<html><head><title></title></head><body><!-- rte-version 0.2 9947551637294008b77bce25eb683dac --><div class="rte-style-maintainer rte-pre-wrap" data-color="global-default" bbg-color="default" data-bb-font-size="medium"bbg-font-size="medium" style="white-space: pre-wrap; font-size: small; font-family: "Courier New", Courier, "BB.FixedWidth";"style="white-space: pre-wrap; font-size: small; font-family: "Courier New", Courier, "BB.FixedWidth"; color: rgb(0, 0, 0);"><div><br></div>Thanks, Dennis. This fixes the issue restarting pulp. With my LDAP credential, now I can<div>http -a id:pwd GET localhost/pulp/api/v3/status/ but I am getting "Authentication credentials were not provided" for all other uri /remtes/rpm/rpm/. It looks like pulp is not using external authentication and still needs its own authentication somehow.</div><div><br><br><div class="rte-style-maintainer" data-color="global-default"bbg-color="default" data-bb-font-size="medium" bbg-font-size="medium" style="font-size: small; font-family: "Courier New", Courier, "BB.FixedWidth";"style="font-size: small; font-family: "Courier New", Courier, "BB.FixedWidth"; color: rgb(0, 0, 0);"><div><div class="bbg-rte-fold-content" data-header="From: dkliban@redhat.com At: 04/22/20 06:52:35" data-digest="From: dkliban@redhat.com At: 04/22/20 06:52:35" style=""><div class="bbg-rte-fold-summary">From: dkliban@redhat.com At: 04/22/20 06:52:35</div>To: <a spellcheck="false" bbg-destination="mailto:bli111@bloomberg.net" href="mailto:bli111@bloomberg.net"> Bin Li (BLOOMBERG/ 120 PARK ) </a><br>Cc: <a spellcheck="false"bbg-destination="mailto:pulp-list@redhat.com" href="mailto:pulp-list@redhat.com"> pulp-list@redhat.com</a><br>Subject: Re: [Pulp-list] pulpcore-client 3.2 ldap authentication</div><br></div><div class="rte-internet-block-wrapper" style="background: white; color: black; font-family: Arial, "BB.Proportional"; font-size: small; white-space: normal;"><div class="rte-internet-block"><blockquote><div dir="ltr"><div>You need 
to replace<br></div><div><br></div><div>REST_FRAMEWORK['DEFAULT_AUTHENTICATION_CLASSES'] =</div><div><br></div><div>with <br></div><div><br></div><div>REST_FRAMEWORK__DEFAULT_AUTHENTICATION_CLASSES = </div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Apr 21, 2020 at 10:09 PM Bin Li (BLOOMBERG/ 120 PARK) <<a spellcheck="false"bbg-destination="mailto:rte:bind" class="" href="mailto:bli111@bloomberg.net" data-destination="mailto:rte:bind">bli111@bloomberg.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div style="font-size: small; font-family: "Courier New", Courier, "BB.FixedWidth"; white-space: pre-wrap;"><div>This setting actually failed to restart pulp. See errors below.</div><div><br></div>Apr 21 21:56:27 ip-1-76-158-49 gunicorn[24414]: NameError: name 'REST_FRAMEWORK' is not defined<div>Apr 21 21:56:27 ip-1-76-158-49 gunicorn[24414]: [2020-04-21 21:56:27 -0400] [24417] [INFO] Worker exiting (pid: 24417)</div><div>Apr 21 21:56:27 ip-1-76-158-49 gunicorn[24414]: [2020-04-21 21:56:27 -0400] [24414] [INFO] Shutting down: Master</div><div>Apr 21 21:56:27 ip-1-76-158-49 gunicorn[24414]: [2020-04-21 21:56:27 -0400] [24414] [INFO] Reason: Worker failed to boot.</div><div>Apr 21 21:56:27 ip-1-76-158-49 systemd[1]: pulpcore-api.service: main process exited, code=exited, status=3/NOTIMPLEMENTED</div><div>Apr 21 21:56:27 ip-1-76-158-49 systemd[1]: Unit pulpcore-api.service entered failed state.</div><div>Apr 21 21:56:27 ip-1-76-158-49 systemd[1]: pulpcore-api.service failed.</div><div>Apr 21 21:56:27 ip-1-76-158-49 systemd[1]: pulpcore-resource-manager.service holdoff time over, scheduling restart.</div><div><br><div style="font-size: small; font-family: "Courier New", Courier, "BB.FixedWidth";"><br><div><div>From: Bin Li (BLOOMBERG/ 120 PARK) At: 04/21/20 21:32:49</div>To: <a spellcheck="false" bbg-destination="mailto:dkliban@redhat.com" 
