Story #720

Updated by bmbouter about 9 years ago

Some pulp deployments may require additional repo auth checks when serving content. For example, an administrator may have a custom plugin that checks for a certain field on the HTTP request. 

 Currently, administrators have to patch repo_auth.wsgi to accomplish this. This is less than ideal because it means custom authenticators cannot be installed via RPM, and users have to edit pulp code directly. 

 Instead, we can modify repo_auth.wsgi to load scripts from /etc/pulp/auth_plugins.required.d and auth_plugins.optional.d. These two directories can have symlinks to python code that provide authenticate(environ, host) methods. 

 When repo_auth.wsgi is invoked, it will AND the results of each plugin's output in auth_plugins.required.d. Assuming the required plugins all return True, it will then OR the results of everything in auth_plugins.optional.d. If all required auth and at least one optional auth is True, the request is allowed to continue. 

 Deliverables: 
 * Port the existing repo_auth.wsgi code to discover the plugins in these locations 
 * Ensure the two "default optional plugins":https://github.com/pulp/pulp/blob/master/server/srv/pulp/repo_auth.wsgi#L21 both load correctly 
 * Update the docs to document this behavior 
 * Update the rpm installer to create both of these directories at install time 
 * Update the rpm installer to move the optional plugins into the auth_plugin.optional.d directory at install time 
 * Delete the optional plugins from the installed codebase since they will live in auth_plugins.optional.d 
 * All new existing repo_auth.wsgi code needs to have 100% test coverage 
 * All existing tests need to continue to pass correctly in Jenkins 
 * Add a release note about this new feature.
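
The required/optional evaluation described in this story, sketched as an added example (not Pulp's code and not part of the original story). It assumes plugins are `*.py` files or symlinks to them, that a plugin which fails to load or raises counts as a denial, and that only a literal `True` counts as a pass; `load_authenticators` and `is_authorized` are hypothetical names.

```python
import importlib.util
import os

REQUIRED_DIR = "/etc/pulp/auth_plugins.required.d"
OPTIONAL_DIR = "/etc/pulp/auth_plugins.optional.d"


def load_authenticators(directory):
    """Return (name, authenticate) pairs for each *.py entry, in sorted order.

    A plugin that cannot be imported or lacks authenticate() is replaced by a
    callable that always denies, so a broken required plugin is never skipped.
    """
    plugins = []
    if not os.path.isdir(directory):
        return plugins
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".py"):
            continue
        path = os.path.realpath(os.path.join(directory, name))  # follow symlinks
        try:
            spec = importlib.util.spec_from_file_location("auth_plugin_" + name[:-3], path)
            module = importlib.util.module_from_spec(spec)
            spec.loader.exec_module(module)
            func = module.authenticate
        except Exception:
            func = lambda environ, host: False  # fail closed (assumption)
        plugins.append((name, func))
    return plugins


def _passes(func, environ, host):
    """Run one plugin; anything other than a literal True is a denial."""
    try:
        return func(environ, host) is True
    except Exception:
        return False


def is_authorized(environ, host, required_dir=REQUIRED_DIR, optional_dir=OPTIONAL_DIR):
    required = load_authenticators(required_dir)
    optional = load_authenticators(optional_dir)
    # AND over every required plugin: one failure denies the request.
    if not all(_passes(f, environ, host) for _, f in required):
        return False
    # OR over optional plugins: an empty optional directory denies, because
    # the story requires at least one optional plugin to return True.
    return any(_passes(f, environ, host) for _, f in optional)
```

Under the rule as written, an installation with no optional plugins rejects every request, which is why the installer deliverables above place the default optional plugins in the optional directory.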
