Story #4938

Updated by lmjachky 12 months ago

We need to add an auth mechanism to the Pulp registry - -basic or- token based.

This ticket will be complete when a token-based auth mechanism has been added.

-The basic auth mechanism will be solved in a separate ticket.-


1. Create a separate endpoint for accessing a token server. It might be something similar to "" (localhost/token:PORT). A new app route will need to be added in the file (

An HTTP GET request to the token server will be made whenever the registry requires authorization. In our case, this is going to happen every single time. -Users are not managed by a centralized access control yet. However, requests contain information about users in the Basic Auth header (username:password). If no authorization is used at all, the username will be set to "anonymous".-

While generating a token, it is required to pass a username and a secret key to the token generator. The secret key can be stored in the file system and fetched during generation. -The username can be retrieved from the Basic Auth header ("sub": "real_user_name", where real_user_name is passed via the Basic Auth header). The password of the user will be ignored.- The username will always be empty ("sub": ""; from the docs: "This should be empty (`""`) if the client did not authenticate."). Authentication of users is not handled by this issue. See the issue to learn more.

2. If the user is attempting to access a permitted scope, the token server generates an implementation-specific token and returns it in a response.

<pre><code class="text">
HTTP/1.1 200 OK
Content-Type: application/json

{"token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiIsImtpZCI6IlBZWU86VEVXVTpWN0pIOjI2SlY6QVFUWjpMSkMzOlNYVko6WEdIQTozNEYyOjJMQVE6WlJNSzpaN1E2In0.eyJpc3MiOiJhdXRoLmRvY2tlci5jb20iLCJzdWIiOiJqbGhhd24iLCJhdWQiOiJyZWdpc3RyeS5kb2NrZXIuY29tIiwiZXhwIjoxNDE1Mzg3MzE1LCJuYmYiOjE0MTUzODcwMTUsImlhdCI6MTQxNTM4NzAxNSwianRpIjoidFlKQ08xYzZjbnl5N2tBbjBjN3JLUGdiVjFIMWJGd3MiLCJhY2Nlc3MiOlt7InR5cGUiOiJyZXBvc2l0b3J5IiwibmFtZSI6InNhbWFsYmEvbXktYXBwIiwiYWN0aW9ucyI6WyJwdXNoIl19XX0.QhflHPfbd6eVF4lM9bwYpFZIV0PfikbyXuLx959ykRTBpe3CYnzs6YBK8FToVb5R47920PVLrh8zuLzdCr9t3w", "expires_in": 3600, "issued_at": "2009-11-10T23:00:00Z"}
</code></pre>

To generate a token, the library PyJWT ( can be used. The generated token will then be used by the client in subsequent requests. The registry will proceed with authenticated pull/push calls that carry the bearer token.

<pre><code class="text">
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiIsImtpZCI6IkJWM0Q6MkFWWjpVQjVaOktJQVA6SU5QTDo1RU42Ok40SjQ6Nk1XTzpEUktFOkJWUUs6M0ZKTDpQT1RMIn0.eyJpc3MiOiJhdXRoLmRvY2tlci5jb20iLCJzdWIiOiJCQ0NZOk9VNlo6UUVKNTpXTjJDOjJBVkM6WTdZRDpBM0xZOjQ1VVc6NE9HRDpLQUxMOkNOSjU6NUlVTCIsImF1ZCI6InJlZ2lzdHJ5LmRvY2tlci5jb20iLCJleHAiOjE0MTUzODczMTUsIm5iZiI6MTQxNTM4NzAxNSwiaWF0IjoxNDE1Mzg3MDE1LCJqdGkiOiJ0WUpDTzFjNmNueXk3a0FuMGM3cktQZ2JWMUgxYkZ3cyIsInNjb3BlIjoiamxoYXduOnJlcG9zaXRvcnk6c2FtYWxiYS9teS1hcHA6cHVzaCxwdWxsIGpsaGF3bjpuYW1lc3BhY2U6c2FtYWxiYTpwdWxsIn0.Y3zZSwaZPqy4y9oRBVRImZyv3m_S9XDHF1tWwN7mL52C_IiA73SJkWVNsvNqpJIn5h7A2F8biv_S2ppQ1lgkbw
</code></pre>

* We can implement exactly the same behavior as described in the authentication scheme. Pulp only needs to generate a bearer token according to the submitted scope and actions.
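Both halves of the flow described above, as an added Python example that is not the ticket's or Pulp's own code: the token server parses the requested scope into the `access` claim, signs the claims and returns the JSON body, and the registry side validates the Bearer header before checking the requested action against that claim. HS256 with a shared secret, the issuer and audience names and the `type:name:actions` scope format are assumptions here; the ticket suggests PyJWT and its sample token uses ES256 with a key id.

```python
import base64, hashlib, hmac, json, time, uuid

# Assumptions (not from the ticket): HS256 with a shared secret stands in for the ES256 key
# PyJWT would load from the file system; issuer and audience names are constructed.
SECRET = b"constructed-shared-secret"
ISSUER, AUDIENCE = "auth.pulp.example", "pulp-registry"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def parse_scope(scope: str) -> dict:
    """'repository:samalba/my-app:push,pull' -> one entry of the token's 'access' claim."""
    kind, name, actions = scope.split(":", 2)
    return {"type": kind, "name": name, "actions": actions.split(",")}

def issue_token(scope: str, ttl: int = 3600, now=None) -> dict:
    """Token-server side: the JSON body the ticket shows (token, expires_in, issued_at)."""
    now = int(time.time()) if now is None else now
    claims = {"iss": ISSUER, "sub": "", "aud": AUDIENCE,  # "sub" is empty: no user auth here
              "exp": now + ttl, "nbf": now, "iat": now, "jti": uuid.uuid4().hex,
              "access": [parse_scope(scope)]}
    header = _b64(json.dumps({"typ": "JWT", "alg": "HS256"}).encode())
    signing_input = header + "." + _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return {"token": signing_input + "." + _b64(sig), "expires_in": ttl,
            "issued_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(now))}

def verify_bearer(authorization: str, repo: str, action: str, now=None) -> bool:
    """Registry side: check signature, issuer/audience and validity window, then the scope."""
    now = int(time.time()) if now is None else now
    if not authorization.startswith("Bearer "):
        return False
    try:
        h, p, s = authorization[len("Bearer "):].split(".")
        header, claims = json.loads(_unb64(h)), json.loads(_unb64(p))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return False
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the token's own "alg"
        return False
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64(expected), s):
        return False
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return False
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        return False
    return any(a.get("type") == "repository" and a.get("name") == repo
               and action in a.get("actions", []) for a in claims.get("access", []))
```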

It is possible to reuse the deleted implementation of JWT. It was deleted because there was no viable use case for it at the time.