Story #720

closed

As a pulp administrator, I would like to enable a custom auth check for content downloads

Added by cduryee about 9 years ago. Updated almost 5 years ago.

Status: CLOSED - CURRENTRELEASE
Priority: High
Assignee:
Category: -
Sprint/Milestone: -
Start date:
Due date:
% Done: 100%
Estimated time:
Platform Release: 2.7.0
Groomed: Yes
Sprint Candidate: Yes
Tags: Pulp 2
Sprint: April 2015
Quarter:

Description

Some pulp deployments may require additional repo auth checks when serving content. For example, an administrator may have a custom plugin that checks for a certain field on the HTTP request.

Currently, administrators have to patch repo_auth.wsgi to accomplish this. This is less than ideal because it means custom authenticators cannot be installed via RPM, and users have to edit pulp code directly.

Instead, we can modify repo_auth.wsgi to load scripts via python entrypoints. Any python module that wants to be included can specify something like this in their setup.py file:

    entry_points={
        'pulp_content_authenticators': [
            '<short keyword here>=python.module.name:method_name'
        ]
    },

For example, the existing OID plugin would be: 'oid_validation=pulp.repoauth.oid_validation:authenticate'

When repo_auth.wsgi is invoked, it will walk through this list of methods and pass 'environ' in to each method. If one says that the user is valid, then further plugins are not checked and the user is granted access.

Deliverables:

  • Port the existing repo_auth.wsgi code to discover the plugins via entry points
  • Ensure the oid validator loads correctly: https://github.com/pulp/pulp/blob/master/server/srv/pulp/repo_auth.wsgi#L22
  • Update the docs to document this behavior, and create docs on how to add a new example authenticator
  • All new code needs to have 100% test coverage
  • All existing tests need to continue to pass correctly in Jenkins
  • Add a release note about this new feature

QE note: This will not result in any changes to Pulp's functionality, a no-break test via regression testing should be OK.
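
An added illustration of the dispatch this story describes (not Pulp's code): each entry point in the `pulp_content_authenticators` group is loaded and called with `environ`, and the first one that accepts the request grants access. Denying when no plugin is installed, or when a plugin raises or cannot be imported, is an assumption the story does not spell out; the header name, the token and `StubEntryPoint` are hypothetical.

```python
import hmac
import logging
from importlib.metadata import entry_points

GROUP = "pulp_content_authenticators"  # entry point group named in the story
log = logging.getLogger("content_auth")

def discover(group=GROUP):
    """Installed entry points for the group (empty list if none)."""
    eps = entry_points()
    # Python 3.10+ offers .select(); older versions return a dict of lists.
    return list(eps.select(group=group) if hasattr(eps, "select") else eps.get(group, []))

def allow_access(environ, eps=None):
    """Grant on the first authenticator that returns True; otherwise deny."""
    for ep in (discover() if eps is None else eps):
        try:
            if ep.load()(environ) is True:  # truthy non-bool values do not grant
                log.info("access granted by %s", ep.name)
                return True
        except Exception:
            # Assumed policy: fail closed. A plugin that cannot be imported or
            # raises is logged and skipped, never treated as a grant.
            log.exception("authenticator %s failed", ep.name)
    return False  # nothing installed, or no plugin accepted the request

# Hypothetical custom authenticator: header name and token are constructed.
EXPECTED_TOKEN = "example-token-not-a-real-secret"

def header_token_authenticate(environ):
    supplied = environ.get("HTTP_X_CONTENT_TOKEN", "")
    return hmac.compare_digest(supplied.encode(), EXPECTED_TOKEN.encode())

def broken_authenticate(environ):
    raise RuntimeError("plugin bug")

class StubEntryPoint:
    """Stand-in for an installed entry point so the example runs offline."""
    def __init__(self, name, func):
        self.name, self._func = name, func
    def load(self):
        if self._func is None:
            raise ImportError("cannot import " + self.name)
        return self._func

SAMPLE_PLUGINS = [  # constructed sample, in the order they would be walked
    StubEntryPoint("missing", None),
    StubEntryPoint("broken", broken_authenticate),
    StubEntryPoint("header_token", header_token_authenticate),
]
```

Because any single plugin can grant access under this first-match rule, every package that registers in the group widens who can download content, so the set of installed authenticators is worth auditing alongside the plugin code itself.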


Related issues

Has duplicate Pulp - Task #153: Determine how to add additional content protection (CLOSED - DUPLICATE, cduryee)

Actions #1

Updated by cduryee about 9 years ago

  • Tags Sprint Candidate added
Actions #2

Updated by bmbouter about 9 years ago

  • Description updated (diff)

I added a list of deliverables. Two questions to check my understanding:

1) Is the idea that the two existing optional plugins are going to be loaded from the auth_plugin.optional.d directory? That way users can disable or replace them if they want.

2) How will this work for the dev installs? Should these directories and optional policies get symlinked in the pulp dev script? That is currently not in the list of deliverables.

Actions #3

Updated by cduryee about 9 years ago

  • Description updated (diff)
Actions #4

Updated by cduryee about 9 years ago

  • Description updated (diff)
Actions #5

Updated by cduryee about 9 years ago

  • Description updated (diff)
Actions #6

Updated by bmbouter about 9 years ago

Also can we change the name of that directory to have the word "content" since this auth is for content serving only? Maybe /etc/pulp/content_auth_plugins ?

Actions #7

Updated by cduryee about 9 years ago

  • Description updated (diff)
Actions #8

Updated by cduryee about 9 years ago

  • Description updated (diff)
Actions #9

Updated by cduryee about 9 years ago

good point, I just updated the desc for this.

Actions #10

Updated by cduryee about 9 years ago

  • Description updated (diff)
Actions #11

Updated by bcourt about 9 years ago

Is there a reason to use filesystem loading instead of an entry point?

Actions #12

Updated by cduryee about 9 years ago

bcourt wrote:

Is there a reason to use filesystem loading instead of an entry point?

Could this be done so that a new plugin would not have to modify any existing configs to get loaded?

Actions #13

Updated by mhrivnak about 9 years ago

I think we could and probably should use an entry point to discover the installed code, but we definitely need some other mechanism for turning it on and off.

Actions #14

Updated by mhrivnak about 9 years ago

  • Priority changed from Normal to High
Actions #15

Updated by bmbouter about 9 years ago

  • Tags Groomed added
  • Tags deleted (Sprint Candidate)
Actions #16

Updated by bmbouter about 9 years ago

  • Tags Sprint Candidate added
Actions #17

Updated by bmbouter almost 9 years ago

  • Has duplicate Task #153: Determine how to add additional content protection added
Actions #18

Updated by cduryee almost 9 years ago

  • Status changed from NEW to ASSIGNED
  • Sprint/Milestone set to 15
Actions #19

Updated by cduryee almost 9 years ago

  • Description updated (diff)

Added by cduryee almost 9 years ago

Revision ffd9f9c3 | View on GitHub

Refactor repo auth to use entrypoints

Pulp's repo auth now allows for pluggable authentication methods. These can be configured via a new entry point. The repo_auth.wsgi file was also refactored to move code into a Python module to make testing easier.

More information is available in the 'contentauth' doc.

Additionally, the 'auth_handler_framework' was determined to be unused and has been removed.

fixes #720

Actions #20

Updated by cduryee almost 9 years ago

  • Status changed from ASSIGNED to POST
Actions #21

Updated by cduryee almost 9 years ago

  • Status changed from POST to MODIFIED
  • % Done changed from 0 to 100
Actions #22

Updated by cduryee almost 9 years ago

  • Status changed from MODIFIED to POST

not sure how this got moved to modified, setting back to post

Added by cduryee almost 9 years ago

Revision 602ca896 | View on GitHub

Refactor repo auth to use entrypoints

Pulp's repo auth now allows for pluggable authentication methods. These can be configured via a new entry point. The repo_auth.wsgi file was also refactored to move code into a Python module to make testing easier.

More information is available in the 'contentauth' doc.

Additionally, the 'auth_handler_framework' was determined to be unused and has been removed.

fixes #720

Actions #23

Updated by cduryee almost 9 years ago

  • Status changed from POST to MODIFIED
Actions #24

Updated by bmbouter almost 9 years ago

  • Groomed set to Yes
  • Tags deleted (Groomed)
Actions #25

Updated by bmbouter almost 9 years ago

  • Sprint Candidate set to Yes
  • Tags deleted (Sprint Candidate)
Actions #26

Updated by dkliban@redhat.com almost 9 years ago

  • Platform Release set to 2.7.0
Actions #27

Updated by cduryee almost 9 years ago

  • Assignee set to cduryee
Actions #28

Updated by dkliban@redhat.com almost 9 years ago

  • Status changed from MODIFIED to 5
Actions #29

Updated by dkliban@redhat.com over 8 years ago

There is no visible change to the user. Just doing regression testing for this feature will be enough to verify.

Actions #30

Updated by rbarlow about 8 years ago

  • Status changed from 5 to CLOSED - CURRENTRELEASE
Actions #31

Updated by bmbouter about 6 years ago

  • Sprint set to April 2015
Actions #32

Updated by bmbouter about 6 years ago

  • Sprint/Milestone deleted (15)
Actions #33

Updated by bmbouter almost 5 years ago

  • Tags Pulp 2 added
