[Pulp-list] external authentication/authorization
Brian Bouterse
bbouters at redhat.com
Fri Sep 2 14:14:36 UTC 2016
FYI, the planning for user/auth for 3.0 is happening here [0]. Consider
posting thoughts/requirements/ideas onto that issue. I'm particularly
interested in answers to these two questions:
What are your authentication use cases?
What are your authorization use cases?
[0]: https://pulp.plan.io/issues/2090
-Brian
On 09/02/2016 04:16 AM, Vladimir Vasilev wrote:
> Still same problem, no authorization.
>
> Kodiak, I found the old thread [1] and will talk with Michael.
> Thanks
>
> [1] https://www.redhat.com/archives/pulp-list/2016-July/msg00034.html
>
> On 09/02/16 09:53, Konstantin M. Khankin wrote:
>> You may try to use PAM to hook up authentication to any external
>> source. This is how I connected it to FreeIPA:
>> <Location /pulp/api/v2/actions/login>
>>     # mod_authnz_pam: verify the Basic-auth password against the "pulp" PAM service
>>     AuthType Basic
>>     AuthBasicProvider PAM
>>     AuthPAMService pulp
>>     AuthName "Pulp"
>>     Require valid-user
>> </Location>
>>
>> # cat /etc/pam.d/pulp
>> # pam_sss.so hands both the password check and the account check to SSSD (here backed by FreeIPA)
>> auth    required pam_sss.so
>> account required pam_sss.so
>>
>> 2016-09-02 0:50 GMT+03:00 Jay Medrano <jay.medrano at neulion.com
>> <mailto:jay.medrano at neulion.com>>:
>>
>> I have the exact same issue... my cookbook/runbook instructions
>> for setting up a pulp server require setting up users with
>> passwords that are never actually used. The users are created that
>> way so that they can be added to the admin group. If the LDAP
>> feature is deprecated, there should be a better way to manage
>> users via Apache auth groups, but at this point it doesn't seem
>> that way.
>>
>> On a similar topic... Here is a code snippet related to some
>> changes I made to the Apache auth section to allow LDAP auth when
>> using the pulp-admin client. Notice that I'm using the User-Agent
>> header to determine if LDAP auth is required, and I'm also
>> defaulting apache auth when the login page is requested. This
>> allows LDAP auth to work when requesting a cert from the
>> pulp-admin client and also for the REST api. This also works when
>> wget/curl calls submit data to pulp.
>>
>> <Files webservices.wsgi>
>>     # pass everything that isn't a Basic auth request through to Pulp
>>     # the login endpoint always goes through Apache (LDAP) auth
>>     SetEnvIf Request_URI "^/pulp/api/v2/actions/login/" USE_APACHE_AUTH=1
>>     # any request carrying a non-empty User-Agent header also goes through Apache auth
>>     SetEnvIfNoCase ^User-Agent$ .+ USE_APACHE_AUTH=1
>>     # Apache 2.2 access control: requests without USE_APACHE_AUTH satisfy the
>>     # "Allow" rule and skip the auth requirement, so they reach Pulp directly
>>     Order allow,deny
>>     Allow from env=!USE_APACHE_AUTH
>>     Satisfy Any
>> </Files>
>>
>> From: pulp-list-bounces at redhat.com On Behalf Of Kodiak Firesmith
>> Sent: Thursday, September 01, 2016 2:46 PM
>> To: Vladimir Vasilev <vvasilev at redhat.com>
>> Cc: pulp-list <pulp-list at redhat.com>
>> Subject: Re: [Pulp-list] external authentication/authorization
>>
>> I'm pretty sure the answer in Pulp's current form is: no.
>>
>> But your request might be a great suggestion to make in an earlier
>> (June? July?) thread requesting feedback on Pulp 3.x auth - it'll
>> be completely different so it's a blank slate to work with.
>> Please check out the archives and reply to that thread with your
>> auth needs and wants.
>>
>> As an Active Directory user (mod_auth_gssapi), I agree that being
>> able to tie in AD names and groups in authorization would be a
>> great improvement.
>>
>> - Kodiak
>>
>> On Thu, Sep 1, 2016 at 3:47 PM, Vladimir Vasilev <vvasilev at redhat.com> wrote:
>>
>> Hi all,
>>
>> I'm trying to set up Pulp with external authentication and authorization
>> against an LDAP server.
>> According to the docs, direct LDAP access from Pulp is deprecated, so I
>> followed "Apache Preauthentication" [1].
>> Authentication works fine; Pulp trusts Apache httpd with the REMOTE_USER
>> variable set.
>> The problem is that the same LDAP user needs to exist in the internal Pulp
>> database as well.
>>
>> Is there a way to move both authentication and authorization to an external
>> provider like LDAP?
>> At the end of the day I want to grant admin access to all LDAP accounts
>> which are members of a particular group (memberOf attribute) without making
>> local Pulp accounts.
>>
>> Thanks,
>> Vova
>>
>> [1] https://docs.pulpproject.org/user-guide/authentication.html
>>
>> _______________________________________________
>> Pulp-list mailing list
>> Pulp-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/pulp-list
>>
>> --
>> Ханкин Константин
>
> --
> Vladimir Vasilev
> Senior Systems Administrator
> PnT DevOps - System Operations
> Red Hat Czech s.r.o., Purkynova 99, 612 00 Brno, Czech Republic
> Work: +420 532-294-569
> Cell: +420 737-080-404
>
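The requirement Vladimir states above, admin access for members of one LDAP group without per-user Apache configuration, can be expressed on the httpd side with mod_authnz_ldap's group-based authorization. The fragment below is an added example, not configuration posted in this thread or shipped by the Pulp project, and uses httpd 2.4 syntax; the server name, bind DN, base DN and group DN are placeholders. It controls who can authenticate at the login endpoint at all, which is stricter than the "Require valid-user" in the PAM example earlier in the thread. It does not remove the limitation the thread describes: Pulp still looks up its own user record for authorization, so a matching local Pulp user is still needed on the Pulp side.

```apache
# Added example: LDAP authentication plus LDAP-group authorization for the
# Pulp login endpoint, via mod_authnz_ldap (httpd 2.4). All DNs and the
# directory host name are placeholders, not values from the thread.
<Location /pulp/api/v2/actions/login>
    AuthType Basic
    AuthName "Pulp"
    AuthBasicProvider ldap

    # Use LDAPS so the user's password is not sent in the clear to the directory.
    # Search under ou=People for an entry whose uid equals the supplied login name.
    AuthLDAPURL "ldaps://ldap.example.com/ou=People,dc=example,dc=com?uid?sub?(objectClass=person)"

    # Read-only service account used for the search; the password is read from a
    # program's stdout (httpd 2.4.5+ "exec:" form) rather than stored in the config.
    AuthLDAPBindDN "uid=pulp-httpd,ou=Services,dc=example,dc=com"
    AuthLDAPBindPassword "exec:/usr/local/bin/pulp-ldap-bind-password"

    # The group object lists members by full DN in its "member" attribute
    # (FreeIPA / 389-ds style). For a posixGroup keyed on memberUid, use
    # "AuthLDAPGroupAttribute memberUid" and "AuthLDAPGroupAttributeIsDN off".
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on

    # Authorization: only members of this group may obtain a Pulp login.
    # "Require valid-user" here would admit every account in the directory.
    Require ldap-group cn=pulp-admins,ou=Groups,dc=example,dc=com
</Location>
```

Check the syntax with `httpd -t` before reloading, then try the endpoint with an account inside and one outside the group (for example `curl -u someuser https://pulp.example.com/pulp/api/v2/actions/login`, with the host name again a placeholder): the non-member must be refused by httpd before Pulp sees the request, and the member still only gets the permissions of the Pulp user of the same name.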