Story #720

Updated by cduryee about 9 years ago

Some pulp deployments may require additional repo auth checks when serving content. For example, an administrator may have a custom plugin that checks for a certain field on the HTTP request. 

 Currently, administrators have to patch repo_auth.wsgi to accomplish this. This is less than ideal because it means custom authenticators cannot be installed via RPM, and users have to edit pulp code directly. 

 Instead, we can modify repo_auth.wsgi to load scripts from /etc/pulp/content_auth_plugins.d. This directory can have symlinks to python code that provides authenticate(environ, host) methods. For example, by default there would be a symlink from /etc/pulp/content_auth_plugins.d to /usr/lib/python2.7/site-packages/pulp_rpm/repo_auth/oid_validation.py. 

 When repo_auth.wsgi is invoked, it will check each plugin's output in content_auth_plugins.d. Assuming the required plugins all return True, the request is allowed to continue. 

 Deliverables: 
 * Port the existing repo_auth.wsgi code to discover the plugins in these locations 
 * Ensure the oid validator loads correctly: https://github.com/pulp/pulp/blob/master/server/srv/pulp/repo_auth.wsgi#L22 
 * Get rid of https://github.com/pulp/pulp/blob/master/repoauth/pulp/repoauth/auth_enabled_validation.py and refactor it into repo_auth.wsgi if possible 
 * Update the docs to document this behavior 
 * Update pulp.spec to create content_auth_plugins.d at install time and symlink to oid_validation.py. 
 * Delete the optional plugins from the installed codebase since they will live in auth_plugins.d 
 * All new code needs to have 100% test coverage 
 * All existing tests need to continue to pass correctly in Jenkins 
 * Update pulp-dev.py to create /etc/pulp/content_auth_plugins.d and create symlinks as appropriate to auth plugin code 
 * Add a release note about this new feature
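
A sketch of the loader described in this story, added here as an example and not taken from the story or from Pulp's code: it discovers `*.py` entries in the plugin directory, calls each `authenticate(environ, host)`, and allows the request only if every plugin returns True. It is written for Python 3; the names `load_plugins`, `is_authorized` and `demo`, the file-permission check, and the choice to deny on an empty directory or a failing plugin are assumptions, and the demo plugins and the `HTTP_X_SITE` field are constructed.

```python
import importlib.util
import os
import stat
import tempfile

PLUGIN_DIR = "/etc/pulp/content_auth_plugins.d"  # directory named in the story


def load_plugins(plugin_dir=PLUGIN_DIR):
    """Return [(name, authenticate or None)] for every *.py entry, sorted."""
    plugins = []
    for name in sorted(n for n in os.listdir(plugin_dir) if n.endswith(".py")):
        path, func = os.path.join(plugin_dir, name), None
        try:
            mode = os.stat(path).st_mode  # follows the symlink to its target
            # Assumed policy: code that group or others can rewrite is not loaded.
            if stat.S_ISREG(mode) and not mode & (stat.S_IWGRP | stat.S_IWOTH):
                spec = importlib.util.spec_from_file_location(name[:-3], path)
                module = importlib.util.module_from_spec(spec)
                spec.loader.exec_module(module)
                func = getattr(module, "authenticate", None)
        except Exception:
            func = None  # dangling symlink or import error counts as a denial
        plugins.append((name, func if callable(func) else None))
    return plugins


def is_authorized(environ, host, plugins):
    """Allow only when plugins exist and every one returns exactly True."""
    try:
        return bool(plugins) and all(
            func is not None and func(environ, host) is True
            for _, func in plugins)
    except Exception:
        return False  # a crashing plugin denies instead of being skipped


def demo():
    """Constructed plugins: one always allows, one checks a request field."""
    src = "def authenticate(environ, host):\n    return %s\n"
    with tempfile.TemporaryDirectory() as d:
        for name, expr in (("10_allow.py", "True"),
                           ("20_field.py", "environ.get('HTTP_X_SITE') == 'lab'")):
            with open(os.path.join(d, name), "w") as fh:
                fh.write(src % expr)
            os.chmod(os.path.join(d, name), 0o644)
        plugins = load_plugins(d)
    return (is_authorized({"HTTP_X_SITE": "lab"}, "client.example", plugins),
            is_authorized({}, "client.example", plugins))
```

Entries that fail to load stay in the list with `None`, so a broken or tampered plugin blocks content instead of silently dropping out of the check.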