class="" href="mailto:dkliban@redhat.com" data-destination="mailto:dkliban@redhat.com"> dkliban@redhat.com</a><br>Cc: <a spellcheck="false"bbg-destination="mailto:pulp-list@redhat.com" class="" href="mailto:pulp-list@redhat.com" data-destination="mailto:pulp-list@redhat.com"> pulp-list@redhat.com</a><br>Subject: Re: [Pulp-list] pulpcore-client 3.2 ldap authentication</div><br><div style="white-space: pre-wrap; font-size: small; font-family: "Courier New", Courier, "BB.FixedWidth";">Yes, I did<div># pip list |grep dynaconf</div><div>dynaconf                        3.0.0rc1    </div><div><br><br><div style="font-size: small; font-family: "Courier New", Courier, "BB.FixedWidth";"><div><div><div>From: <a spellcheck="false" bbg-destination="mailto:rte:bind"class="" href="mailto:dkliban@redhat.com" data-destination="mailto:rte:bind">dkliban@redhat.com</a> At: 04/21/20 20:01:00</div>To: <a spellcheck="false" bbg-destination="mailto:bli111@bloomberg.net" class="" href="mailto:bli111@bloomberg.net" data-destination="mailto:bli111@bloomberg.net"> Bin Li (BLOOMBERG/ 120 PARK ) </a><br>Cc: <a spellcheck="false"bbg-destination="mailto:pulp-list@redhat.com" class="" href="mailto:pulp-list@redhat.com" data-destination="mailto:pulp-list@redhat.com"> pulp-list@redhat.com</a><br>Subject: Re: [Pulp-list] pulpcore-client 3.2 ldap authentication</div><br></div><div style="background: none 0% 0% repeat scroll white; color: black; font-family: Arial, "BB.Proportional"; font-size: small; white-space: normal;"><div><blockquote><div dir="ltr"><div dir="ltr">Did you update dynaconf to 3.0.0rc1? 
There was a bug that caused the settings to get merged instead of overwritten.<br></div><div><br><div>[0] <a spellcheck="false" bbg-destination="rte:bind" class=""href="https://pulp.plan.io/issues/6244" data-destination="rte:bind">https://pulp.plan.io/issues/6244</a></div><div>[1] <a spellcheck="false" bbg-destination="rte:bind" class=""href="https://pypi.org/project/dynaconf/3.0.0rc1/"data-destination="rte:bind">https://pypi.org/project/dynaconf/3.0.0rc1/</a></div><div><br></div></div><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Apr 21, 2020 at 5:59 PM Bin Li (BLOOMBERG/ 120 PARK) <<a spellcheck="false"bbg-destination="mailto:rte:bind" class="" href="mailto:bli111@bloomberg.net" data-destination="mailto:rte:bind">bli111@bloomberg.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div style="font-size: small; font-family: "Courier New", Courier, "BB.FixedWidth"; white-space: pre-wrap;"><div>I have followed the setup <a spellcheck="false"bbg-destination="rte:bind" class="" href="https://www.nginx.com/blog/nginx-plus-authenticate-users/"data-destination="rte:bind">https://www.nginx.com/blog/nginx-plus-authenticate-users/</a>  to set up nginx LDAP authentication. </div><div><br></div><div>This command works "http -a admin:password GET localhost/pulp/api/v3/repositories/rpm/rpm/ Cookie:nginxauth=XXXXXXX". 
