Story #7118

closed

As an ansible-galaxy CLI user, I can configure a token and auth_url and have pulp_ansible protect my content

Added by bmbouter over 3 years ago. Updated over 2 years ago.

Status: CLOSED - DUPLICATE
Priority: Normal
Assignee: -
% Done: 0%
Groomed: No
Sprint Candidate: No
Tags: Katello

Description

Ticket moved to GitHub: pulp/pulp_ansible/711 (https://github.com/pulp/pulp_ansible/issues/711)


Background

The authentication capabilities of the ansible-galaxy CLI are described here: https://docs.ansible.com/ansible/latest/user_guide/collections_using.html#configuring-the-ansible-galaxy-client

There are two credentials:

  • auth_url: The URL to fetch the session token from
  • token: The long-lived credential that will give a user a session-token

Requirements

  • pulp_ansible needs to have some way to hand out a session-token.
  • An AnsibleContentGuard that will protect a Distribution, requiring the user to use a session-token when fetching content.
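The exchange described in Background and Requirements, sketched as an added example; this is not pulp_ansible code or the ticket author's design. The HMAC-signed token format, the key, the sample token and the names `issue_session_token` and `guard_permits` are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

SERVER_KEY = b"constructed-demo-signing-key"  # constructed; held only by the server
# Long-lived tokens are stored hashed, mapped to their owner (constructed sample).
LONG_LIVED = {hashlib.sha256(b"constructed-api-token").hexdigest(): "alice"}
SESSION_TTL = 300  # session-token lifetime in seconds


def _sign(body: bytes) -> bytes:
    return hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest().encode()


def issue_session_token(long_lived_token, now=None):
    """auth_url side: exchange the long-lived token for a short-lived session token."""
    user = LONG_LIVED.get(hashlib.sha256(long_lived_token.encode()).hexdigest())
    if user is None:
        return None  # unknown long-lived token: nothing is issued
    now = time.time() if now is None else now
    claims = json.dumps({"sub": user, "exp": now + SESSION_TTL}).encode()
    body = base64.urlsafe_b64encode(claims)
    return body.decode() + "." + _sign(body).decode()


def guard_permits(authorization_header, now=None):
    """Content-guard side: return the user for a valid Bearer session token, else None."""
    scheme, _, token = (authorization_header or "").partition(" ")
    body, _, sig = token.partition(".")
    # Verify the signature before parsing anything the client sent.
    if scheme != "Bearer" or not hmac.compare_digest(sig.encode(), _sign(body.encode())):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))  # safe: body is server-signed
    now = time.time() if now is None else now
    return claims["sub"] if claims["exp"] > now else None  # expired tokens are refused
```

The guard accepts only what the `auth_url` side signed, so presenting the long-lived token directly to the content endpoint is rejected just like a missing header.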

Related issues

Related to Pulp - Story #8939: Add token authentication to pulpcore | CLOSED - DUPLICATE | gerrod

Actions #1

Updated by bmbouter over 3 years ago

  • Project changed from Pulp to Ansible Plugin
Actions #2

Updated by bmbouter about 3 years ago

  • Tags Katello added
Actions #3

Updated by alikins about 3 years ago

What would be doing the auth checks in this scenario?

Would Satellite be issuing and authenticating the tokens (and passing requests onto pulp_ansible / galaxy_ng)?

AnsibleContentGuard implies pulp_ansible (content app?) would be enforcing authentication when fetching content. Would API use be different? Is the goal to require authentication for galaxy_ng / pulp_ansible API? And/or fetching content?

Are the auth tokens described here intended to be used across Satellite / galaxy_ng_pulp_ansible / tower API? i.e., will the same auth token instance be used for all the APIs (and content access)?

I like the idea of an AnsibleContentGuard that is tied to the session auth used by galaxy_ng/pulp_ansible.

Actions #4

Updated by alikins about 3 years ago

Note: "I can configure a token and auth_url" pretty much requires that auth_url points to a Keycloak server

Or I guess, something that implements the same API...

Actions #5

Updated by alikins about 3 years ago

I'd also mention that auth_url is pretty much just a special case for handling RH SSO for cloud.redhat.com.

I don't think it needs to be or should be implemented for other cases (short of deployment scenarios that have Keycloak servers with similar setup as sso.redhat.com).

Actions #6

Updated by fao89 about 3 years ago

  • Sprint/Milestone set to 1.0.0 - Candidates
Actions #7

Updated by gerrod almost 3 years ago

  • Related to Story #8939: Add token authentication to pulpcore added
Actions #8

Updated by pulpbot over 2 years ago

  • Description updated (diff)
  • Status changed from NEW to CLOSED - DUPLICATE
