[Pulp-list] external authentication/authorization

Brian Bouterse bbouters at redhat.com
Fri Sep 2 14:14:36 UTC 2016


FYI, the planning for user/auth for 3.0 is happening here [0]. Consider 
posting thoughts/requirements/ideas onto that issue. I'm particularly 
interested in answers to these two questions:

What are your authentication use cases?
What are your authorization use cases?

[0]: https://pulp.plan.io/issues/2090

-Brian

On 09/02/2016 04:16 AM, Vladimir Vasilev wrote:
> Still same problem, no authorization.
>
> Kodiak, I found the old thread [1] and will talk with Michael.
> Thanks
>
> [1] https://www.redhat.com/archives/pulp-list/2016-July/msg00034.html
>
> On 09/02/16 09:53, Konstantin M. Khankin wrote:
>> You may try to use PAM to hook up authentication to any external
>> source. This is how I connected it to FreeIPA:
>> <Location /pulp/api/v2/actions/login>
>>     AuthType Basic
>>     AuthBasicProvider PAM
>>     AuthPAMService pulp
>>     AuthName "Pulp"
>>     Require valid-user
>> </Location>
>>
>> # cat /etc/pam.d/pulp
>> auth    required   pam_sss.so
>> account required   pam_sss.so
>>
>> 2016-09-02 0:50 GMT+03:00 Jay Medrano <jay.medrano at neulion.com>:
>>
>>     I have the exact same issue... my cookbook/runbook instructions
>>     for setting up a pulp server require setting up users with
>>     passwords that are never actually used. The users are created that
>>     way so that they can be added to the admin group. If the LDAP
>>     feature is deprecated, there should be a better way to manage
>>     users via Apache auth groups, but at this point it doesn't seem
>>     that way.
>>
>>
>>
>>     On a similar topic... Here is a code snippet related to some
>>     changes I made to the Apache auth section to allow LDAP auth when
>>     using the pulp-admin client. Notice that I'm using the User-Agent
>>     header to determine if LDAP auth is required, and I'm also
>>     defaulting to Apache auth when the login page is requested. This
>>     allows LDAP auth to work when requesting a cert from the
>>     pulp-admin client and also for the REST API. This also works when
>>     wget/curl calls submit data to Pulp.
>>
>>
>>
>>     <Files webservices.wsgi>
>>         # pass everything that isn't a Basic auth request through to Pulp
>>         SetEnvIf Request_URI "^/pulp/api/v2/actions/login/" USE_APACHE_AUTH=1
>>         # any request that sends a non-empty User-Agent header also goes
>>         # through Apache auth
>>         SetEnvIfNoCase ^User-Agent$ .+ USE_APACHE_AUTH=1
>>         Order allow,deny
>>         # only requests without the flag skip Apache auth; Satisfy Any lets
>>         # either this host/env rule or a valid-user login grant access
>>         Allow from env=!USE_APACHE_AUTH
>>         Satisfy Any
>>     </Files>
>>
>>
>>
>>
>>
>>     From: pulp-list-bounces at redhat.com [mailto:pulp-list-bounces at redhat.com] On Behalf Of Kodiak Firesmith
>>     Sent: Thursday, September 01, 2016 2:46 PM
>>     To: Vladimir Vasilev <vvasilev at redhat.com>
>>     Cc: pulp-list <pulp-list at redhat.com>
>>     Subject: Re: [Pulp-list] external authentication/authorization
>>
>>
>>
>>     I'm pretty sure the answer in Pulp's current form is: no.
>>
>>     But your request might be a great suggestion to make in an earlier
>>     (June? July?) thread requesting feedback on Pulp 3.x auth - it'll
>>     be completely different so it's a blank slate to work with.
>>     Please check out the archives and reply to that thread with your
>>     auth needs and wants.
>>
>>
>>
>>     As an Active Directory user (mod_auth_gssapi), I agree that being
>>     able to tie in AD names and groups in authorization would be a
>>     great improvement.
>>
>>
>>
>>      - Kodiak
>>
>>
>>
>>     On Thu, Sep 1, 2016 at 3:47 PM, Vladimir Vasilev
>>     <vvasilev at redhat.com> wrote:
>>
>>         Hi all,
>>
>>         I'm trying to set up Pulp with external authentication and
>>         authorization against an LDAP server.
>>         According to the docs, direct LDAP access from Pulp is
>>         deprecated, so I followed "Apache Preauthentication" [1].
>>         Authentication works fine; Pulp trusts Apache httpd with the
>>         REMOTE_USER variable set.
>>         The problem is that the same LDAP user needs to exist in the
>>         internal Pulp database as well.
>>
>>         Is there a way to move both authentication and authorization
>>         to an external provider like LDAP?
>>         At the end of the day I want to grant admin access to all LDAP
>>         accounts which are members of a particular group (memberOf
>>         attribute) without making local Pulp accounts.
>>
>>         Thanks,
>>         Vova
>>
>>         [1] https://docs.pulpproject.org/user-guide/authentication.html
>>
>>
>>
>>         _______________________________________________
>>         Pulp-list mailing list
>>         Pulp-list at redhat.com <mailto:Pulp-list at redhat.com>
>>         https://www.redhat.com/mailman/listinfo/pulp-list
>>         <https://www.redhat.com/mailman/listinfo/pulp-list>
>>
>>
>> --
>> Ханкин Константин
>
> --
> Vladimir Vasilev
> Senior Systems Administrator
> PnT DevOps - System Operations
> Red Hat Czech s.r.o., Purkynova 99, 612 00 Brno, Czech Republic
> Work: +420 532-294-569
> Cell: +420 737-080-404
>
>
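As an added example (not code from this thread, from Pulp, or from Apache), the following Python model replays the access decision that Jay's `<Files webservices.wsgi>` block expresses (the two SetEnvIf rules, `Order allow,deny` with `Allow from env=!USE_APACHE_AUTH`, and `Satisfy Any`) over a handful of constructed sample requests. It assumes that a `Require valid-user` Basic auth (LDAP or PAM, as in the login `<Location>` quoted earlier) applies to the same files, and it models Pulp's own authentication of passed-through requests as a client-certificate check, which is a simplification. What it makes visible is that the Apache layer only fronts requests that hit the login URI or send a User-Agent; every other request is handed straight to Pulp, so Pulp's own authentication has to stay enabled and is the real gate for that traffic.

```python
"""Model of the Apache access decision from the <Files webservices.wsgi> block:
two SetEnvIf rules, Order allow,deny with Allow from env=!USE_APACHE_AUTH,
and Satisfy Any.

Constructed example for this thread, not Pulp or Apache code.  Assumes that a
`Require valid-user` (Basic auth against LDAP/PAM) applies to the same files,
and that requests Apache passes through are authenticated by Pulp itself via
a client certificate, modelled here as a boolean on the request."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# SetEnvIf Request_URI "^/pulp/api/v2/actions/login/" USE_APACHE_AUTH=1
LOGIN_URI = re.compile(r"^/pulp/api/v2/actions/login/")


@dataclass
class Request:
    uri: str
    headers: dict[str, str] = field(default_factory=dict)
    basic_auth_ok: bool = False    # would AuthBasicProvider accept the credentials?
    client_cert_ok: bool = False   # would Pulp's own cert auth accept the request?


def use_apache_auth(req: Request) -> bool:
    """True when either SetEnvIf rule would set USE_APACHE_AUTH=1."""
    if LOGIN_URI.search(req.uri):
        return True
    # SetEnvIfNoCase ^User-Agent$ .+ USE_APACHE_AUTH=1 : header name is
    # matched case-insensitively, and the value must be non-empty.
    user_agent = next((v for k, v in req.headers.items() if k.lower() == "user-agent"), "")
    return bool(re.search(r".+", user_agent))


def apache_decision(req: Request) -> tuple[bool, str]:
    """Order allow,deny + Allow from env=!USE_APACHE_AUTH + Satisfy Any.

    Satisfy Any grants access if the host/env rule passes OR the user
    authenticates.  The Allow rule matches only when the flag is NOT set."""
    if not use_apache_auth(req):
        return True, "passthrough: no Apache auth, Pulp authenticates the request"
    if req.basic_auth_ok:
        return True, "apache-auth: Basic/LDAP credentials accepted, REMOTE_USER set"
    return False, "denied: 401 from Apache"


def end_to_end(req: Request) -> str:
    """Outcome after both the Apache layer and Pulp's own authentication."""
    granted, reason = apache_decision(req)
    if not granted:
        return reason
    if reason.startswith("passthrough") and not req.client_cert_ok:
        # Apache let the request by; Pulp's own auth is the only gate left.
        return "denied: 401 from Pulp (no valid client certificate)"
    return "granted: " + reason


# Constructed sample traffic (not captured from a real deployment).
SAMPLES = {
    "pulp-admin login, good LDAP password": Request(
        "/pulp/api/v2/actions/login/", {"User-Agent": "pulp-admin/2.8"}, basic_auth_ok=True),
    "pulp-admin login, bad LDAP password": Request(
        "/pulp/api/v2/actions/login/", {"User-Agent": "pulp-admin/2.8"}),
    "curl with UA and no credentials": Request(
        "/pulp/api/v2/repositories/", {"user-agent": "curl/7.47"}),
    "client with cert, no User-Agent": Request(
        "/pulp/api/v2/repositories/", client_cert_ok=True),
    "client without cert, no User-Agent": Request(
        "/pulp/api/v2/repositories/"),
    "login URI without User-Agent, no credentials": Request(
        "/pulp/api/v2/actions/login/"),
}


def report() -> dict[str, str]:
    """Outcome for every sample request, keyed by its label."""
    return {label: end_to_end(req) for label, req in SAMPLES.items()}


if __name__ == "__main__":
    for label, outcome in report().items():
        print(f"{label:45s} -> {outcome}")
```

Running the script prints one line per sample request. The two "no User-Agent" rows are the ones to check in a real deployment: they never reach `Require valid-user`, so whatever Pulp does with a request that carries no REMOTE_USER (certificate auth, or rejection) is the effective policy for them.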
