Project

Profile

Help

Task #6323

[Epic] Move certguard authentication from pulp-content to apache and nginx access scripts

Added by bmbouter 9 months ago. Updated 9 months ago.

Status:
CLOSED - WONTFIX
Priority:
Normal
Assignee:
-
Start date:
Due date:
% Done:

100%

Estimated time:
(Total: 0:00 h)
Platform Release:
Groomed:
Yes
Sprint Candidate:
Yes
Tags:
Sprint:
Sprint 68
Quarter:

Description

Problem

Certificates cannot be passed as a header from the webserver that is reverse proxying to the content app because the newlines are invalid header characters. See how the current docs require the user to strip newlines here.

Also, we can't have the content app run "inside" the webserver because aiohttp doesn't run inside Apache. aiohttp is not wsgi so it won't run in Apache.

Solution

We need to move the authorization check of Content Guards to the webserver and out of the content app. In that environment it would have a PostgreSQL connection and Django models to query Distributions and ContentGuards with.


Subtasks

Pulp - Story #6324: As a user, CertGuard checking does *not* happen in pulp-contentCLOSED - WONTFIX

Actions
Pulp - Story #6325: As a user, I have an Nginx config that performs ContentGuard authorization checkingCLOSED - WONTFIX

Actions
Pulp - Story #6326: As a user, I have an Apache config that performs ContentGuard authorization checkingCLOSED - WONTFIX

Actions

History

#1 Updated by bmbouter 9 months ago

One concern with this plan is that it will require the pulpcore stack to be installed on the reverse proxy in front of pulp-content and that may not be possible in some deployments where the reverse proxy is a service you don't control. For example a load balancer on Amazon or a k8s service.

One option is to have the pulp-content app default to not checking authorization and use a setting to enable its checking. This issue though is that even if we make pulp-content optionall call CertGuard.permit() we can't be sure the reverse proxy can forward the necessary auth data correctly to pulp-content. For example to correctly receive an RHSMCertGuard you would need to base64 encode the client certificate, you can't send it as it was submitted via the TLS connection from the client to the reverse proxy.

#2 Updated by dkliban@redhat.com 9 months ago

  • Groomed changed from No to Yes
  • Sprint Candidate changed from No to Yes
  • Sprint set to Sprint 68

#3 Updated by bmbouter 9 months ago

  • Status changed from NEW to CLOSED - WONTFIX

We are keeping authorization in the Pulp services and not in the webserver themselves. The summary of reasons is here: https://www.redhat.com/archives/pulp-dev/2020-March/msg00035.html As such this story should be closed.

Please register to edit this issue

Also available in: Atom PDF