Story #720

closed

As a pulp administrator, I would like to enable a custom auth check for content downloads

Added by cduryee about 9 years ago. Updated about 5 years ago.

Status: CLOSED - CURRENTRELEASE
Priority: High
Assignee:
Category: -
Sprint/Milestone: -
Start date:
Due date:
% Done: 100%
Estimated time:
Platform Release: 2.7.0
Groomed: Yes
Sprint Candidate: Yes
Tags: Pulp 2
Sprint: April 2015
Quarter:

Description

Some pulp deployments may require additional repo auth checks when serving content. For example, an administrator may have a custom plugin that checks for a certain field on the HTTP request.

Currently, administrators have to patch repo_auth.wsgi to accomplish this. This is less than ideal because it means custom authenticators cannot be installed via RPM, and users have to edit pulp code directly.

Instead, we can modify repo_auth.wsgi to load scripts via Python entry points. Any Python module that wants to be included can specify something like this in its setup.py file:

    entry_points={
        'pulp_content_authenticators': [
            '<short keyword here>=python.module.name:method_name'
        ]
    },

For example, the existing OID plugin would be: 'oid_validation=pulp.repoauth.oid_validation:authenticate'

When repo_auth.wsgi is invoked, it will walk through this list of methods and pass 'environ' in to each method. If one says that the user is valid, then further plugins are not checked and the user is granted access.

Deliverables:

  • Port the existing repo_auth.wsgi code to discover the plugins via entry points
  • Ensure the oid validator loads correctly: https://github.com/pulp/pulp/blob/master/server/srv/pulp/repo_auth.wsgi#L22
  • Update the docs to document this behavior, and create docs on how to add a new example authenticator
  • All new code needs to have 100% test coverage
  • All existing tests need to continue to pass correctly in Jenkins
  • Add a release note about this new feature

QE note: This will not result in any changes to Pulp's functionality; a no-break test via regression testing should be OK.
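
The dispatch behaviour described in the story (pass 'environ' to each registered authenticator, stop at the first one that accepts) can be sketched as follows. This is an added example, not Pulp's repo_auth.wsgi code: it assumes Python 3 and `importlib.metadata` for discovery, and the fail-closed handling of exceptions, non-boolean returns and an empty plugin list are choices made for this example. The sample plugins and header name are constructed.

```python
import logging
from importlib import metadata

GROUP = "pulp_content_authenticators"  # entry point group named in the story
log = logging.getLogger("repo_auth_example")

def discover(group=GROUP):
    """Return [(name, callable)] for every installed entry point in `group`."""
    eps = metadata.entry_points()
    # Python 3.10+ offers .select(); older versions return a dict of lists.
    found = eps.select(group=group) if hasattr(eps, "select") else eps.get(group, [])
    # Sort by name so evaluation order does not depend on install order.
    return [(ep.name, ep.load()) for ep in sorted(found, key=lambda e: e.name)]

def allow_access(environ, authenticators):
    """Grant access as soon as one plugin returns True; skip the rest."""
    for name, authenticate in authenticators:
        try:
            result = authenticate(environ)
        except Exception:
            # Assumption: a crashing plugin is treated as "deny", never "allow".
            log.exception("authenticator %s raised; treating as deny", name)
            continue
        if result is True:  # only an explicit True counts, not any truthy value
            log.info("access granted by %s", name)
            return True
    return False  # nobody vouched for the request (also covers an empty list)

# --- constructed sample plugins (hypothetical, for illustration only) ---
calls = []

def broken_plugin(environ):
    raise RuntimeError("simulated plugin failure")

def header_check(environ):
    return environ.get("HTTP_X_SAMPLE_TOKEN") == "constructed-value"

def truthy_plugin(environ):
    return "yes"  # sloppy return value that must not grant access

def recording_plugin(environ):
    calls.append(environ["PATH_INFO"])  # records that it was reached
    return False

SAMPLE_PLUGINS = [("broken", broken_plugin), ("header", header_check),
                  ("recorder", recording_plugin)]
```

Because any single plugin returning True grants access, every package that registers in this entry point group becomes part of the content authorization path and should be reviewed as such.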


Related issues

Has duplicate: Pulp - Task #153: Determine how to add additional content protection (CLOSED - DUPLICATE, cduryee)
