[katello-devel] Oauth issue for non-admin users
Partha Aji
paji at redhat.com
Wed Jul 6 23:01:12 UTC 2011
Not sure if anyone else has looked at this or is looking into this, but in Katello, if you try any candlepin or pulp interacting operation as a non-"admin" user (any username other than "admin") you will get a 400 with a message like
org.fedoraproject.candlepin.exceptions.BadRequestException: user 'fooo' not found
This is because the oauth header sent to those services needs a "cp-user" or "pulp-user", and katello's user.rb basically says
  # The trusted-user header tells candlepin/pulp which user to act as
  def cp_oauth_header
    { 'cp-user' => self.username }
  end

  def pulp_oauth_header
    { 'pulp-user' => self.username }
  end
So in essence, for any interaction, including creation of users in pulp/candlepin, we need an existing user that will be available in all 3 services. Right now that user happens to have the name "admin".
Given this situation I have a few questions:
1) Is this a security risk? And is there, or should there be, a way we can configure this username at install time (when we are running the seed scripts)?
2) Is it ok if we made all user creation interactions use cp-user => "admin", but interactions other than user creation use cp-user => self.username?
3) What is our user strategy as far as these services are concerned? Are we going to be creating new users in pulp/candlepin and katello with the same username every time we create a new user?
I was planning on just hard coding cp-user to "admin" but then thought asking katello-devel was a better idea :)
Partha
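As an added example (not code from this email or from Katello), one way to express option (2) from the message above: only the user-provisioning calls are sent under the shared service account, and every other call carries the calling user's own username, so candlepin/pulp enforce that user's permissions rather than admin's. The class name `ServiceHeaders`, the `PROVISIONING_OPS` list and the `service_user:` setting are assumptions.

```ruby
# Added example, not Katello code. Models the header choice in option (2):
# user-provisioning calls are delegated to the configured service account
# (the user that exists in all three services), every other call is made
# as the calling Katello user so candlepin/pulp apply that user's own rights.
class ServiceHeaders
  # Operations that legitimately need the shared service account because the
  # calling user does not yet exist in candlepin/pulp. Assumed list.
  PROVISIONING_OPS = %i[create_user].freeze

  # service_user is assumed to come from install-time configuration
  # (question 1 in the thread) instead of being hard-coded to "admin".
  def initialize(service_user:)
    if service_user.nil? || service_user.empty?
      raise ArgumentError, 'service user must be configured'
    end
    @service_user = service_user
  end

  def cp_oauth_header(username, op)
    { 'cp-user' => acting_user(username, op) }
  end

  def pulp_oauth_header(username, op)
    { 'pulp-user' => acting_user(username, op) }
  end

  private

  # Narrow the delegation: only provisioning calls run as the service
  # account, so a non-admin caller cannot get arbitrary operations
  # performed as "admin".
  def acting_user(username, op)
    PROVISIONING_OPS.include?(op) ? @service_user : username
  end
end
```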