[katello-devel] Oauth issue for non-admin users

Dmitri Dolguikh dmitri at redhat.com
Fri Jul 8 12:08:13 UTC 2011


On 11-07-06 8:01 PM, Partha Aji wrote:
> Not sure if anyone else has looked at this or is looking into this, but in Katello if you tried any candlepin- or pulp-interacting operation as a non-"admin" user (any user name other than "admin") you will get a 400 with a message like
>
> org.fedoraproject.candlepin.exceptions.BadRequestException: user 'fooo' not found
>
> This is because the oauth header sent to those services needs a "cp-user" or "pulp-user", and katello user.rb basically says
>
>    def cp_oauth_header
>      { 'cp-user' => self.username }
>    end
>
>    def pulp_oauth_header
>      { 'pulp-user' => self.username }
>    end
>
> So in essence, for any interaction including creation of users in pulp/candlepin, we need an existing user that will be available in all three services. Right now that user happens to have the name "admin".
> Given this situation I have a few questions:
>
>
> 1) Is this a security risk? And is there or should there be a way we can configure this user name at install time (when we are running the seed scripts).
>
> 2) Is it ok if we made all user-creation interactions use cp-user => "admin", but interactions other than user creation use cp-user => self.username?
>
> 3) What is our user strategy as far as these services are concerned? Are we going to be creating new users in pulp/candlepin and katello with the same username every time we create a new user?
>
> I was planning on just hard coding cp-user to "admin" but then thought asking katello-devel was a better idea :)
>
> Partha
The final goal is:
  - if oauth is used, candlepin doesn't perform any authentication or access control, but rather relies on katello to do both
  - user identity (username for now) is passed in the cp-user/cp-consumer oauth header

Devan, do you know where cp folks are in regard to #1?

Cheers,
-d
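The model Dmitri describes (Candlepin does no authentication of its own when OAuth is used; it trusts the caller's signature and takes the identity from the cp-user header) is easy to get subtly wrong, so here is an added worked example of both sides of that exchange. This is illustrative code written for this page, not Katello's or Candlepin's own implementation: the consumer key/secret, the URL, the helper names (`katello_headers`, `candlepin_identity`) and the sample username are all constructed assumptions. It signs a two-legged OAuth 1.0 request with HMAC-SHA1 using only the Ruby standard library, then shows the service side accepting the cp-user header only when the signature verifies under a known consumer secret.

```ruby
require 'openssl'
require 'base64'
require 'securerandom'
require 'uri'

# Hypothetical credentials shared between Katello (the OAuth consumer) and
# Candlepin (the service). Constructed for this example; a real deployment
# would configure them at install time.
CONSUMER_KEY    = 'katello'
CONSUMER_SECRET = 'shared-secret-from-install'

# RFC 5849 percent-encoding: only ALPHA / DIGIT / '-' / '.' / '_' / '~' are
# left unencoded. URI.encode_www_form_component is close but not identical,
# so the three differing characters are patched up afterwards.
def oauth_escape(str)
  URI.encode_www_form_component(str.to_s)
     .gsub('+', '%20').gsub('*', '%2A').gsub('%7E', '~')
end

# Signature base string: METHOD & base-URL & normalized(query + oauth_* params).
# Note what is NOT here: arbitrary request headers such as cp-user.
# (Non-default ports are ignored for brevity.)
def signature_base_string(method, url, oauth_params)
  uri      = URI.parse(url)
  base_url = "#{uri.scheme}://#{uri.host.downcase}#{uri.path}"
  query    = uri.query ? URI.decode_www_form(uri.query) : []
  pairs    = (query + oauth_params.to_a).map { |k, v| [oauth_escape(k), oauth_escape(v)] }.sort
  normalized = pairs.map { |k, v| "#{k}=#{v}" }.join('&')
  [method.to_s.upcase, oauth_escape(base_url), oauth_escape(normalized)].join('&')
end

# HMAC-SHA1 over the base string, keyed with "consumer_secret&token_secret"
# (token secret is empty for two-legged OAuth, which is what Katello uses).
def hmac_sha1_signature(base_string, consumer_secret, token_secret = '')
  key = "#{oauth_escape(consumer_secret)}&#{oauth_escape(token_secret)}"
  Base64.strict_encode64(OpenSSL::HMAC.digest('sha1', key, base_string))
end

# Constant-time comparison so signature checking does not leak via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# --- Katello side: sign the call and attach the acting user's identity ------
def katello_headers(method, url, username, nonce: SecureRandom.hex(8), timestamp: Time.now.to_i)
  oauth_params = {
    'oauth_consumer_key'     => CONSUMER_KEY,
    'oauth_nonce'            => nonce,
    'oauth_signature_method' => 'HMAC-SHA1',
    'oauth_timestamp'        => timestamp.to_s,
    'oauth_version'          => '1.0',
  }
  signature = hmac_sha1_signature(signature_base_string(method, url, oauth_params), CONSUMER_SECRET)
  header = oauth_params.merge('oauth_signature' => signature)
                       .map { |k, v| %(#{k}="#{oauth_escape(v)}") }.join(', ')
  { 'Authorization' => "OAuth #{header}", 'cp-user' => username }
end

# --- Candlepin side: verify the signature, then believe cp-user -------------
def parse_oauth_header(value)
  return nil unless value.is_a?(String) && value.start_with?('OAuth ')
  value.sub('OAuth ', '').split(',').map(&:strip).each_with_object({}) do |pair, h|
    k, v = pair.split('=', 2)
    h[k] = URI.decode_www_form_component(v.to_s.delete('"'))
  end
end

# Returns the username the service should act as, or nil to reject the call.
# The cp-user header is trusted only because the signature proves the request
# was made by a holder of a known consumer secret (i.e. Katello). Nonce and
# timestamp replay checks are omitted here and belong in a real verifier.
def candlepin_identity(method, url, headers, secrets = { CONSUMER_KEY => CONSUMER_SECRET })
  oauth = parse_oauth_header(headers['Authorization'])
  return nil unless oauth && oauth['oauth_signature_method'] == 'HMAC-SHA1'
  secret = secrets[oauth['oauth_consumer_key']]
  return nil unless secret
  presented = oauth.delete('oauth_signature')
  expected  = hmac_sha1_signature(signature_base_string(method, url, oauth), secret)
  return nil unless presented && secure_equal?(presented, expected)
  user = headers['cp-user']
  user.nil? || user.empty? ? nil : user
end

if __FILE__ == $PROGRAM_NAME
  url  = 'https://candlepin.example.com/candlepin/owners'
  hdrs = katello_headers('GET', url, 'fooo')
  p candlepin_identity('GET', url, hdrs)                              # "fooo"
  p candlepin_identity('POST', url, hdrs)                             # nil: method is signed
  p candlepin_identity('GET', url, hdrs.merge('Authorization' => nil)) # nil: unsigned, header ignored
  p candlepin_identity('GET', url, hdrs, { CONSUMER_KEY => 'wrong' })  # nil: unknown secret
  p candlepin_identity('GET', url, hdrs.merge('cp-user' => 'admin'))   # "admin": header not covered by signature
end
```

The last call is the caveat worth keeping in mind with this design: the OAuth 1.0 signature covers the method, URL and parameters, but not custom headers, so cp-user (or pulp-user) is bound to the signed request only by the transport. Anyone who can rewrite headers between Katello and Candlepin can impersonate any user, which is why the service-to-service hop needs TLS and why the consumer secret must be held only by Katello. This also answers Partha's question 1 in practice: whatever name the seeded service user has, the security boundary is the consumer secret, not the username.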