Story #720

Updated by cduryee almost 10 years ago

Some pulp deployments may require additional repo auth checks when serving content. For example, an administrator may have a custom plugin that checks for a certain field on the HTTP request. 

 Currently, administrators have to patch repo_auth.wsgi to accomplish this. This is less than ideal because it means custom authenticators cannot be installed via RPM, and users have to edit pulp code directly. 

 Instead, we can modify repo_auth.wsgi to load scripts from /etc/pulp/auth_plugins.required.d and auth_plugins.optional.d. These two directories can have symlinks to python code that provide authenticate(environ, host) methods. 

 When repo_auth.wsgi is invoked, it will AND the results of each plugin's output in auth_plugins.required.d. Assuming the required plugins all return True, it will then OR the results of everything in auth_plugins.optional.d. If the result of all required auth and at least one optional auth is True, the request is allowed to continue. 

 Deliverables: 
 * Port the existing repo_auth.wsgi code to discover the plugins in these locations 
 * Ensure the oid validator loads correctly: https://github.com/pulp/pulp/blob/master/server/srv/pulp/repo_auth.wsgi#L22 
 * get rid of https://github.com/pulp/pulp/blob/master/repoauth/pulp/repoauth/auth_enabled_validation.py and refactor it into repo_auth.wsgi if possible 
 * Update the docs to document this behavior 
 * Update pulp.spec to create both of these directories at install time 
 * Update pulp.spec to lay down the optional plugins into the auth_plugins.optional.d directory at install time 
 * Delete the optional plugins from the installed codebase since they will live in auth_plugins.optional.d 
 * All new code needs to have 100% test coverage 
 * All existing tests need to continue to pass correctly in Jenkins 
 * updates to pulp-dev.py to create these two new dirs and create symlinks as appropriate to auth plugin code 
 * Add a release note about this new feature
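
The required-AND / optional-OR decision described in this story, as an added Python 3 sketch that is not Pulp's code and not part of the original story. The names load_plugins and is_authorized, the `.py` filename filter, and the choice to deny when a plugin fails to load or raises are assumptions of the example; directories are passed in as arguments so it can be run against scratch directories.

```python
import importlib.util
import os


def load_plugins(directory):
    """Return the authenticate callables found in directory, in name order.

    Entries may be symlinks. A plugin that cannot be loaded (broken symlink,
    syntax error, no authenticate attribute) becomes a deny-all stub, so a
    damaged required plugin blocks requests instead of being skipped.
    """
    plugins = []
    if not os.path.isdir(directory):
        return plugins
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".py"):
            continue
        path = os.path.join(directory, name)
        try:
            spec = importlib.util.spec_from_file_location(name[:-3], path)
            module = importlib.util.module_from_spec(spec)
            spec.loader.exec_module(module)
            plugins.append(module.authenticate)
        except Exception:
            plugins.append(lambda environ, host: False)
    return plugins


def _passes(plugin, environ, host):
    """Only a literal True counts; an exception or truthy non-bool is a deny."""
    try:
        return plugin(environ, host) is True
    except Exception:
        return False


def is_authorized(environ, host, required_dir, optional_dir):
    """AND every required plugin, then OR the optional plugins."""
    required = load_plugins(required_dir)
    optional = load_plugins(optional_dir)
    # An empty required directory imposes no constraint (all([]) is True).
    if not all(_passes(p, environ, host) for p in required):
        return False
    # Taken literally, "at least one optional auth is True" means an empty
    # optional directory denies every request (any([]) is False).
    return any(_passes(p, environ, host) for p in optional)
```

Plugins are reloaded on every call here to keep the sketch short; a WSGI script would normally load them once at startup.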
