-
Notifications
You must be signed in to change notification settings - Fork 112
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Refactor repo auth to use entrypoints
Pulp's repo auth now allows for pluggable authentication methods. These can be configured via a new entry point. The `repo_auth.wsgi` file was also refactored to move code into a Python module to make testing easier. More information is available in the 'contentauth' doc. Additionally, the 'auth_handler_framework' was determined to be unused and has been removed. fixes #720
- Loading branch information
Showing
11 changed files
with
257 additions
and
294 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,45 @@ | ||
.. _content_auth_mechanisms: | ||
|
||
Content Authentication Mechanisms | ||
================================= | ||
|
||
Pulp allows administrators to require users to authenticate in order to receive | ||
content. Typically this is done by checking an SSL client certificate. | ||
|
||
Content authentication is primarly done in conjunction with a Katello instance | ||
and is outside the scope of this document. However, users may want to add their | ||
own authentication methods. This is done by writing a method that returns | ||
either True or False depending on if the user is allowed access and then | ||
telling Pulp about this method via Python entry points. | ||
|
||
Note that **all** authenticators must return True in order to let the request | ||
through. Authentication is typically based on the contents of the ``environ`` | ||
parameter. This is a dictionary containing various environment variables from | ||
Apache. When authoring plugins, it may be helpful to log the contents of | ||
``environ`` to see what is being passed in. | ||
|
||
For example, if you wanted to create a simple method that let everyone through | ||
but logged a message, you could do something like this: | ||
|
||
:: | ||
def authenticate(environ): | ||
print "No checking here, just let the user through!" | ||
return True | ||
|
||
Then, tell Pulp about this via an entry point in ``setup.py``. In this example, | ||
our ``authenticate()`` method lives in ``example_auth.example``. | ||
|
||
:: | ||
|
||
entry_points={ | ||
'pulp_content_authenticators': [ | ||
'example_auth=example_auth.example:authenticate' | ||
] | ||
} | ||
|
||
You should be all set at this point. Simply make a request and check | ||
``/var/log/httpd/error_log`` to see if the message printed. Your request will | ||
need to pass all auth checks to see the log message; once one check fails then | ||
the rest are not executed. If the ``authenticate`` method raises an exception | ||
for any reason then mod_wsgi will write a message to ``ssl_error_log`` and deny | ||
the request. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,65 @@ | ||
======================= | ||
Pulp 2.7 Release Notes | ||
======================= | ||
|
||
Pulp 2.7.0 | ||
========== | ||
|
||
New Features | ||
------------ | ||
|
||
- Pulp now allows users to add their own :ref:`content authentication mechanisms <content_auth_mechanisms>`. | ||
|
||
Deprecation | ||
----------- | ||
|
||
.. _2.6.x_upgrade_to_2.7.0: | ||
|
||
Upgrade Instructions for 2.6.x --> 2.7.0 | ||
----------------------------------------- | ||
|
||
All services should be stopped. At that point you can issue an upgrade via: | ||
|
||
:: | ||
|
||
sudo yum update | ||
|
||
After yum completes you should migrate the database using: | ||
|
||
:: | ||
|
||
sudo -u apache pulp-manage-db | ||
|
||
After the database migrations finish, restart `httpd`, `pulp_workers`, `pulp_celerybeat`, and | ||
`pulp_resource_manager`. | ||
|
||
Bugs | ||
---- | ||
|
||
This release has fixes for :fixedbugs:`these issues <2.7.0>`. | ||
|
||
Known Issues | ||
------------ | ||
|
||
* None at this time. | ||
|
||
Client Changes | ||
-------------- | ||
|
||
Agent Changes | ||
------------- | ||
|
||
Rest API Changes | ||
---------------- | ||
|
||
Binding API Changes | ||
------------------- | ||
|
||
Plugin API Changes | ||
------------------ | ||
|
||
Thank You | ||
--------- | ||
|
||
Thank you to all of Pulp's contributors, especially these new ones! | ||
|
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,40 @@ | ||
from pkg_resources import iter_entry_points | ||
|
||
from pulp.repoauth import auth_enabled_validation | ||
|
||
AUTH_ENTRY_POINT = 'pulp_content_authenticators' | ||
|
||
|
||
def allow_access(environ, host): | ||
""" | ||
Hook into mod_wsgi to be invoked when a request is determining | ||
authentication. If the authentication is successful, this method returns | ||
True. If validation fails, False is returned. | ||
:param environ: environ passed in from mod_wsgi | ||
:type environ: dict of env vars | ||
:param host: hostname passed from mod_wsgi (not used) | ||
:type host: str | ||
:return: True if the request is authorized or validation is disabled, otherwise False. | ||
:rtype: Boolean | ||
""" | ||
|
||
# If auth is disabled, then let the request continue. Note that this returns | ||
# True if auth is disabled. | ||
if auth_enabled_validation.authenticate(environ): | ||
return True | ||
|
||
# find all of the authenticator methods we need to try | ||
authenticators = {} | ||
for ep in iter_entry_points(group=AUTH_ENTRY_POINT): | ||
authenticators.update({ep.name: ep.load()}) | ||
|
||
# loop through authenticators. If any return False, kick the user out. | ||
for auth_method in authenticators: | ||
if not authenticators[auth_method](environ): | ||
return False | ||
|
||
# if we get this far then the user is authorized | ||
return True |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file was deleted.
Oops, something went wrong.
Oops, something went wrong.