 57

#11 Updated by rchan almost 2 years ago

  • Sprint changed from Sprint 57 to Sprint 58

#12 Updated by rchan almost 2 years ago

  • Sprint deleted (Sprint 58)

Not moving forward to next Sprint to make room for highest priority Katello blockers.

#13 Updated by rchan over 1 year ago

  • Sprint Candidate deleted (Yes)

#14 Updated by bmbouter over 1 year ago

  • Status changed from NEW to ASSIGNED
  • Sprint Candidate set to No
  • Sprint set to Sprint 67

It's a Katello P1 so I'm moving onto the sprint.

#15 Updated by rchan over 1 year ago

  • Sprint changed from Sprint 67 to Sprint 68

#16 Updated by bmbouter over 1 year ago

  • Related to deleted (Test #4363: Test the RHSMCertGuard)

#17 Updated by bmbouter over 1 year ago

  • Has duplicate Test #4363: Test the RHSMCertGuard added

#18 Updated by rchan over 1 year ago

  • Sprint changed from Sprint 68 to Sprint 69

#19 Updated by bmbouter over 1 year ago

  • Assignee set to bmbouter

#20 Updated by bmbouter over 1 year ago

  • Status changed from ASSIGNED to POST

#21 Updated by mdepaulo@redhat.com over 1 year ago

  • Related to Issue #6422: Plugins cannot modify the CI pulp-content containers easily because there are 2 of them added

#22 Updated by bmbouter over 1 year ago

  • Status changed from POST to MODIFIED
  • % Done changed from 0 to 100

#23 Updated by ggainey about 1 year ago

  • Priority changed from Normal to High

#24 Updated by ggainey about 1 year ago

  • Tags Katello added
  • Tags deleted (Katello-P1)

#25 Updated by bmbouter about 1 year ago

  • Status changed from MODIFIED to CLOSED - CURRENTRELEASE
