[katello-devel] Oauth issue for non-admin users

Partha Aji paji at redhat.com
Thu Jul 7 18:41:05 UTC 2011


On 07/06/2011 07:01 PM, Partha Aji wrote:
> Not sure if anyone else has looked at this or is looking into this, but in Katello if you tried any candlepin or pulp interacting operation as a non-"admin" user (any user name other than "admin") you will get a 400 with a message like
>
> org.fedoraproject.candlepin.exceptions.BadRequestException: user 'fooo' not found
>
> This is because the oauth header sent to those services needs a "cp-user" or "pulp-user" and katello user.rb basically says
>
>    def cp_oauth_header
>      { 'cp-user' =>  self.username }
>    end
>
>    def pulp_oauth_header
>      { 'pulp-user' =>  self.username }
>    end
>
> So in essence for any interaction, including creation of users in pulp/candlepin, we need an existing user that will be available in all three services. Right now that user happens to have the name "admin".
> Given this situation, I have a few questions..
>
>
> 1) Is this a security risk? And is there or should there be a way we can configure this user name at install time (when we are running the seed scripts).
>
> 2) Is it ok if we made all user creation interactions have cp-user =>  "admin", but interactions other than user create use cp-user =>  self.username?
>
> 3) What is our user strategy as far as these services are concerned. Are we going to be creating new users in pulp/candlepin and katello with the same username every time we create a new user?
>
> I was planning on just hard coding cp-user to "admin" but then thought asking katello-devel was a better idea :)
>
> Partha
>
> _______________________________________________
> katello-devel mailing list
> katello-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/katello-devel
After discussing with a few folks on #katello it looks like option 2 is 
favoured, i.e. for user create we want to use cp-user=> admin and for 
all other operations we want to use cp-user=> self.username.

Also it sounds like Lukas is working with the candlepin folks to sort out 
issue 3, i.e. trying to answer the question of whether we need to 
create a user in every service (in which case we have to create users) 
or whether the service offers a way to accept phantom users* when 
interacting with katello (users not in its own database :)).

Partha
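The option 2 behaviour agreed above, as an added example that is not Katello's own code: the identity header is only switched to the shared service user for the user-create bootstrap step, and every other call carries the real caller so the remote service can authorize and audit it. The header names and the error text come from the thread; the service simulation, the operation names and the `KatelloUser` class are assumptions.

```ruby
# Added example, not Katello's own code. Models option 2 from the thread:
# user-create goes out as the shared "admin" identity, everything else as
# the calling user. Service simulation and operation names are assumptions.

SERVICE_USER = 'admin'.freeze # assumption: the user seeded in all three services

# Operations that must run under the shared identity because the caller does
# not yet exist in the remote service. Keep this list as short as possible.
BOOTSTRAP_OPERATIONS = [:user_create].freeze

class KatelloUser
  attr_reader :username

  def initialize(username)
    # Reject anything that could smuggle extra header content.
    raise ArgumentError, "invalid username #{username.inspect}" unless username.match?(/\A[A-Za-z0-9._-]+\z/)
    @username = username
  end

  # OAuth identity header for +service+ (:candlepin or :pulp) and +operation+.
  def oauth_header(service, operation)
    key = { candlepin: 'cp-user', pulp: 'pulp-user' }.fetch(service)
    identity = BOOTSTRAP_OPERATIONS.include?(operation) ? SERVICE_USER : username
    { key => identity }
  end
end

# Stand-in for a remote service that, like candlepin in the thread, rejects a
# request whose identity header names a user it does not know.
class FakeService
  class BadRequestException < StandardError; end

  def initialize(key, known_users)
    @key = key
    @users = known_users.dup
  end

  # Returns the identity the action is attributed to, or raises like candlepin.
  def call(header, operation, payload = nil)
    ident = header.fetch(@key)
    raise BadRequestException, "user '#{ident}' not found" unless @users.include?(ident)
    @users << payload if operation == :user_create
    ident
  end
end

# Create a new user as admin, then act as that user on the next call.
def provision_and_act(username)
  cp = FakeService.new('cp-user', [SERVICE_USER])
  user = KatelloUser.new(username)
  created_by = cp.call(user.oauth_header(:candlepin, :user_create), :user_create, username)
  acted_as = cp.call(user.oauth_header(:candlepin, :list_subscriptions), :list_subscriptions)
  [created_by, acted_as]
end
```

Sending the first call as the user themselves reproduces the 400 from the thread, which is the case `provision_and_act` avoids.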



