Project

Profile

Help

Story #720

Updated by cduryee almost 10 years ago

Some pulp deployments may require additional repo auth checks when serving content. For example, an administrator may have a custom plugin that checks for a certain field on the HTTP request. 

 Currently, administrators have to patch repo_auth.wsgi to accomplish this. This is less than ideal because it means custom authenticators cannot be installed via RPM, and users have to edit pulp code directly. 

 Instead, we can modify repo_auth.wsgi to load scripts from /etc/pulp/auth_plugins.required.d and auth_plugins.optional.d. These two directories can have symlinks to python code that provide authenticate(environ, host) methods. 

 When repo_auth.wsgi is invoked, it will AND the results of each plugin's output in auth_plugins.required.d. Assuming the required plugins all returns True, it will then OR the results of everything in auth_plugins.optional.d. If the result of all required auth and at least one optional auth is True, the request is allowed to continue. 

 Deliverables: 
 * Port the existing repo_auth.wsgi code to discover the plugins in these locations 
 * Ensure the two "default optional plugins":https://github.com/pulp/pulp/blob/master/server/srv/pulp/repo_auth.wsgi#L21 both load correctly 
 * Update the docs to document this behavior 
 * Update pulp.spec the rpm installer to create both of these directories at install time 
 * Update pulp.spec the rpm installer to lay down move the optional plugins into the auth_plugin.optional.d directory at install time 
 * Delete the optional plugins from the installed codebase since they will live in auth_plugins.optional.d 
 * All new code needs to have 100% test coverage 
 * All existing tests need to continue to pass correctly in Jenkins 
 * Add a release notes about this new feature

Back