Hello, in the pulp.conf configuration file there is the following line:

RequestHeader append Authorization "Basic" early

It's a workaround for Pulp when Authorization is missing for yum, as I have been told. Unfortunately this breaks other applications (e.g. Katello) which are deployed on the same httpd server. For our CLI and RHSM we also use HTTP AUTH BASIC, so this configuration changes our data to this:

Authorization: Basic Qmxvb21iZXJnOnRjbG1lU1JT, Basic

(more about it in https://bugzilla.redhat.com/show_bug.cgi?id=766906)

The Rails3 stack is not able to parse this because of the ", Basic" suffix for some username/password lengths, thanks to the Base64 padding. It simply does not authenticate for some combinations. It looks like this is against the RFC HTTP specification, as not all headers can be concatenated with a comma, but I did not find a particular paragraph.

The purpose of this BZ is to change this configuration to be effective only in the Pulp context, and not the others. According to the mod_headers documentation (http://httpd.apache.org/docs/2.0/mod/mod_headers.html) either <Location> or <Directory> could be used for that.

If this is not possible we need to solve this differently. If this does break the RFC, Rails3 won't change the parser for us and we need to implement a workaround for the Katello Rails3 code, but this could possibly change the behavior of any app deployed on the same httpd that makes use of HTTP AUTH BASIC. And it's difficult to track.

This is a blocker bug for Katello since our users are not able to use some username/password combinations with RHSM and katello CLI.
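The padding dependence described in the report above can be reproduced outside Rails. This is an added example, not part of the original report and not Katello or Rails code: it assumes Ruby's lenient `unpack("m")` as a stand-in for a tolerant application-side parser, and all function names and credentials are constructed for illustration.

```ruby
# Added illustration; header values are constructed, not taken from the report.

# Lenient decoder: Ruby's unpack("m") skips non-Base64 bytes and stops at "=".
# Assumption: stands in for a tolerant application-side parser.
def lenient_basic(header)
  scheme, blob = header.split(" ", 2)
  return nil unless blob && scheme.casecmp("basic").zero?
  blob.unpack("m").first.split(":", 2)
end

# Strict decoder: exactly one credential and strict Base64 (unpack("m0") raises
# ArgumentError on malformed input); anything else yields no credentials.
def strict_basic(header)
  m = %r{\ABasic ([A-Za-z0-9+/]+={0,2})\z}i.match(header)
  return nil unless m
  user, pass = m[1].unpack("m0").first.split(":", 2)
  pass ? [user, pass] : nil
rescue ArgumentError
  nil
end

# Application-side workaround: drop a trailing empty "Basic" list member,
# i.e. what `RequestHeader append Authorization "Basic"` adds to a real header.
def strip_appended_basic(header)
  header.sub(/,\s*Basic\s*\z/i, "")
end

# What the application receives once the server has appended ", Basic".
def merged_header(user, pass)
  "Basic " + ["#{user}:#{pass}"].pack("m0") + ", Basic"
end

if __FILE__ == $PROGRAM_NAME
  # "alice:secret" encodes without "=" padding, "alice:secret1" with "==".
  [%w[alice secret], %w[alice secret1]].each do |user, pass|
    h = merged_header(user, pass)
    puts h
    puts "  lenient:    #{lenient_basic(h).inspect}"
    puts "  strict:     #{strict_basic(h).inspect}"
    puts "  normalised: #{strict_basic(strip_appended_basic(h)).inspect}"
  end
end
```

Without padding, the lenient decoder keeps going into the appended "Basic" and the password gains three junk bytes; with padding it stops at "=" and the credential survives, which is why only some lengths fail.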
Looks like we might not need the RequestHeader line at all anymore. Still need to test on RHEL 5 tomorrow before committing.
This has been fixed by switching to WSGIAccessScript instead of WSGIAuthUserScript. This required a patch to mod_wsgi which we are now carrying to reorder the mod_ssl apache hook that exports the variable for the client certificate before a WSGIAccessScript runs.
pulp commit: e33759822373cc48d974383710cea44b45c23cd2
new mod_wsgi build will be mod_wsgi-3.3-3.pulp
QA: verify repo auth is working as expected. I would test an unprotected repo, and a protected repo. When testing a protected repo, test with a correct certificate, incorrect certificate, and no certificate and verify the desired result.
I also put together a wiki page that has more detail about this issue: https://fedorahosted.org/pulp/wiki/ModWsgiRepoAuth
build: 0.264
Hey, pulp-0.0.264-1.fc16.noarch is not authorizing my consumer anymore. Not sure if this is anyhow related. Fedora 15.
Oh this is not related. Okay.
Updating to 0.264 is causing problems accessing Pulp repo using Cp entitlements certificates for me as well. I'm getting 401. It even returns 401 when enabled is false in repo_auth.conf
For some reason, updating from 263 didn't update my /etc/httpd/conf.d/pulp.conf, so I've used a fresh installation. After that I'm able to access files with disabled authorization, but with enabled, I'm getting 403 now with entitlement cert.
It looks like environ["mod_ssl.var_lookup"]("SSL_CLIENT_CERT") is not containing the provided client certificate.
So the problem is in package dependencies: updating to pulp-0.0.264 doesn't update mod_wsgi, updating package requirements to mod_wsgi-3.3-3.pulp should fix this problem.
I updated the requirement in pulp.spec.
committed to pulp: 488016ad0808f10177f753c394f6fdfdbe5f2744
build: 0.265
verified

[root@preethi chain_example]# rpm -q pulp
pulp-0.0.267-1.fc15.noarch

[root@preethi-el6-pulp ~]# yum repolist
Loaded plugins: product-id, pulp-profile-update, security, subscription-manager
Updating certificate-based repositories.
pulp_f15_x86_64                                          | 2.9 kB     00:00
pulp_f15_x86_64/primary_db                               |  11 kB     00:00
rhel6                                                    | 4.0 kB     00:00
rhel6/primary_db                                         | 3.1 MB     00:02
rhel6_2                                                  | 3.7 kB     00:00
rhel6_2/primary_db                                       |  11 MB     00:03
repo id           repo name                                           status
epel              Extra Packages for Enterprise Linux 6 - x86_64      6,991
pulp-v1-testing   Pulp v1 Testing                                     20
pulp_f15_x86_64   pulp_f15_x86_64                                     20
rhel6             Red Hat Enterprise Linux 6Server - x86_64 - RHEL6   3,529
rhel6_2           rhel6_2                                             6,862
repolist: 17,422

[root@preethi-el6-pulp ~]# cat /etc/yum.repos.d/
epel.repo          pulp.repo    rhel-pulp.repo    rhel-source.repo
epel-testing.repo  redhat.repo  rhel-pulp.repo.1

[root@preethi-el6-pulp ~]# cat /etc/yum.repos.d/pulp.repo
#
# Pulp Repositories
# Managed by Pulp client
#
[rhel6_2]
name = rhel6_2
enabled = 1
sslverify = 0
gpgcheck = 0
baseurl = https://preethi.usersys.redhat.com/pulp/repos/content/dist/rhel/rhui/server/6/6Server/x86_64/os
[pulp_f15_x86_64]
name = pulp_f15_x86_64
enabled = 1
sslverify = 1
gpgcheck = 0
sslcacert = /etc/pki/pulp/client/repo/pulp_f15_x86_64/ca.crt
sslclientcert = /etc/pki/pulp/client/repo/pulp_f15_x86_64/client.crt
baseurl = https://preethi.usersys.redhat.com/pulp/repos/repos/pulp/pulp/v1/testing/fedora-15/x86_64[root@preethi-el6-pulp ~]#

Pulp v1.0 is released. Closed Current Release.