Bug 831937
| Field | Value |
|---|---|
| Summary | [RFE] Support web server provided authentication for REST API |
| Product | [Retired] Pulp |
| Component | user-experience |
| Version | 2.0.6 |
| Status | CLOSED CURRENTRELEASE |
| Reporter | Nick Coghlan <ncoghlan> |
| Assignee | Sayli Karmarkar <skarmark> |
| QA Contact | Preethi Thomas <pthomas> |
| CC | achvatal, cperry, dgregor, jason.dobies, skarmark, tbielawa |
| Severity | unspecified |
| Priority | unspecified |
| Keywords | Triaged |
| Target Release | Sprint 40 |
| Hardware | Unspecified |
| OS | Unspecified |
| Type | Bug |
| Doc Type | Bug Fix |
| Last Closed | 2013-01-09 17:07:28 UTC |
Description
Nick Coghlan
2012-06-14 06:31:58 UTC
I've done some initial investigation into patching the version I'm currently using (since rebasing to a more recent version isn't an option right now), and it *looks* like the changes needed would be localised to:

- src/pulp/server/webservices/controllers/decorators.py
- src/pulp/server/webservices/http.py
- src/pulp/server/auth/authentication.py

And, of course, a customised version of /etc/httpd/conf.d/pulp.conf that disables WSGIPassAuthorization and configures mod_auth_kerb (and probably mod_authnz_ldap) appropriately instead.

(These are the old paths - adjust appropriately for the new tree layout.)

I'm currently thinking an API like the following would make sense.

Add the following function to pulp.server.webservices.http:

```python
def preauthenticated_username():
    """Checks for a user that has been preauthenticated by the web server"""
    # REMOTE_USER is the CGI/WSGI variable Apache sets once one of its
    # auth modules has verified the client. Keys of the form HTTP_* are
    # copied from client-supplied request headers, so HTTP_REMOTE_USER
    # must not be used here: a client could simply send "Remote-User: admin".
    auth = request_info('REMOTE_USER')
    if auth is not None:
        # Strip any Kerberos realm information
        # This won't be needed if KrbLocalUserMapping can handle it
        auth, __, __ = auth.partition("@")
    return auth
```

Modify pulp.server.webservices.controllers.decorators.auth_required to include an additional step before failing:

```python
# check_preauthenticated is a new authentication checker
if user is None:
    username = http.preauthenticated_username()
    if username is not None:
        user = check_preauthenticated(username)
```

pulp.server.auth.authentication.check_preauthenticated would work as follows:

- new optional [preauthenticated] section in pulp.conf
- default-role setting in this section determines the role assigned to previously unknown pre-authenticated users (as with the [ldap] section)

The behaviour of pulp.server.auth.authentication.check_preauthenticated would be:

- if there is no "[preauthenticated]" section defined, fail immediately
- if the user already exists locally, return their entry
- if the user does not exist, and "default-role" is not set, fail
- otherwise create them with the specified default role

Created attachment 595626
Patch to allow web server level preauthentication
Attached patch adds preauthentication support by always checking for REMOTE_USER before checking HTTP_AUTHORIZATION (or the SSL client cert).
To create the user correctly, the existing "password=None" idiom is extended down into the LDAP lookup mechanism - if the user is preauthenticated, and exists in LDAP, then they will be added automatically with the default role configured in the LDAP settings.
If LDAP is not configured, then the user will be accepted only if they already exist in the database.
The patch is against the old tree layout - hopefully git will be able to follow the file moves and add the extra "platform/" directory in the appropriate places when importing the patch.
As an example of how this can be used in practice, a separate WSGIScriptAlias can be defined that refers to the Pulp API web service, but is configured for Apache level authentication checks:

```apache
WSGIScriptAlias /pulp/krb /srv/pulp/webservices.wsgi
<Location /pulp/krb>
    AuthName "Pulp API: Kerberos Login"
    AuthType Kerberos
    KrbMethodNegotiate on
    Require valid-user
    KrbAuthRealm EXAMPLE.COM
    KrbVerifyKDC off
    KrbMethodK5Passwd on
    Krb5Keytab /etc/httpd/conf/httpd.keytab
    KrbSaveCredentials on
    KrbLocalUserMapping On
</Location>
```

If a custom client is set up to connect to /pulp/krb instead of /pulp/api, then it can access all the usual Pulp REST API services, while using Kerberos (or any other Apache level authentication mechanism) for authentication checks.

Also of potential interest is the custom client I use to connect via Kerberos: http://git.fedorahosted.org/git/?p=pulpdist.git;a=blob;f=src/pulpdist/core/pulpapi.py;h=07dd04f40f474c6e8ab0fc99d8b0211020ab316f;hb=HEAD#l292 (there is also one in that file for connecting via OAuth)

Submitted pull request as part of authentication refactor and improvement.

commit ede2c0ce311282729a0fd0a9bbac908b6477975c
Merge: 020e58a 60ee634
Author: skarmark <skarmark>
Date: Fri Oct 5 15:30:48 2012 -0700

    Merge pull request #99 from pulp/sayli-authentication

    831937 - Added support for web server level authentication and major refactoring of authentication and auth decorator area.

build: 0.332

Pulp v2.0 released
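The flow proposed in the description and the attached patch, as an added stand-alone model that is not Pulp's code: it follows the description's `[preauthenticated]` / `default-role` design (the attached patch instead reuses the LDAP default role), checks REMOTE_USER before any other mechanism as the patch does, and shows why the pre-authenticated name has to come from the server-set REMOTE_USER variable and not from a client header. The in-memory user store, the configparser-based config handling, the `other_checkers` fall-back and the WSGI environs fed to `demo()` are all assumptions constructed for the example.

```python
"""Stand-alone model of web-server preauthentication as proposed in bug 831937.
Added example, not Pulp's code: UserStore, the configparser handling and the
other_checkers fall-back stand in for Pulp's own collections and pulp.conf."""
import configparser


def preauthenticated_username(environ):
    """Return the user the web server already authenticated, or None.

    REMOTE_USER is the CGI/WSGI variable Apache fills in after an auth module
    such as mod_auth_kerb has verified the client.  Keys beginning with HTTP_
    are copied from client request headers, so HTTP_REMOTE_USER is deliberately
    ignored: any client can send "Remote-User: admin" itself.
    """
    user = environ.get('REMOTE_USER')
    if not user:
        return None
    # Strip a Kerberos realm (alice@EXAMPLE.COM -> alice); redundant when
    # KrbLocalUserMapping has already done it inside Apache.
    user, _, _ = user.partition('@')
    return user or None


class UserStore:
    """Minimal in-memory stand-in for Pulp's user collection (assumption)."""

    def __init__(self):
        self._users = {}

    def find(self, login):
        return self._users.get(login)

    def create(self, login, roles):
        self._users[login] = {'login': login, 'roles': list(roles)}
        return self._users[login]


def check_preauthenticated(username, config, store):
    """The four rules from the description, in order.

    1. no [preauthenticated] section in pulp.conf  -> fail
    2. user already exists locally                  -> return that entry
    3. user unknown and default-role not set        -> fail
    4. otherwise                                    -> create with default-role
    """
    if not config.has_section('preauthenticated'):
        return None
    user = store.find(username)
    if user is not None:
        return user
    default_role = config.get('preauthenticated', 'default-role', fallback=None)
    if not default_role:
        return None
    return store.create(username, [default_role])


def auth_required(environ, config, store, other_checkers=()):
    """Order used by the attached patch: REMOTE_USER first, then the existing
    checkers (HTTP_AUTHORIZATION, client certificate), modelled here as
    callables that take the environ and return a user or None (assumption)."""
    username = preauthenticated_username(environ)
    if username is not None:
        user = check_preauthenticated(username, config, store)
        if user is not None:
            return user
    for checker in other_checkers:
        user = checker(environ)
        if user is not None:
            return user
    return None


def demo():
    """Run the checker over constructed WSGI environs; returns a dict of outcomes."""
    config = configparser.ConfigParser()
    config.read_string('[preauthenticated]\ndefault-role = consumer-users\n')
    store = UserStore()
    store.create('alice', ['super-users'])

    # Constructed environs, shaped like what mod_wsgi hands to the application.
    apache_alice = {'REMOTE_USER': 'alice@EXAMPLE.COM'}  # set by mod_auth_kerb
    apache_bob = {'REMOTE_USER': 'bob'}                   # unknown user, realm already mapped
    spoofed = {'HTTP_REMOTE_USER': 'alice'}               # client sent a Remote-User header
    nobody = {}                                           # no Apache auth on this path

    no_section = configparser.ConfigParser()              # feature not enabled at all
    no_role = configparser.ConfigParser()
    no_role.read_string('[preauthenticated]\n')           # enabled, but no default-role

    return {
        'alice': auth_required(apache_alice, config, store),
        'bob': auth_required(apache_bob, config, store),
        'spoofed': auth_required(spoofed, config, store),
        'nobody': auth_required(nobody, config, store),
        'no_section': auth_required(apache_alice, no_section, store),
        'no_role': auth_required({'REMOTE_USER': 'dave'}, no_role, store),
    }


if __name__ == '__main__':
    for name, user in demo().items():
        print(name, '->', user)
```

The `spoofed` case is the one to keep in mind: under PEP 3333 every client header becomes an HTTP_* key in the environ, so reading the pre-authenticated name from HTTP_REMOTE_USER would let a client that sends a Remote-User header name any existing user without presenting credentials, on the plain /pulp/api path as much as on /pulp/krb. One further caveat on the Apache snippet quoted above: KrbVerifyKDC off disables mod_auth_kerb's verification of the KDC against the host keytab, which is what protects the KrbMethodK5Passwd password path from a spoofed KDC; leave it on wherever the host keytab is available.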