As an ansible-galaxy CLI user, I can configure a token and auth_url and have pulp_ansible protect my content
The authentication capabilities of the ansible-galaxy CLI are described here: https://docs.ansible.com/ansible/latest/user_guide/collections_using.html#configuring-the-ansible-galaxy-client
There are two credentials:
- auth_url: The url to fetch the session token from
- token: The long-lived credential that will give a user a session-token
- pulp_ansible needs to have some way to hand out a session-token.
- An AnsibleContentGuard that will protect a Distribution, requiring the user to use a session-token when fetching content.
What would be doing the auth checks in this scenario?
Would satellite be issuing and authenticating the tokens (and passing requests onto pulp_ansible / galaxy_ng)?
AnsibleContentGuard implies pulp_ansible (content app?) would be enforcing authentication when fetching content. Would API use be different? Is the goal to require authentication for galaxy_ng / pulp_ansible API? And/or fetching content?
Are the auth tokens described here intended to be used across Satellite / galaxy_ng_pulp_ansible / tower API? ie, will the same auth token instance be used for all the API's (and content access)?
I like the idea of a AnsibleContentGuard that is tied to the session auth used by galaxy_ng/pulp_ansible.
I'd also mention that auth_url is pretty much just a special case for handling RH SSO for cloud.redhat.com.
I don't think it needs to be or should be implemented for other cases (short of deployment scenarios that have keycloak servers with similar setup as sso.redhat.com).
Please register to edit this issue