[Pulp-list] Issuing API commands to CDS
Stephen Benjamin
stbenjam at redhat.com
Fri Feb 24 14:14:17 UTC 2012
Also to make this work I installed qpid-server and qpid-tools on the CDS, and linked them and shared the heartbeat topic:
On Server:
qpid-route link add pulp-server.example.com pulp-cds.example.com --durable
qpid-route dynamic add pulp-server.example.com pulp-cds.example.com heartbeat --durable
On CDS:
qpid-route link add pulp-cds.example.com pulp-server.example.com --durable
qpid-route dynamic add pulp-cds.example.com pulp-server.example.com heartbeat --durable
Should any other topics be shared? And perhaps there's a better way to setup the qpidd on the CDS?
- Steve
----- Original Message -----
> From: "Stephen Benjamin" <stbenjam at redhat.com>
> To: pulp-list at redhat.com
> Sent: Friday, February 24, 2012 2:24:42 PM
> Subject: [Pulp-list] Issuing API commands to CDS
>
> Hi,
>
> I have a situation where the clients can only talk to the CDS in the
> datacenter, not the pulp server itself. It seems like a good idea
> that consumers could issue commands to the API instead of the CDS
> (like rhnproxy can accept API requests).
>
> Now I have it working to the CDS when you authenticate with with
> pulp-consumer (pulp-consumer -u blah -p blah consumer history) since
> that bypasses client certificate authentication, but I'd like to be
> able to use the certificate. Of course passing the client
> authentication would be difficult or impossible, since it's
> effectively a man-in-the-middle attack.
>
> I was thinking that maybe something like this would work:
>
> API call, auth to cds w/ client cert forwards api
> call, auth to pulp w/ cds ubercertificate
> [consumer] --------------------------------> [cds]
> --------------------------------------------------------> [pulp]
>
>
> If this were possible, then I guess a consumer could issue basically
> any command to pulp. This does work for our needs, though. Would
> this be possible today, for the cds to have it's own client
> certificate w/ more permissions?
>
> A complete solution would have the cds only let consumers issue
> commands for their own hostname I guess. Here's my
> /etc/httpd/conf.d/pulp-api.conf on my CDS, working w/
> username/password authentication:
>
>
> SSLProxyEngine on
> ProxyRequests On
>
> <Proxy *>
> Order deny,allow
> Allow from *.example.com
> </Proxy>
>
> <Location /pulp/api>
> SSLCACertificateFile /etc/pki/pulp/ca.crt
> SSLVerifyClient optional
> SSLVerifyDepth 2
> SSLOptions +StdEnvVars +ExportCertData +FakeBasicAuth
>
> ProxyPass https://pulp.example.com/pulp/api
> ProxyPassReverse https://pulp.example.com/pulp/api
> </Location>
>
>
>
> - Steve
>
>
>
> --
> Stephen Benjamin
> Red Hat GmbH
> http://europe.redhat.com/
> Mobile:+49(0)173-728-5703
>
>
>
> ______________________________________________________
> Reg. Adresse: Rudower Chaussee 29, D-12489 Berlin
> Handelsregister: Amtsgericht Muenchen HRB 153243
> Geschaeftsfuehrer: Mark Hegarty,Charlie Peters, Michael Cunningham,
> Charles Cachera
>
> _______________________________________________
> Pulp-list mailing list
> Pulp-list at redhat.com
> https://www.redhat.com/mailman/listinfo/pulp-list
>
More information about the Pulp-list
mailing list