Project

Profile

Help

Story #720

closed

As a pulp administrator, I would like to enable a custom auth check for content downloads

Added by cduryee almost 10 years ago. Updated over 5 years ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
High
Assignee:
Category:
-
Sprint/Milestone:
-
Start date:
Due date:
% Done:

100%

Estimated time:
Platform Release:
2.7.0
Groomed:
Yes
Sprint Candidate:
Yes
Tags:
Pulp 2
Sprint:
April 2015
Quarter:

Description

Some pulp deployments may require additional repo auth checks when serving content. For example, an administrator may have a custom plugin that checks for a certain field on the HTTP request.

Currently, administrators have to patch repo_auth.wsgi to accomplish this. This is less than ideal because it means custom authenticators cannot be installed via RPM, and users have to edit pulp code directly.

Instead, we can modify repo_auth.wsgi to load scripts via python entrypoints. Any python module that wants to be included can specify something like this in their setup.py file:

    entry_points={
        'pulp_content_authenticators': [
            '<short keyword here>=python.module.name:method_name'
        ]
    },

For example, the existing OID plugin would be: 'oid_validation=pulp.repoauth.oid_validation:authenticate'

When repo_auth.wsgi is invoked, it will walk through this list of methods and pass 'environ' in to each method. If one says that the user is valid, then further plugins are not checked and the user is granted access.

Deliverables:

  • Port the existing repo_auth.wsgi code to discover the plugins via entry points
  • Ensure the oid validator loads correctly: https://github.com/pulp/pulp/blob/master/server/srv/pulp/repo_auth.wsgi#L22
  • Update the docs to document this behavior, and create docs on how to add a new example authenticator
  • All new code needs to have 100% test coverage
  • All existing tests need to continue to pass correctly in Jenkins
  • Add a release notes about this new feature

QE note: This will not result in any changes to Pulp's functionality, a no-break test via regression testing should be OK.


Related issues

Has duplicate Pulp - Task #153: Determine how to add additional content protectionCLOSED - DUPLICATEcduryee

Actions
Actions #1

Updated by cduryee almost 10 years ago

  • Tags Sprint Candidate added
Actions #2

Updated by bmbouter almost 10 years ago

  • Description updated (diff)

I added a list of deliverables. Two questions to check my understanding:

1) Is the idea is that the two existing optional plugins are going to be loaded from the auth_plugin.optional.d directory? That way users can disable or replace them if they want.

2) How will this work for the dev installs? Should these directories and optional policies get symlinked in the pulp dev script? That is currently not in the list of deliverables.

Actions #3

Updated by cduryee almost 10 years ago

  • Description updated (diff)
Actions #4

Updated by cduryee almost 10 years ago

  • Description updated (diff)
Actions #5

Updated by cduryee almost 10 years ago

  • Description updated (diff)
Actions #6

Updated by bmbouter almost 10 years ago

Also can we change the name of that directory to have the word "content" since this auth is for content serving only? Maybe /etc/pulp/content_auth_plugins ?

Actions #7

Updated by cduryee almost 10 years ago

  • Description updated (diff)
Actions #8

Updated by cduryee almost 10 years ago

  • Description updated (diff)
Actions #9

Updated by cduryee almost 10 years ago

good point, I just updated the desc for this.

Actions #10

Updated by cduryee almost 10 years ago

  • Description updated (diff)
Actions #11

Updated by bcourt almost 10 years ago

Is there a reason to use filesystem loading instead of an entry point?

Actions #12

Updated by cduryee almost 10 years ago

bcourt wrote:

Is there a reason to use filesystem loading instead of an entry point?

Could this be done so that a new plugin would not have to modify any existing configs to get loaded?

Actions #13

Updated by mhrivnak almost 10 years ago

I think we could and probably should use an entry point to discover the installed code, but we definitely need some other mechanism for turning it on and off.

Actions #14

Updated by mhrivnak almost 10 years ago

  • Priority changed from Normal to High
Actions #15

Updated by bmbouter almost 10 years ago

  • Tags Groomed added
  • Tags deleted (Sprint Candidate)
Actions #16

Updated by bmbouter almost 10 years ago

  • Tags Sprint Candidate added
Actions #17

Updated by bmbouter almost 10 years ago

  • Has duplicate Task #153: Determine how to add additional content protection added
Actions #18

Updated by cduryee over 9 years ago

  • Status changed from NEW to ASSIGNED
  • Sprint/Milestone set to 15
Actions #19

Updated by cduryee over 9 years ago

  • Description updated (diff)

Added by cduryee over 9 years ago

Revision ffd9f9c3 | View on GitHub

Refactor repo auth to use entrypoints

Pulp's repo auth now allows for pluggable authentication methods. These can be configured via a new entry point. The repo_auth.wsgi file was also refactored to move code into a Python module to make testing easier.

More information is available in the 'contentauth' doc.

Additionally, the 'auth_handler_framework' was determined to be unused and has been removed.

fixes #720

Actions #20

Updated by cduryee over 9 years ago

  • Status changed from ASSIGNED to POST
Actions #21

Updated by cduryee over 9 years ago

  • Status changed from POST to MODIFIED
  • % Done changed from 0 to 100
Actions #22

Updated by cduryee over 9 years ago

  • Status changed from MODIFIED to POST

not sure how this got moved to modified, setting back to post

Added by cduryee over 9 years ago

Revision 602ca896 | View on GitHub

Refactor repo auth to use entrypoints

Pulp's repo auth now allows for pluggable authentication methods. These can be configured via a new entry point. The repo_auth.wsgi file was also refactored to move code into a Python module to make testing easier.

More information is available in the 'contentauth' doc.

Additionally, the 'auth_handler_framework' was determined to be unused and has been removed.

fixes #720

Added by cduryee over 9 years ago

Revision 602ca896 | View on GitHub

Refactor repo auth to use entrypoints

Pulp's repo auth now allows for pluggable authentication methods. These can be configured via a new entry point. The repo_auth.wsgi file was also refactored to move code into a Python module to make testing easier.

More information is available in the 'contentauth' doc.

Additionally, the 'auth_handler_framework' was determined to be unused and has been removed.

fixes #720

Actions #23

Updated by cduryee over 9 years ago

  • Status changed from POST to MODIFIED
Actions #24

Updated by bmbouter over 9 years ago

  • Groomed set to Yes
  • Tags deleted (Groomed)
Actions #25

Updated by bmbouter over 9 years ago

  • Sprint Candidate set to Yes
  • Tags deleted (Sprint Candidate)
Actions #26

Updated by dkliban@redhat.com over 9 years ago

  • Platform Release set to 2.7.0
Actions #27

Updated by cduryee over 9 years ago

  • Assignee set to cduryee
Actions #28

Updated by dkliban@redhat.com over 9 years ago

  • Status changed from MODIFIED to 5
Actions #29

Updated by dkliban@redhat.com over 9 years ago

There is no visible change to the user. Just doing regression testing for this feature will be enough to verify.

Actions #30

Updated by rbarlow almost 9 years ago

  • Status changed from 5 to CLOSED - CURRENTRELEASE
Actions #31

Updated by bmbouter almost 7 years ago

  • Sprint set to April 2015
Actions #32

Updated by bmbouter almost 7 years ago

  • Sprint/Milestone deleted (15)
Actions #33

Updated by bmbouter over 5 years ago

  • Tags Pulp 2 added

Also available in: Atom PDF