Bug 1159067 - [RFE] allow Pulp admin to read user credentials from users admin.conf
Summary: [RFE] allow Pulp admin to read user credentials from users admin.conf
Alias: None
Product: Pulp
Classification: Retired
Component: z_other
Version: unspecified
Hardware: x86_64
OS: Linux
Target Milestone: ---
: 2.6.0
Assignee: vijaykumar.jain
QA Contact: Preethi Thomas
Depends On:
TreeView+ depends on / blocked
Reported: 2014-10-30 20:55 UTC by vijaykumar.jain
Modified: 2015-02-28 23:43 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1218539 (view as bug list)
Last Closed: 2015-02-19 01:20:10 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Pulp Redmine 266 0 None None None Never

Description vijaykumar.jain 2014-10-30 20:55:15 UTC
Description of problem:
We are using ldap for pulp auth.
now if we use pulp-admin cli multiple times, user does not like to enter password every time he runs the command. also he would not like to use --password field bcoz of security issue (ps | grep will show the password)

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:

Actual results:

Expected results:

Additional info:

Comment 1 Brian Bouterse 2014-11-03 17:47:38 UTC
A couple of notes on the things that should be done for this:

1) The username and password should be added as fields to admin.conf.

2) If they are supplied by the CLI options (--password) then the CLI supplied one should be used instead of the admin.conf one (for username or password).

3) The admin.conf should provide admin/admin as defaults so that this feature will allow someone to use pulp-admin with the default credentials without specifying -u or -p

4) Add docs describing the admin.conf attributes

Comment 2 vijaykumar.jain 2014-11-04 05:59:47 UTC
Thanks bbouters.

Please find my comments.

1)we would not like to have username/password in global admin.conf? we have put username/password(commented) in the admin.conf to server as a template to user's local admin.conf?

2)I was about to modify the command line but help, but got stuck with the English thinking it would become confusing.(--password -> credentials for the Pulp server; if specified will bypass any defaults stored in admin.conf or the stored certificate)do you think this is correct?also the authentication failure message mentions creation os cer

3)yes, it sounds correct, but then it will mask the entire effort of certificates even when we do not use apache ldap auth. does it sound ok?

also, I am getting a feeling that this(auth/cred in admin.conf) should be not be provided by pulp.wherever I store the password, environment variable or hidden file, it will be stored in plain text and that sounds like a concern for sure.
but pulp can allow plugin/extension or decorator/callback to pulp.client.launcher.main for the auth 

I will work on this and update you, but let me know if the concern is reasonable and callback/decorator workaround sounds reasonable.

Comment 3 Brian Bouterse 2014-11-04 17:16:03 UTC
Thanks for the comments, here are some thoughts I have on them.

1) Pulp creates the admin.conf in the users home directory. There is a template in the codebase already [0]. I think of [0] as the template that any user would start from the first time they run pulp-admin. I think that the username and password should be added to [0] and would be un-commented with the 'admin' as the value for both username and password.

If you want to have a 'global template' of admin.conf that you provide for your users that is fine and you could have the username and password uncommented for them to fill in as you describe. That would just be for your users, not all Pulp users. Normal pulp users will still receive [0].

2) Your English is good. Do your best in the PR, and I can help make sure it reads well. Regarding the sentence you did write, replace the word 'bypass' with 'override' and it will convey the meaning you want.

3) This username and password would not change the way pulp handles certificates. The current functionality is that when a user logs in with a username and password (ie: admin/admin) the server authenticates them, builds them a certificate that expires after some number of days, and then gives the certificate to the client pulp-admin. None of that would be adjusted. The only adjustment is that the username and password pulp-admin uses to authenticate and receive the certificate comes from admin.conf instead of exclusively from the command line.

I think keeping the file on the file system in plaintext is secure as long as the admin.conf is only readable by the users who should be able to read that password. I do not think the callback or decorator provides any additional security, but it does introduce complexity. Consider the fact that if someone has gained root access they can access everything on that system so nothing that is stored in plaintext (anywhere on the system) can be considered safe. In the case of root-access a callback on the same machine would be just as insecure.

Would keeping this in a file on the filesystem that has "safe" permissions be OK for your use case?

[0]: https://github.com/pulp/pulp/blob/master/client_admin/etc/pulp/admin/admin.conf

Comment 4 vijaykumar.jain 2014-11-04 18:33:40 UTC
Sounds good. Thanks for clearing my concerns.I will do the needful on the above requested work wrt config update and docs.

i guess long term solution should involve apache kerberos auth (mongo also supports kerberos so we should be good storing principals i guess). but i think that would be a separate RFE.

Comment 5 Brian Bouterse 2014-11-04 19:12:49 UTC
Sounds good vijay.

Another team member reviewed your PR [0] with some comments. I adjusted the title so that it includes [Work in Progress]. Once you are ready for us to re-review, remove [Work in Progress] from the title, and post a note on the BZ or the PR that it is ready for another review.

