Task #946

closed

Develop a plan to improve Pulp's authentication offerings

Added by rbarlow almost 9 years ago. Updated about 5 years ago.

Status: CLOSED - WONTFIX
Priority: Normal
Assignee: -
Category: -
Sprint/Milestone: -
Start date:
Due date:
% Done: 0%
Estimated time:
Platform Release:
Groomed: Yes
Sprint Candidate: No
Tags: Pulp 2
Sprint:
Quarter:

Description

Right now Pulp uses httpd's REMOTE_USER environment variable to authenticate remote users, except for the /login call. This is great, except that /login works in a way that causes our users lots of trouble. Right now, /login uses a username:password combo to authenticate, and if successful /etc/pki/pulp/ca.crt is used to generate a client SSL certificate. This /etc/pki/pulp/ca.crt file is far too tempting for our users, and I think that it might be true to say that 100% of people's SSL issues are related to messing with this file. We need a plan to rethink the /login call so that it does not require any such file, and no such file should be generated by our RPM!

Some things to think about:

  • It would be nice if Pulp and pulp-admin used something like a session key instead of a client SSL cert by default
  • Since Pulp trusts REMOTE_USER, admins are still free to generate their own SSL client certs if they please. We should document how to form the CN for this to work, and we should ensure that pulp-admin can still be configured to use such a cert if it's provided
  • Kerberos should work!
  • Really, any httpd auth module should work.

Deliverable

  • A set of stories that achieve a better set of authentication user stories than we currently achieve (nebulous!)
  • Remember that these changes are very likely backwards incompatible when you file them

I think this is important, because I and others have lost a lot of time supporting users who have tried to use that file as a CA and have really confused their Pulp installations. If we improve Pulp such that that file no longer exists (and none like it), we will save ourselves more time than it takes to make this change, and at the same time we will greatly improve our authentication offerings!
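
An added sketch of the session-key idea from the first bullet above; it is not Pulp's code and not part of the original ticket. It assumes a WSGI application behind httpd, a hypothetical `/login` handler that runs only after an httpd auth module has set `REMOTE_USER`, and a hypothetical `X-Session-Key` request header; the function names and the one-hour lifetime are also assumptions.

```python
import hashlib
import hmac
import secrets
import time

SECRET = secrets.token_bytes(32)  # per-process signing key (assumption: one server process)
TTL = 3600                        # session lifetime in seconds (assumed value)


def _mac(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_session(user, now=None):
    """Return 'user|expiry|mac' for a user httpd has already authenticated."""
    expiry = int(time.time() if now is None else now) + TTL
    payload = f"{user}|{expiry}"
    return f"{payload}|{_mac(payload)}"


def verify_session(token, now=None):
    """Return the user name if the token is authentic and unexpired, else None."""
    try:
        user, expiry, mac = token.rsplit("|", 2)
        expires_at = int(expiry)
    except ValueError:
        return None
    # Constant-time comparison on bytes, so odd header characters cannot raise.
    if not hmac.compare_digest(mac.encode(), _mac(f"{user}|{expiry}").encode()):
        return None
    if expires_at < (time.time() if now is None else now):
        return None
    return user


def login(environ):
    """Hypothetical /login: no CA file involved, just hand back a session key."""
    user = environ.get("REMOTE_USER")
    return issue_session(user) if user else None


def authenticate(environ):
    """Resolve the caller from a WSGI environ.

    Only environ['REMOTE_USER'], which httpd's auth module sets, is trusted.
    A client-sent 'Remote-User' header arrives as HTTP_REMOTE_USER and is ignored.
    """
    user = environ.get("REMOTE_USER")
    if user:
        return user
    return verify_session(environ.get("HTTP_X_SESSION_KEY", ""))  # hypothetical header
```

Because the key is only ever issued for an identity httpd has already established, any httpd auth module (client certificate, Kerberos, Basic) can sit in front of `login` unchanged.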


Related issues

Related to Pulp - Task #2090: Create a plan for user/auth in 3.0 (CLOSED - CURRENTRELEASE, ttereshc)