The Cookie is the base64 encoded ldap username and password.</div><div><br></div><div>I assume I should follow the below so I don't have to specify admin:pwd</div><a spellcheck="false" bbg-destination="rte:bind" class="" href="https://docs.pulpproject.org/installation/authentication.html#webserver-auth-with-reverse-proxy"data-destination="rte:bind">https://docs.pulpproject.org/installation/authentication.html#webserver-auth-with-reverse-proxy</a><div style="color:rgb(83,178,245)"><br style="color:rgb(83,178,245)"></div><div>Adding the below to settings.py doesn't seem to work.</div><div>REMOTE_USER_ENVIRON_NAME = 'HTTP_REMOTE_USER'</div><div>AUTHENTICATION_BACKENDS = ['pulpcore.app.authentication.PulpNoCreateRemoteUserBackend']</div><div>REST_FRAMEWORK['DEFAULT_AUTHENTICATION_CLASSES'] = (</div><div>    'rest_framework.authentication.SessionAuthentication',</div><div>    'pulpcore.app.authentication.PulpRemoteUserAuthentication'</div><div>)</div><div><br>I am a little confused about what needs to be added for this setup. 
</div><div style="color:rgb(128,128,128)">nginx <span style="color:rgb(190,190,190)"><---</span>http<span style="color:rgb(190,190,190)">---></span> gunicorn <span style="color:rgb(190,190,190)"><----</span>WSGI<span style="color:rgb(190,190,190)">----></span> pulpcore<span style="color:rgb(190,190,190)">.</span>app<span style="color:rgb(190,190,190)">.</span>wsgi application</div><div><div style="color:rgb(128,128,128)"><br style="color:rgb(190,190,190)"></div><div style="color:rgb(128,128,128)">Please advise</div><div style="color:rgb(128,128,128)">Thanks</div><div style="color:rgb(128,128,128)"><br style="color:rgb(190,190,190)"></div><div style="color:rgb(128,128,128)"><br style="color:rgb(190,190,190)"></div><div style="font-size: small; font-family: "Courier New", Courier, "BB.FixedWidth";"><div><div><div>From: <a spellcheck="false" bbg-destination="mailto:rte:bind"class="" href="mailto:dkliban@redhat.com" data-destination="mailto:rte:bind">dkliban@redhat.com</a> At: 04/17/20 10:45:31</div>To: <a spellcheck="false" bbg-destination="mailto:bli111@bloomberg.net" class="" href="mailto:bli111@bloomberg.net" data-destination="mailto:bli111@bloomberg.net"> Bin Li (BLOOMBERG/ 120 PARK ) </a><br>Cc: <a spellcheck="false"bbg-destination="mailto:pulp-list@redhat.com" class="" href="mailto:pulp-list@redhat.com" data-destination="mailto:pulp-list@redhat.com"> pulp-list@redhat.com</a><br>Subject: Re: [Pulp-list] pulpcore-client 3.2 ldap authentication</div><br></div><div style="background: none 0% 0% repeat scroll white; color: black; font-family: Arial, "BB.Proportional"; font-size: small; white-space: normal;"><div><blockquote><div dir="ltr">Theoretically you should be able to use pulpcore-client even with LDAP authentication in the web server. However, I have not tested this. I've only helped users that use certificate authentication in the webserver. What error are you seeing on the client side? 
