Project

Profile

Help

Story #4666

closed

As a user I have path checking features for to the X.509 certguard

Added by bmbouter almost 5 years ago. Updated about 2 years ago.

Status:
CLOSED - DUPLICATE
Priority:
Normal
Assignee:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Platform Release:
Groomed:
Yes
Sprint Candidate:
Tags:
Sprint:
Quarter:

Description

Ticket moved to GitHub: "pulp/pulp-certguard/138":https://github.com/pulp/pulp-certguard/issues/138


Motivation

It would be very useful for paths to be put into the x.509 extended attributes to see if this client is authorized to access this specific distribution's content. This way whoever is generating the certs (and their expiration dates) determines the access.

Solution

The existing X.509 certguard could automatically be updated to check this correctly. We also need docs with how the openssl tooling can easily make these kind of certs.

How will we ensure path checking is required?

A boolean will be added to the X.509 certguard called path_check_required which will default to False. If True, the certificate check must contain a matching path for the content requested.

Actions #1

Updated by bmbouter almost 5 years ago

  • Description updated (diff)

revising with details about how users can configure that path checking is required

Actions #2

Updated by bmbouter almost 5 years ago

  • Description updated (diff)
Actions #3

Updated by bmbouter almost 5 years ago

  • Tags deleted (Pulp 3)
Actions #4

Updated by bmbouter almost 5 years ago

  • Groomed changed from No to Yes
  • Sprint Candidate changed from No to Yes

We should add this to the sprint.

Actions #5

Updated by bmbouter almost 5 years ago

  • Sprint set to Sprint 54

These weren't added to Sprint 54, but they were OK'd at sprint planning.

Actions #6

Updated by ttereshc over 4 years ago

  • Sprint changed from Sprint 54 to Sprint 55
Actions #7

Updated by dkliban@redhat.com over 4 years ago

  • Sprint changed from Sprint 55 to Sprint 56
Actions #8

Updated by rchan over 4 years ago

  • Sprint changed from Sprint 56 to Sprint 57
Actions #9

Updated by rchan over 4 years ago

  • Sprint changed from Sprint 57 to Sprint 58
Actions #10

Updated by rchan over 4 years ago

  • Sprint deleted (Sprint 58)
Actions #11

Updated by rchan over 4 years ago

Not moving forward to next Sprint to make room for highest priority Katello blockers.

Actions #12

Updated by rchan about 4 years ago

  • Sprint Candidate deleted (Yes)
Actions #13

Updated by bmbouter over 3 years ago

  • Sprint/Milestone deleted (1.0.0 Release)
Actions #14

Updated by dustball over 3 years ago

I'm interested in this feature as well, we're serving a large amount of customers with all different kinds of systems.

We want to offer our customers staging for licensed products via a central pulpserver as well and individually allow or deny access to those repositories.

Actions #15

Updated by pulpbot about 2 years ago

  • Description updated (diff)
  • Status changed from NEW to CLOSED - DUPLICATE

Also available in: Atom PDF