Story #7118
closedAs an ansible-galaxy CLI user, I can configure a token and auth_url and have pulp_ansible protect my content
0%
Description
Ticket moved to GitHub: "pulp/pulp_ansible/711":https://github.com/pulp/pulp_ansible/issues/711
Background¶
The authentication capabilities of the ansible-galaxy CLI are described here: https://docs.ansible.com/ansible/latest/user_guide/collections_using.html#configuring-the-ansible-galaxy-client
There are two credentials:
- auth_url: The url to fetch the session token from
- token: The long-lived credential that will give a user a session-token
Requirements¶
- pulp_ansible needs to have some way to hand out a session-token.
- An AnsibleContentGuard that will protect a Distribution, requiring the user to use a session-token when fetching content.
Related issues
Updated by bmbouter over 4 years ago
- Project changed from Pulp to Ansible Plugin
Updated by alikins almost 4 years ago
What would be doing the auth checks in this scenario?
Would satellite be issuing and authenticating the tokens (and passing requests onto pulp_ansible / galaxy_ng)?
AnsibleContentGuard implies pulp_ansible (content app?) would be enforcing authentication when fetching content. Would API use be different? Is the goal to require authentication for galaxy_ng / pulp_ansible API? And/or fetching content?
Are the auth tokens described here intended to be used across Satellite / galaxy_ng_pulp_ansible / tower API? ie, will the same auth token instance be used for all the API's (and content access)?
I like the idea of a AnsibleContentGuard that is tied to the session auth used by galaxy_ng/pulp_ansible.
Updated by alikins almost 4 years ago
Note: "I can configure a token and auth_url" pretty much requires that auth_url points to a keycloak server
Or I guess, something that implements the same API...
Updated by alikins almost 4 years ago
I'd also mention that auth_url is pretty much just a special case for handling RH SSO for cloud.redhat.com.
I don't think it needs to be or should be implemented for other cases (short of deployment scenarios that have keycloak servers with similar setup as sso.redhat.com).
Updated by gerrod over 3 years ago
- Related to Story #8939: Add token authentication to pulpcore added
Updated by pulpbot about 3 years ago
- Description updated (diff)
- Status changed from NEW to CLOSED - DUPLICATE