Currently, the REST API expects to handle both user authentication and authorisation checks at the application level.
It would be convenient to be able to tell Pulp to trust the request.vars.REMOTE_USER attribute for REST API access, making it possible to handle authentication at the web server level (e.g. by setting up mod_auth_kerb in Apache).
(Note: for my purposes, letting the web service handle authentication checks would actually be a superior alternative to implementing direct support for authentication against LDAP groups as described in BZ#828072)
I've done some initial investigation into patching the version I'm currently using (since rebasing to a more recent version isn't an option right now), and it *looks* like the changes needed would be localised to:
And, of course, a customised version of /etc/httpd/conf.d/pulp.conf that disables WSGIPassAuthorization and configures mod_auth_kerb (and probably mod_authnz_ldap) appropriately instead.
(these are the old paths - adjust appropriately for the new tree layout)
I'm currently thinking an API like the following would make sense:
Add the following function to pulp.server.webservices.http:
    def preauthenticated_username():
        """Checks for a user that has been preauthenticated by the web server"""
        auth = request_info('HTTP_REMOTE_USER')
        if auth is not None:
            # Strip any Kerberos realm information
            # This won't be needed if KrbLocalUserMapping can handle it
            auth, __, __ = auth.partition("@")
        return auth
Modify pulp.server.webservices.controllers.decorators.auth_required to include an additional step before failing:
    # check_preauthenticated is a new authentication checker
    if user is None:
        username = http.preauthenticated_username()
        if username is not None:
            user = check_preauthenticated(username)
pulp.server.auth.authentication.check_preauthenticated would work as follows:
- new optional [preauthenticated] section in pulp.conf
- default-role setting in this section determines role assigned to previously unknown pre-authenticated users (as with the [ldap] section)
The behaviour of pulp.server.auth.authentication.check_preauthenticated would be:
- if there is no "[preauthenticated]" section defined, fail immediately
- if the user already exists locally, return their entry
- if the user does not exist, and "default-role" is not set, fail
- otherwise create them with the specified default role
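A worked version of the design sketched in the comment above, written for this page and not taken from the reporter's patch or from Pulp itself. It models the four rules for check_preauthenticated plus the realm-stripping step, using a constructed in-memory user store and a constructed pulp.conf fragment in place of Pulp's database and configuration; the function names, the [preauthenticated] section and the default-role key follow the comment, while the environ-based signatures are assumptions made so the logic can run stand-alone. It reads the server-set REMOTE_USER key only: under WSGI, headers sent by the client land under HTTP_*, so a Remote-User request header from a client appears as HTTP_REMOTE_USER and is deliberately ignored.

```python
"""Added example (not Pulp's code): web-server-level preauthentication.

Constructed stand-ins replace Pulp's user collection and pulp.conf so the
decision logic can be exercised offline.
"""
import configparser

# Constructed pulp.conf fragment carrying the proposed optional section.
SAMPLE_CONF = """
[server]
host = pulp.example.com

[preauthenticated]
default-role = consumer-users
"""

# Constructed in-memory stand-in for the users collection.
USERS = {"alice": {"login": "alice", "roles": ["super-users"]}}


def load_config(text):
    """Parse an INI-style config string the way pulp.conf is structured."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return cp


def preauthenticated_username(environ):
    """Return the login the web server authenticated, or None.

    Only REMOTE_USER, which Apache/mod_wsgi sets after its own auth check,
    is consulted. A client-sent "Remote-User:" header would arrive as
    HTTP_REMOTE_USER and is never trusted here.
    """
    auth = environ.get("REMOTE_USER")
    if auth:
        # Strip any Kerberos realm information (alice@EXAMPLE.COM -> alice)
        auth, _, _ = auth.partition("@")
    return auth or None


def check_preauthenticated(username, config, users=USERS):
    """Apply the four rules from the comment; return a user dict or None."""
    # Rule 1: no [preauthenticated] section, fail immediately
    if not config.has_section("preauthenticated"):
        return None
    # Rule 2: the user already exists locally, return their entry
    if username in users:
        return users[username]
    # Rule 3: unknown user and no default-role configured, fail
    role = config.get("preauthenticated", "default-role", fallback=None)
    if not role:
        return None
    # Rule 4: otherwise create the user with the configured default role
    users[username] = {"login": username, "roles": [role]}
    return users[username]


def authenticate(environ, config, users=USERS):
    """The extra step auth_required would try before giving up."""
    username = preauthenticated_username(environ)
    if username is None:
        return None
    return check_preauthenticated(username, config, users)


if __name__ == "__main__":
    cfg = load_config(SAMPLE_CONF)
    print(authenticate({"REMOTE_USER": "alice@EXAMPLE.COM"}, cfg))
    print(authenticate({"REMOTE_USER": "bob@EXAMPLE.COM"}, cfg))
    print(authenticate({"HTTP_REMOTE_USER": "alice"}, cfg))
```

Passing the user store explicitly keeps the auto-creation side effect visible and testable; the same shape lets the [preauthenticated] section be absent or lack default-role without touching the store.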
Created attachment 595626
Patch to allow web server level preauthentication
Attached patch adds preauthentication support by always checking for REMOTE_USER before checking HTTP_AUTHORIZATION (or the SSL client cert).
To create the user correctly, the existing "password=None" idiom is extended down into the LDAP lookup mechanism - if the user is preauthenticated, and exists in LDAP, then they will be added automatically with the default role configured in the LDAP settings.
If LDAP is not configured, then the user will be accepted only if they already exist in the database.
The patch is against the old tree layout - hopefully git will be able to follow the file moves and add the extra "platform/" directory in the appropriate places when importing the patch.
As an example of how this can be used in practice, a separate WSGIScriptAlias can be defined that refers to the Pulp API web service, but is configured for Apache level authentication checks:
WSGIScriptAlias /pulp/krb /srv/pulp/webservices.wsgi
AuthName "Pulp API: Kerberos Login"
If a custom client is set up to connect to /pulp/krb instead of /pulp/api, then it can access all the usual Pulp REST API services, while using Kerberos (or any other Apache level authentication mechanism) for authentication checks.
Also of potential interest is the custom client I use to connect via Kerberos: http://git.fedorahosted.org/git/?p=pulpdist.git;a=blob;f=src/pulpdist/core/pulpapi.py;h=07dd04f40f474c6e8ab0fc99d8b0211020ab316f;hb=HEAD#l292
(there is also one in that file for connecting via OAuth)
Submitted pull request as part of authentication refactor and improvement.
Merge: 020e58a 60ee634
Author: skarmark <skarmark>
Date: Fri Oct 5 15:30:48 2012 -0700
Merge pull request #99 from pulp/sayli-authentication
831937 - Added support for web server level authentication and major refactoring of authentication and auth decorator area.
Pulp v2.0 released