[Pulp-list] pulpcore-client 3.2 ldap authentication

Dennis Kliban dkliban at redhat.com
Wed Apr 22 10:52:11 UTC 2020


You need to replace

REST_FRAMEWORK['DEFAULT_AUTHENTICATION_CLASSES'] =

with

REST_FRAMEWORK__DEFAULT_AUTHENTICATION_CLASSES =

On Tue, Apr 21, 2020 at 10:09 PM Bin Li (BLOOMBERG/ 120 PARK) <
bli111 at bloomberg.net> wrote:

> This setting actually failed to restart pulp. See errors below.
>
> Apr 21 21:56:27 ip-1-76-158-49 gunicorn[24414]: NameError: name
> 'REST_FRAMEWORK' is not defined
> Apr 21 21:56:27 ip-1-76-158-49 gunicorn[24414]: [2020-04-21 21:56:27
> -0400] [24417] [INFO] Worker exiting (pid: 24417)
> Apr 21 21:56:27 ip-1-76-158-49 gunicorn[24414]: [2020-04-21 21:56:27
> -0400] [24414] [INFO] Shutting down: Master
> Apr 21 21:56:27 ip-1-76-158-49 gunicorn[24414]: [2020-04-21 21:56:27
> -0400] [24414] [INFO] Reason: Worker failed to boot.
> Apr 21 21:56:27 ip-1-76-158-49 systemd[1]: pulpcore-api.service: main
> process exited, code=exited, status=3/NOTIMPLEMENTED
> Apr 21 21:56:27 ip-1-76-158-49 systemd[1]: Unit pulpcore-api.service
> entered failed state.
> Apr 21 21:56:27 ip-1-76-158-49 systemd[1]: pulpcore-api.service failed.
> Apr 21 21:56:27 ip-1-76-158-49 systemd[1]:
> pulpcore-resource-manager.service holdoff time over, scheduling restart.
>
>
> From: Bin Li (BLOOMBERG/ 120 PARK) At: 04/21/20 21:32:49
> To: dkliban at redhat.com
> Cc: pulp-list at redhat.com
> Subject: Re: [Pulp-list] pulpcore-client 3.2 ldap authentication
>
> Yes, I did
> # pip list |grep dynaconf
> dynaconf 3.0.0rc1
>
>
> From: dkliban at redhat.com At: 04/21/20 20:01:00
> To: Bin Li (BLOOMBERG/ 120 PARK ) <bli111 at bloomberg.net>
> Cc: pulp-list at redhat.com
> Subject: Re: [Pulp-list] pulpcore-client 3.2 ldap authentication
>
> Did you update dynaconf to 3.0.0rc1? There was a bug that caused the
> settings to get merged instead of overwritten.
>
> [0] https://pulp.plan.io/issues/6244
> [1] https://pypi.org/project/dynaconf/3.0.0rc1/
>
> On Tue, Apr 21, 2020 at 5:59 PM Bin Li (BLOOMBERG/ 120 PARK) <
> bli111 at bloomberg.net> wrote:
>
>> I have followed the setup
>> https://www.nginx.com/blog/nginx-plus-authenticate-users/ to set up nginx
>> LDAP authentication.
>>
>> This command works "http -a admin:password GET
>> localhost/pulp/api/v3/repositories/rpm/rpm/ Cookie:nginxauth=XXXXXXX". The
>> Cookie is the base64 encoded ldap username and password.
>>
>> I assume I should follow the below so I don't have to specify admin:pwd
>>
>> https://docs.pulpproject.org/installation/authentication.html#webserver-auth-with-reverse-proxy
>>
>> Adding the below to settings.py doesn't seem to work.
>> REMOTE_USER_ENVIRON_NAME = 'HTTP_REMOTE_USER'
>> AUTHENTICATION_BACKENDS = ['pulpcore.app.authentication.PulpNoCreateRemoteUserBackend']
>> REST_FRAMEWORK['DEFAULT_AUTHENTICATION_CLASSES'] = (
>>     'rest_framework.authentication.SessionAuthentication',
>>     'pulpcore.app.authentication.PulpRemoteUserAuthentication'
>> )
>>
>> I am a little confused about what needs to be added for this setup.
>> nginx <---http---> gunicorn <----WSGI----> pulpcore.app.wsgi application
>>
>> Please advise
>> Thanks
>>
>>
>> From: dkliban at redhat.com At: 04/17/20 10:45:31
>> To: Bin Li (BLOOMBERG/ 120 PARK ) <bli111 at bloomberg.net>
>> Cc: pulp-list at redhat.com
>> Subject: Re: [Pulp-list] pulpcore-client 3.2 ldap authentication
>>
>> Theoretically you should be able to use pulpcore-client even with LDAP
>> authentication in the web server. However, I have not tested this. I've
>> only helped users that use certificate authentication in the webserver.
>> What error are you seeing on the client side? Do you see any errors in pulp
>> logs?
>>
>> On Fri, Apr 17, 2020 at 10:20 AM Bin Li (BLOOMBERG/ 120 PARK) <
>> bli111 at bloomberg.net> wrote:
>>
>>> Thanks Dennis.
>>>
>>> We use the pulpcore Python client to interact with the API. Once we enable
>>> LDAP on nginx, the code below that pulpcore-client uses to authenticate will
>>> not work any more. I am wondering if we are still able to use pulpcore-client,
>>> or whether we have to rewrite the client code. This sounds like too much work
>>> for us for now.
>>> configuration = pulpcore.Configuration()
>>> configuration.host = 'http://localhost'
>>> configuration.username = 'admin'
>>> configuration.password = 'pwd'
>>> rpm_client = pulp_rpm.ApiClient(configuration)
>>>
>>> From: dkliban at redhat.com At: 04/16/20 08:38:38
>>> To: Bin Li (BLOOMBERG/ 120 PARK ) <bli111 at bloomberg.net>
>>> Cc: pulp-list at redhat.com
>>> Subject: Re: [Pulp-list] pulpcore-client 3.2 ldap authentication
>>>
>>> Please be aware that there is a bug in dynaconf 2.2 with how settings
>>> are merged[0]. I recommend upgrading it to dynaconf 3.0.0rc1 for best
>>> results when configuring authentication backends in pulp.
>>>
>>> [0] https://pulp.plan.io/issues/6244
>>> [1] https://pypi.org/project/dynaconf/3.0.0rc1/
>>>
>>>
>>> On Wed, Apr 15, 2020 at 7:02 PM Dennis Kliban <dkliban at redhat.com>
>>> wrote:
>>>
>>>> Pulp 3 does not currently support multiple users. We are planning to
>>>> add support for RBAC in the near future. However, I don't have a concrete
>>>> timeline for that. With all that said, you still can configure the web
>>>> server to perform authentication[0]. In this case Pulp will stop performing
>>>> authentication and will simply look for a WSGI environment variable that
>>>> contains the username.
>>>>
>>>> [0]
>>>> https://docs.pulpproject.org/installation/authentication.html#webserver-auth
>>>> [1]
>>>> https://docs.pulpproject.org/settings.html?highlight=remote_user#remote-user-environ-name
>>>>
>>>> On Wed, Apr 15, 2020 at 3:19 PM Bin Li (BLOOMBERG/ 120 PARK) <
>>>> bli111 at bloomberg.net> wrote:
>>>>
>>>>>
>>>>> I am thinking of configuring nginx with ldap authentication, but I
>>>>> couldn't find a way to interact with the api. Does pulpcore-client work
>>>>> with ldap authentication? Has anyone made httpie work with ldap?
>>>>>
>>>>> Thanks
>>>>
>>>>
>>>
>>
>
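
A simplified model of the fix at the top of this message, added here as an example and not code from Pulp, dynaconf or either poster: it runs the settings text in an empty namespace (which is why `REST_FRAMEWORK[...] =` raises the NameError in the log) and treats `__` in a name as a path into a nested setting. The loader, its `merge` switch and the default class list are constructed for illustration; `merge=True` models the merge-instead-of-overwrite behaviour mentioned for the older dynaconf, where a default authentication class stays active next to the remote-user one.

```python
import copy

# Constructed defaults standing in for the application's built-in settings.
DEFAULTS = {"REST_FRAMEWORK": {"DEFAULT_AUTHENTICATION_CLASSES": (
    "rest_framework.authentication.SessionAuthentication",
    "rest_framework.authentication.BasicAuthentication",
)}}

# The override as first posted in the thread, and the corrected form.
BROKEN = """
REST_FRAMEWORK['DEFAULT_AUTHENTICATION_CLASSES'] = (
    'rest_framework.authentication.SessionAuthentication',
    'pulpcore.app.authentication.PulpRemoteUserAuthentication',
)
"""
FIXED = BROKEN.replace("REST_FRAMEWORK['DEFAULT_AUTHENTICATION_CLASSES']",
                       "REST_FRAMEWORK__DEFAULT_AUTHENTICATION_CLASSES")


def load_overrides(source, defaults=DEFAULTS, merge=False):
    """Run a settings file in its own namespace, then layer it on the defaults."""
    namespace = {}
    exec(source, namespace)  # the defaults are NOT visible to the file
    settings = copy.deepcopy(defaults)
    for key, value in namespace.items():
        if not key.isupper():
            continue  # skips __builtins__ and lower-case helper names
        *parents, leaf = key.split("__")  # A__B sets settings["A"]["B"]
        node = settings
        for part in parents:
            node = node.setdefault(part, {})
        if merge and isinstance(node.get(leaf), tuple):
            # Model of the merge behaviour: defaults are kept, new items appended.
            value = node[leaf] + tuple(v for v in value if v not in node[leaf])
        node[leaf] = value
    return settings


def auth_classes(settings):
    """Effective DRF authentication classes after the override is applied."""
    return settings["REST_FRAMEWORK"]["DEFAULT_AUTHENTICATION_CLASSES"]
```
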