[Epic] Move certguard authentication from pulp-content to apache and nginx access scripts
Certificates cannot be passed as a header from the webserver that is reverse proxying to the content app because the newlines are invalid header characters. See how the current docs require the user to strip newlines here.
Also, we can't have the content app run "inside" the webserver because aiohttp doesn't run inside Apache. aiohttp is not wsgi so it won't run in Apache.
We need to move the authorization check of Content Guards to the webserver and out of the content app. In that environment it would have a PostgreSQL connection and Django models to query Distributions and ContentGuards with.
One concern with this plan is that it will require the pulpcore stack to be installed on the reverse proxy in front of pulp-content and that may not be possible in some deployments where the reverse proxy is a service you don't control. For example a load balancer on Amazon or a k8s service.
One option is to have the pulp-content app default to not checking authorization and use a setting to enable its checking. This issue though is that even if we make pulp-content optionall call CertGuard.permit() we can't be sure the reverse proxy can forward the necessary auth data correctly to pulp-content. For example to correctly receive an RHSMCertGuard you would need to base64 encode the client certificate, you can't send it as it was submitted via the TLS connection from the client to the reverse proxy.
- Status changed from NEW to CLOSED - WONTFIX
We are keeping authorization in the Pulp services and not in the webserver themselves. The summary of reasons is here: https://www.redhat.com/archives/pulp-dev/2020-March/msg00035.html As such this story should be closed.
Please register to edit this issue