Do you see any errors in pulp logs?<br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Apr 17, 2020 at 10:20 AM Bin Li (BLOOMBERG/ 120 PARK) <<a spellcheck="false"bbg-destination="mailto:rte:bind" class="" href="mailto:bli111@bloomberg.net" data-destination="mailto:rte:bind">bli111@bloomberg.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div style="font-size: small; font-family: "Courier New", Courier, "BB.FixedWidth"; white-space: pre-wrap;">Thanks Dennis. <div><br></div><div>We use the pulpcore Python client to interact with the API. Once we enable LDAP on nginx, the code below that pulpcore-client uses to authenticate will not work any more. I am wondering if we will still be able to use pulpcore-client, or if we have to rewrite the client code. This sounds like too much work for us for now.</div><div>configuration = pulpcore.Configuration()</div><div>configuration.host = '<a spellcheck="false" bbg-destination="rte:bind" class="" href="http://localhost" data-destination="rte:bind">http://localhost</a>'</div><div>configuration.username = 'admin'</div><div>configuration.password = 'pwd'</div><div>rpm_client = pulp_rpm.ApiClient(configuration)<br><div><br><div style="font-size: small; font-family: "Courier New", Courier, "BB.FixedWidth";"><div><div><div>From: <a spellcheck="false" bbg-destination="mailto:rte:bind"class="" href="mailto:dkliban@redhat.com" data-destination="mailto:rte:bind">dkliban@redhat.com</a> At: 04/16/20 08:38:38</div>To: <a spellcheck="false" bbg-destination="mailto:bli111@bloomberg.net" class="" href="mailto:bli111@bloomberg.net" data-destination="mailto:bli111@bloomberg.net"> Bin Li (BLOOMBERG/ 120 PARK ) </a><br>Cc: <a spellcheck="false"bbg-destination="mailto:pulp-list@redhat.com" class="" href="mailto:pulp-list@redhat.com" data-destination="mailto:pulp-list@redhat.com"> pulp-list@redhat.com</a><br>Subject: Re: [Pulp-list] pulpcore-client 
3.2 ldap authentication</div><br></div><div style="background: none 0% 0% repeat scroll white; color: black; font-family: Arial, "BB.Proportional"; font-size: small; white-space: normal;"><div><blockquote><div dir="ltr"><div>Please be aware that there is a bug in dynaconf 2.2 with how settings are merged[0]. I recommend upgrading it to dynaconf 3.0.0rc1 for best results when configuring authentication backends in pulp.</div><div><br></div><div>[0] <a spellcheck="false" bbg-destination="rte:bind" class=""href="https://pulp.plan.io/issues/6244" data-destination="rte:bind">https://pulp.plan.io/issues/6244</a></div><div>[1] <a spellcheck="false" bbg-destination="rte:bind" class=""href="https://pypi.org/project/dynaconf/3.0.0rc1/"data-destination="rte:bind">https://pypi.org/project/dynaconf/3.0.0rc1/</a></div><div><br> </div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Apr 15, 2020 at 7:02 PM Dennis Kliban <<a spellcheck="false"bbg-destination="mailto:rte:bind" class="" href="mailto:dkliban@redhat.com" data-destination="mailto:rte:bind">dkliban@redhat.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>Pulp 3 does not currently support multiple users. We are planning to add support for RBAC in the near future. However, I don't have a concrete timeline for that. With all that said, you still can configure the web server to perform authentication[0]. 
In this case Pulp will stop performing authentication and will simply look for a WSGI environment variable that contains the username.<br></div><div><br></div><div>[0] <a spellcheck="false" bbg-destination="rte:bind" class=""href="https://docs.pulpproject.org/installation/authentication.html#webserver-auth"data-destination="rte:bind">https://docs.pulpproject.org/installation/authentication.html#webserver-auth</a></div><div>[1] <a spellcheck="false" bbg-destination="rte:bind" class=""href="https://docs.pulpproject.org/settings.html?highlight=remote_user#remote-user-environ-name"data-destination="rte:bind">https://docs.pulpproject.org/settings.html?highlight=remote_user#remote-user-environ-name</a></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Apr 15, 2020 at 3:19 PM Bin Li (BLOOMBERG/ 120 PARK) <<a spellcheck="false"bbg-destination="mailto:rte:bind" class="" href="mailto:bli111@bloomberg.net" data-destination="mailto:rte:bind">bli111@bloomberg.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div style="font-size: small; font-family: "Courier New", Courier, "BB.FixedWidth"; white-space: pre-wrap;"><div><br></div><div>I am thinking to configure nginx with ldap authentication, but I couldn't find a way to interact with the api. Does pulpcore-client work with ldap authentication? 
Has anyone made httpie work with ldap?</div><div><br></div><div>Thanks</div></div></blockquote></div></blockquote></div></blockquote><br></div></div></div></div></div></div></blockquote></div></blockquote><br></div></div></div></div></div></blockquote></div></div></blockquote><br></div></div></div></div></div></div></div></div></blockquote></div></blockquote><br></div></div></div></div></div></body></html>