Story #4938

Updated by lmjachky 11 months ago

We need to add an auth mechanism to the Pulp registry: -basic or- token based.

This ticket will be complete when a token based auth mechanism has been added.

-The Basic auth mechanism will be solved in a separate ticket.-


1. Create a separate endpoint for accessing a token server. It might be something similar to "" (localhost/token:PORT). A new app route will need to be added in the file (

An HTTP GET request to the token server will be issued whenever the registry requires authorization. In our case, this is going to happen every single time. Users are not managed by centralized access control yet. -However, requests contain information about users in the Basic Auth header (username:password). If no authorization is used at all, the username will be set to "anonymous".-

While generating a token, it is required to pass a username and a secret key to the token generator. The secret key can be stored on the file system and fetched during generation. -The username can be retrieved from the Basic Auth header ("sub": "real_user_name", where real_user_name is passed via the Basic Auth header). The password of the user will be ignored.- The username will always be empty ("sub": ""; from the docs: "This should be empty (`""`) if the client did not authenticate."). The password of the user will be ignored. Authentication of users is not handled by this issue. See the issue to learn more.

2. If the user is attempting to access a permitted scope, the token server generates an implementation-specific token and returns it in the response.

<pre><code class="text">
HTTP/1.1 200 OK
Content-Type: application/json

{"token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiIsImtpZCI6IlBZWU86VEVXVTpWN0pIOjI2SlY6QVFUWjpMSkMzOlNYVko6WEdIQTozNEYyOjJMQVE6WlJNSzpaN1E2In0.eyJpc3MiOiJhdXRoLmRvY2tlci5jb20iLCJzdWIiOiJqbGhhd24iLCJhdWQiOiJyZWdpc3RyeS5kb2NrZXIuY29tIiwiZXhwIjoxNDE1Mzg3MzE1LCJuYmYiOjE0MTUzODcwMTUsImlhdCI6MTQxNTM4NzAxNSwianRpIjoidFlKQ08xYzZjbnl5N2tBbjBjN3JLUGdiVjFIMWJGd3MiLCJhY2Nlc3MiOlt7InR5cGUiOiJyZXBvc2l0b3J5IiwibmFtZSI6InNhbWFsYmEvbXktYXBwIiwiYWN0aW9ucyI6WyJwdXNoIl19XX0.QhflHPfbd6eVF4lM9bwYpFZIV0PfikbyXuLx959ykRTBpe3CYnzs6YBK8FToVb5R47920PVLrh8zuLzdCr9t3w", "expires_in": 3600,"issued_at": "2009-11-10T23:00:00Z"}
</code></pre>

To generate a token, the PyJWT library ( can be used. The generated token is then sent by the client in subsequent requests. The registry will proceed with the authenticated pull/push calls carrying the bearer token.

<pre><code class="text">
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiIsImtpZCI6IkJWM0Q6MkFWWjpVQjVaOktJQVA6SU5QTDo1RU42Ok40SjQ6Nk1XTzpEUktFOkJWUUs6M0ZKTDpQT1RMIn0.eyJpc3MiOiJhdXRoLmRvY2tlci5jb20iLCJzdWIiOiJCQ0NZOk9VNlo6UUVKNTpXTjJDOjJBVkM6WTdZRDpBM0xZOjQ1VVc6NE9HRDpLQUxMOkNOSjU6NUlVTCIsImF1ZCI6InJlZ2lzdHJ5LmRvY2tlci5jb20iLCJleHAiOjE0MTUzODczMTUsIm5iZiI6MTQxNTM4NzAxNSwiaWF0IjoxNDE1Mzg3MDE1LCJqdGkiOiJ0WUpDTzFjNmNueXk3a0FuMGM3cktQZ2JWMUgxYkZ3cyIsInNjb3BlIjoiamxoYXduOnJlcG9zaXRvcnk6c2FtYWxiYS9teS1hcHA6cHVzaCxwdWxsIGpsaGF3bjpuYW1lc3BhY2U6c2FtYWxiYTpwdWxsIn0.Y3zZSwaZPqy4y9oRBVRImZyv3m_S9XDHF1tWwN7mL52C_IiA73SJkWVNsvNqpJIn5h7A2F8biv_S2ppQ1lgkbw
</code></pre>

* We can implement exactly the same behavior as is described in the authentication scheme. Pulp only needs to generate a bearer token for the submitted scope and actions.
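As an added worked example of steps 1 and 2 above (written for this page; it is not Pulp code and not from the ticket), the following Python sketches the core of such a token server: it turns the registry's `scope` query parameter into the `access` claim, issues a JWT with the claims shown in the response above (`iss`, `sub`, `aud`, `exp`, `nbf`, `iat`, `jti`, `access`) with `sub` left empty because users are not authenticated yet, and shows the registry-side verification. Assumptions: the signing key is an HMAC secret read from the file system (the real tokens above are ES256 with a `kid`; the distribution registry validates against a public key, so a deployment would swap in RS256/ES256 via PyJWT), and the issuer and service names are placeholders.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from datetime import datetime, timezone

# Assumed values (not Pulp's): in a deployment the key would be read from a
# file, and ISSUER / service would come from the realm and service values the
# registry sends in its WWW-Authenticate header.
SECRET_KEY = b"replace-me-with-a-key-read-from-the-filesystem"
ISSUER = "pulp-token-server"
TOKEN_LIFETIME = 3600  # seconds, matches "expires_in" in the sample response


def _b64url(raw: bytes) -> str:
    # JOSE base64url: URL-safe alphabet, padding stripped
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def parse_scope(scope: str) -> list:
    """'repository:samalba/my-app:push,pull' (space separated when several)
    -> the access claim shape of the Docker token spec. Empty scope (e.g. the
    ping done by `docker login`) yields an empty access list."""
    access = []
    for item in scope.split():
        resource_type, rest = item.split(":", 1)
        name, actions = rest.rsplit(":", 1)  # rsplit keeps colons inside names
        access.append({"type": resource_type, "name": name,
                       "actions": [a for a in actions.split(",") if a]})
    return access


def _sign(signing_input: bytes) -> bytes:
    return hmac.new(SECRET_KEY, signing_input, hashlib.sha256).digest()


def issue_token(service: str, scope: str = "", subject: str = "") -> dict:
    """Body returned by the token endpoint. subject stays "" because the
    client is not authenticated, as the spec requires."""
    now = int(time.time())
    header = {"typ": "JWT", "alg": "HS256"}
    claims = {"iss": ISSUER, "sub": subject, "aud": service,
              "exp": now + TOKEN_LIFETIME, "nbf": now, "iat": now,
              "jti": secrets.token_urlsafe(24), "access": parse_scope(scope)}
    header_b64 = _b64url(json.dumps(header, separators=(",", ":")).encode())
    claims_b64 = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header_b64}.{claims_b64}".encode("ascii")
    token = f"{header_b64}.{claims_b64}." + _b64url(_sign(signing_input))
    issued_at = datetime.fromtimestamp(now, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"token": token, "expires_in": TOKEN_LIFETIME, "issued_at": issued_at}


def verify_token(token: str, service: str, now=None) -> dict:
    """Registry-side check of a bearer token; raises ValueError on any defect."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token must never choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = _sign(f"{header_b64}.{claims_b64}".encode("ascii"))
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != ISSUER or claims.get("aud") != service:
        raise ValueError("wrong issuer or audience")
    now = int(time.time()) if now is None else now
    if not (int(claims.get("nbf", 0)) <= now < int(claims.get("exp", 0))):
        raise ValueError("token not yet valid or expired")
    return claims


def rejection_reason(token: str, service: str, now=None):
    """None if the token verifies, otherwise the reason it was rejected."""
    try:
        verify_token(token, service, now)
    except ValueError as exc:
        return str(exc)
    return None


def allows(claims: dict, resource_type: str, name: str, action: str) -> bool:
    """Does a verified token grant `action` on the named resource?"""
    return any(a["type"] == resource_type and a["name"] == name and action in a["actions"]
               for a in claims["access"])


if __name__ == "__main__":
    body = issue_token("pulp-registry", "repository:samalba/my-app:push,pull")
    print(json.dumps(body))
    print(verify_token(body["token"], "pulp-registry")["access"])
```

The registry grants a push or pull only if `allows()` returns true for the verified claims; the `aud` check is what stops a token minted for one service being replayed against another, and pinning `alg` is the usual guard against algorithm-confusion attacks on JWT verifiers.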

It is possible to reuse the deleted implementation of JWT. It was deleted because there was no viable use case for it.