
Story #720

Updated by cduryee about 9 years ago

Some pulp deployments may require additional repo auth checks when serving content. For example, an administrator may have a custom plugin that checks for a certain field on the HTTP request. 

 Currently, administrators have to patch repo_auth.wsgi to accomplish this. This is less than ideal because it means custom authenticators cannot be installed via RPM, and users have to edit pulp code directly. 

 Instead, we can modify repo_auth.wsgi to load scripts from /etc/pulp/content_auth_plugins.d. This directory can have symlinks to python entrypoints. Any python module that wants to be included can specify something like this in its setup.py file: 

 <pre> 
     entry_points={ 
         'pulp_content_authenticators': [ 
             '<short keyword here>=python.module.name:method_name' 
         ] 
     }, 
 </pre> 

 Each plugin provides an authenticate(environ, host) method. For example, the existing OID plugin there would be 'oid_validation=pulp.repoauth.oid_validation:authenticate', and by default would be a symlink from /etc/pulp/content_auth_plugins.d to /usr/lib/python2.7/site-packages/pulp_rpm/repo_auth/oid_validation.py. 

 When repo_auth.wsgi is invoked, it will walk through this list of methods, pass 'environ' in to each method, and check each plugin's output in content_auth_plugins.d. If one says that the user is valid, then further plugins are not checked and the user is granted access. Assuming the required plugins all return True, the request is allowed to continue. 

 Deliverables: 
 * Port the existing repo_auth.wsgi code to discover the plugins via entry points in these locations 
 * Ensure the oid validator loads correctly: https://github.com/pulp/pulp/blob/master/server/srv/pulp/repo_auth.wsgi#L22 
 * get rid of https://github.com/pulp/pulp/blob/master/repoauth/pulp/repoauth/auth_enabled_validation.py and refactor it into repo_auth.wsgi if possible 
 * Update the docs to document this behavior, and create docs on how to add a new authenticator 
 * Update pulp.spec to create content_auth_plugins.d at install time and symlink example authenticator oid_validation.py 
 * Delete the optional plugins from the installed codebase since they will live in auth_plugins.d 
 * All new code needs to have 100% test coverage 
 * All existing tests need to continue to pass correctly in Jenkins 
 * updates to pulp-dev.py to create /etc/pulp/content_auth_plugins.d and create symlinks as appropriate to auth plugin code 
 * Add a release note about this new feature 

 QE note: This will not result in any changes to Pulp's functionality; a no-break test via regression testing should be OK.
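
The plugin walk described in this story, as an added example (not Pulp's repo_auth.wsgi code): it resolves 'keyword=module:method' strings in the entry-point format shown above and applies either decision rule that appears in the text (first accepting plugin grants access, or every plugin must return True), denying on load errors, plugin exceptions or an empty plugin list. The demo_site_auth module, its functions, the require_all flag and the sample environ values are constructed for illustration.

```python
import importlib
import sys
import types

def load_authenticator(spec):
    """Parse 'keyword=module.name:method_name' and return (keyword, callable)."""
    name, _, target = spec.partition("=")
    module_name, _, attr = target.partition(":")
    name, module_name, attr = name.strip(), module_name.strip(), attr.strip()
    if not (name and module_name and attr):
        raise ValueError("malformed entry point: %r" % spec)
    func = getattr(importlib.import_module(module_name), attr)
    if not callable(func):
        raise TypeError("%s is not callable" % target)
    return name, func

def allow_access(environ, host, specs, require_all=True):
    """Walk the authenticators in order; errors and an empty list deny access."""
    try:
        plugins = [load_authenticator(s) for s in specs]
    except (ValueError, TypeError, ImportError, AttributeError):
        return False  # a plugin that cannot be loaded must not widen access
    if not plugins:
        return False
    for _name, authenticate in plugins:
        try:
            ok = authenticate(environ, host) is True  # only a real True counts
        except Exception:
            ok = False  # a crashing plugin is treated as a denial
        if ok and not require_all:
            return True  # reading 1: first plugin that accepts grants access
        if not ok and require_all:
            return False  # reading 2: every plugin must return True
    return require_all  # loop finished: all accepted, or none did

# Constructed stand-in for an installed plugin package (hypothetical names).
demo = types.ModuleType("demo_site_auth")
demo.has_cert = lambda environ, host: bool(environ.get("SSL_CLIENT_CERT"))
demo.has_token = lambda environ, host: environ.get("HTTP_X_SITE_TOKEN") == "constructed"
demo.broken = lambda environ, host: 1 / 0
sys.modules["demo_site_auth"] = demo

SPECS = ["cert=demo_site_auth:has_cert", "token=demo_site_auth:has_token"]

if __name__ == "__main__":
    env = {"SSL_CLIENT_CERT": "constructed-pem"}  # cert present, token missing
    print(allow_access(env, "repo.example", SPECS, require_all=True))
    print(allow_access(env, "repo.example", SPECS, require_all=False))
```

With the same request, the two rules disagree whenever only some plugins accept, so the choice between them decides whether installing an extra authenticator tightens or loosens access.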