[0]: https://github.com/pulp/pulp/pull/1280

Comment 6 vijaykumar.jain 2014-11-06 17:45:16 UTC
Ready for review. :)

Comment 7 vijaykumar.jain 2014-11-11 17:37:56 UTC
Please check now.

Comment 8 vijaykumar.jain 2014-11-16 20:31:20 UTC

Comment 9 Chris Duryee 2014-11-19 23:34:23 UTC
PR appears to be merged to 2.6-dev and master.

Setting state to MODIFIED.

Thanks for the contribution!

Comment 10 vijaykumar.jain 2014-11-20 05:22:21 UTC
Hooray!!. Thanks a lot. Appreciate your effort in mentoring and being patient on my first pull request :)
I am pretty sure, I would want to be involved with more as I get more understanding of the product.

Comment 11 Brian Bouterse 2014-11-20 13:46:19 UTC
Great job Vijay! Your code will be included in the upcoming 2.6.0 alpha. Watch pulp-list to see the announcement of it. Thanks for your contribution.

Comment 12 Chris Duryee 2014-12-23 20:52:30 UTC
fixed in pulp 2.6.0-0.2.beta

Comment 13 Preethi Thomas 2015-02-02 21:41:55 UTC
Please add some steps to verify this bz.

Comment 14 Brian Bouterse 2015-02-02 21:58:46 UTC
I wrote out steps, but then I deleted them because I also want to ensure that the docs provided to users are adequate. Attempt to configure auth by setting credentials in ~/.pulp/admin.conf per the docs here [0].

[0]: http://pulp.readthedocs.org/en/latest/user-guide/admin-client/authentication.html?highlight=username#basic-authentication-of-users

Comment 15 Preethi Thomas 2015-02-03 16:17:02 UTC
[root@ibm-x3550m3-07 ~]# rpm -qa pulp-server
[root@ibm-x3550m3-07 ~]# 

[root@ibm-x3550m3-07 ~]#  pulp-admin repo list
Traceback (most recent call last):
  File "/usr/bin/pulp-admin", line 9, in <module>
    load_entry_point('pulp-client-admin==2.6.0', 'console_scripts', 'pulp-admin')()
  File "/usr/lib/python2.6/site-packages/pulp/client/admin/__init__.py", line 22, in main
    exit_code = launcher.main(read_config(), exception_handler_class=AdminExceptionHandler)
  File "/usr/lib/python2.6/site-packages/pulp/client/admin/config.py", line 96, in read_config
  File "/usr/lib/python2.6/site-packages/pulp/client/admin/config.py", line 124, in validate_overrides
    "It should be one of %(valid_private_perms)s.") % runtime_dict)
RuntimeError: File /root/.pulp/admin.conf contains a password and has incorrect permissions: 500, It should be one of [400, 600, 700].
[root@ibm-x3550m3-07 ~]# chmod 600 ~/.pulp/admin.conf
[root@ibm-x3550m3-07 ~]#  pulp-admin repo list

Id:                  pulp-el6
Display Name:        pulp-el6
Description:         None
Content Unit Counts: 
  Package Group: 7
  Rpm:           71

Id:                  zoo
Display Name:        zoo
Description:         None
Content Unit Counts: 
  Erratum:          4
  Package Category: 1
  Package Group:    2
  Rpm:              32

Id:                  puppet-builds
Display Name:        puppet-builds
Description:         None
Content Unit Counts: 

[root@ibm-x3550m3-07 ~]# pulp-admin -u test-user -p redhat repo list

The specified user does not have permission to execute the given command

[root@ibm-x3550m3-07 ~]# 
[root@ibm-x3550m3-07 ~]# 
[root@ibm-x3550m3-07 ~]# pulp-admin auth permission grant --resource /v2/repositories/ --login test-user -o create -o update -o read
Permissions [/v2/repositories/ : ['CREATE', 'UPDATE', 'READ']] successfully
granted to user [test-user]

[root@ibm-x3550m3-07 ~]# pulp-admin -u test-user -p redhat repo list+----------------------------------------------------------------------+

Id:                  pulp-el6
Display Name:        pulp-el6
Description:         None
Content Unit Counts: 
  Package Group: 7
  Rpm:           71

Id:                  zoo
Display Name:        zoo
Description:         None
Content Unit Counts: 
  Erratum:          4
  Package Category: 1
  Package Group:    2
  Rpm:              32

Id:                  puppet-builds
Display Name:        puppet-builds
Description:         None
Content Unit Counts: 

[root@ibm-x3550m3-07 ~]# 
[root@ibm-x3550m3-07 ~]#

Comment 16 Brian Bouterse 2015-02-19 01:20:10 UTC
Moved to https://pulp.plan.io/issues/266

Note You need to log in before you can comment on or make changes to this bug.