Story #7118

As an ansible-galaxy CLI user, I can configure a token and auth_url and have pulp_ansible protect my content

Added by bmbouter 10 months ago. Updated about 1 month ago.

Status: NEW
Priority: Normal
Assignee: -
Sprint/Milestone:
Start date:
Due date:
% Done: 0%
Estimated time:
Platform Release:
Groomed: No
Sprint Candidate: No
Tags: Katello
Sprint:
Quarter:

Description

Background

The authentication capabilities of the ansible-galaxy CLI are described here: https://docs.ansible.com/ansible/latest/user_guide/collections_using.html#configuring-the-ansible-galaxy-client

There are two credentials:

  • auth_url: The URL to fetch the session token from
  • token: The long-lived credential that gives a user a session token

Requirements

  • pulp_ansible needs to have some way to hand out a session token.
  • An AnsibleContentGuard that will protect a Distribution, requiring the user to present a session token when fetching content.

History

#1 Updated by bmbouter 9 months ago

  • Project changed from Pulp to Ansible Plugin

#2 Updated by bmbouter 2 months ago

  • Tags Katello added

#3 Updated by alikins 2 months ago

What would be doing the auth checks in this scenario?

Would satellite be issuing and authenticating the tokens (and passing requests onto pulp_ansible / galaxy_ng)?

AnsibleContentGuard implies pulp_ansible (content app?) would be enforcing authentication when fetching content. Would API use be different? Is the goal to require authentication for galaxy_ng / pulp_ansible API? And/or fetching content?

Are the auth tokens described here intended to be used across Satellite / galaxy_ng_pulp_ansible / tower API? i.e., will the same auth token instance be used for all the APIs (and content access)?

I like the idea of an AnsibleContentGuard that is tied to the session auth used by galaxy_ng/pulp_ansible.

#4 Updated by alikins about 2 months ago

Note: "I can configure a token and auth_url" pretty much requires that auth_url points to a keycloak server

Or I guess, something that implements the same API...

#5 Updated by alikins about 2 months ago

I'd also mention that auth_url is pretty much just a special case for handling RH SSO for cloud.redhat.com.

I don't think it needs to be or should be implemented for other cases (short of deployment scenarios that have keycloak servers with similar setup as sso.redhat.com).

#6 Updated by fao89 about 1 month ago

  • Sprint/Milestone set to 0.9.0 - Candidates
