Task #6323 (closed): [Epic] Move certguard authentication from pulp-content to apache and nginx access scripts

Added by bmbouter about 4 years ago. Updated about 4 years ago.

Status: CLOSED - WONTFIX
Priority: Normal
Assignee: -
Start date: -
Due date: -
% Done: 100%
Estimated time: (Total: 0:00 h)
Platform Release: -
Groomed: Yes
Sprint Candidate: Yes
Tags: -
Sprint: Sprint 68
Quarter: -

Description

Problem

Certificates cannot be passed as a header from the webserver that is reverse proxying to the content app because the newlines are invalid header characters. See how the current docs require the user to strip newlines here.

Also, we can't have the content app run "inside" the webserver because aiohttp doesn't run inside Apache. aiohttp is not WSGI, so it won't run in Apache.

Solution

We need to move the authorization check of Content Guards to the webserver and out of the content app. In that environment it would have a PostgreSQL connection and Django models to query Distributions and ContentGuards with.


Sub-issues (3 total: 0 open, 3 closed)

  • Pulp - Story #6324: As a user, CertGuard checking does *not* happen in pulp-content (CLOSED - WONTFIX)
  • Pulp - Story #6325: As a user, I have an Nginx config that performs ContentGuard authorization checking (CLOSED - WONTFIX)
  • Pulp - Story #6326: As a user, I have an Apache config that performs ContentGuard authorization checking (CLOSED - WONTFIX)
#1

Updated by bmbouter about 4 years ago

One concern with this plan is that it will require the pulpcore stack to be installed on the reverse proxy in front of pulp-content and that may not be possible in some deployments where the reverse proxy is a service you don't control. For example a load balancer on Amazon or a k8s service.

One option is to have the pulp-content app default to not checking authorization and use a setting to enable its checking. The issue, though, is that even if we make pulp-content optionally call CertGuard.permit(), we can't be sure the reverse proxy can forward the necessary auth data correctly to pulp-content. For example, to correctly receive an RHSMCertGuard you would need to base64 encode the client certificate; you can't send it as it was submitted via the TLS connection from the client to the reverse proxy.
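The two comments above hinge on one mechanical fact: a PEM certificate is multi-line, and CR/LF are not allowed in an HTTP header value, so a reverse proxy that wants to hand the client certificate to pulp-content has to re-encode it, and pulp-content has to validate what it gets back. The following is an added illustration, not code from Pulp or from this issue: the header name `X-Client-Cert`, the two function names and the sample certificate are all assumptions, and the sample PEM body is constructed (it has the right shape but is not a real X.509 certificate). The receiving side rejects anything that is not well-formed base64 wrapping a single PEM block, which is the kind of check a content app must do before treating a forwarded value as an authenticated identity.

```python
import base64
import binascii
import re

# Constructed sample: PEM-shaped text standing in for a client certificate.
# The body is made up and will not parse as X.509; only its shape matters.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBszCCAVmgAwIBAgIUQ0xJRU5UQ0VSVA==\n"
    "-----END CERTIFICATE-----\n"
)

# Hypothetical header name; Pulp's own documented header may differ.
HEADER_NAME = "X-Client-Cert"

# Exactly one PEM CERTIFICATE block, with an optional trailing newline.
_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\n(.+?)\n-----END CERTIFICATE-----\n?",
    re.S,
)


def is_valid_header_value(value: str) -> bool:
    """RFC 7230 field-value: printable ASCII, SP/HTAB or obs-text; never CR/LF."""
    return all(
        ch == "\t" or 0x20 <= ord(ch) <= 0x7E or 0x80 <= ord(ch) <= 0xFF
        for ch in value
    )


def encode_cert_header(pem: str) -> str:
    """Proxy side: turn a multi-line PEM certificate into a header-safe value.

    Refuses input that is not a single PEM block, so a proxy cannot forward
    arbitrary text under the certificate header by mistake.
    """
    if not _PEM_RE.fullmatch(pem):
        raise ValueError("input is not a single PEM CERTIFICATE block")
    value = base64.b64encode(pem.encode("ascii")).decode("ascii")
    # base64 output is printable ASCII with no line breaks, so it is header-safe.
    if not is_valid_header_value(value):
        raise AssertionError("base64 output unexpectedly contains invalid header characters")
    return value


def decode_cert_header(value: str) -> str:
    """Content-app side: recover the PEM, rejecting anything malformed.

    validate=True makes b64decode fail on characters outside the base64
    alphabet instead of silently discarding them.
    """
    if not is_valid_header_value(value):
        raise ValueError("header value contains characters not allowed in a header")
    try:
        pem = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("header value is not valid base64") from exc
    if not _PEM_RE.fullmatch(pem):
        raise ValueError("decoded value is not a single PEM CERTIFICATE block")
    return pem


if __name__ == "__main__":
    # Raw PEM cannot go into a header; the encoded form can, and round-trips.
    print("raw PEM header-safe:", is_valid_header_value(SAMPLE_PEM))
    header = encode_cert_header(SAMPLE_PEM)
    print(f"{HEADER_NAME}: {header}")
    print("round-trip ok:", decode_cert_header(header) == SAMPLE_PEM)
```

Even with a clean round-trip, the value is only as trustworthy as the hop that set it: the content app must be reachable only through the proxy that performed the TLS handshake (or the proxy must strip any client-supplied copy of the header before adding its own), otherwise the decoded certificate says nothing about who actually connected. That is the deployment uncertainty the comment above points at.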

#2

Updated by dkliban@redhat.com about 4 years ago

  • Groomed changed from No to Yes
  • Sprint Candidate changed from No to Yes
  • Sprint set to Sprint 68

#3

Updated by bmbouter about 4 years ago

  • Status changed from NEW to CLOSED - WONTFIX

We are keeping authorization in the Pulp services and not in the webservers themselves. The summary of reasons is here: https://www.redhat.com/archives/pulp-dev/2020-March/msg00035.html As such, this story should be closed.
