Bug 758932

Summary: Apply and enforce user access controls
Product: [Community] PulpDist Reporter: Nick Coghlan <ncoghlan>
Component: Web AppAssignee: Nick Coghlan <ncoghlan>
Status: CLOSED NEXTRELEASE QA Contact:
Severity: unspecified Docs Contact:
Priority: medium    
Version: unspecified   
Target Milestone: 0.1.0   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-02-07 05:03:17 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 758933    

Description Nick Coghlan 2011-12-01 01:16:31 UTC 
The PulpDist web application is currently completely open - there's no requirement to be logged in as a recognised user.

This needs to change, with the following guidelines:

- *everything* requires an active login, including access to the REST API
- the *only* thing that can be updated via the web app is the list of registered servers. Everything else is handled via direct execution of commands against the back end Pulp servers (primarily via scripts that read JSON files).
- two forms of auth will be supported initially:
  - native (via Django's internal auth) (for Apache-independent automated testing)
  - external (e.g. via Apache Basic Auth or Kerberos)
Comment 1 Nick Coghlan 2011-12-14 01:02:30 UTC 
*Should* be done now, but needs to be tested with Apache handling the authentication (requires a staging server with Kerberos or some dummy Basic Auth users set up)
Comment 2 Nick Coghlan 2012-02-06 03:43:27 UTC 
Basic access is working, but:

1. Logging out doesn't currently work (since the web server just passes the user credentials back in anyway)
2. The remote user backend needs to be customised so that configured site administrators are correctly granted site administration privileges
Comment 3 Nick Coghlan 2012-02-07 05:03:17 UTC 
All done in Git. The log out issue is still unresolved (since the web browser retains the Kerberos token and the only way I know how to drop it is to restart the client), but this has been handled via the simple expedient of not displaying a "logout" link when using Kerberos.