[Pulp-dev] JWT Use Case Revisions for Pulp3

Filip Dobrovolny fdobrovo at redhat.com
Tue Aug 1 13:29:29 UTC 2017


I have finished the work on JWT tokens according to current MVP use cases
at https://pulp.plan.io/projects/pulp/wiki/Pulp_3_Minimum_Viable_Product.
Please check out my pull request at https://github.com/pulp/pulp/pull/3109.

I have also included docs on how to generate the tokens offline and how JWT
authentication works in pulp in general.

If you have any recommendations regarding the docs or anything else I would
love to hear them in the comments.

Also, during the review of this PR we discovered that we can no longer
install pulp via `python setup.py install/develop`, because thanks to the
name of the JWT package (djangorestframework-jwt) we are affected by the
setuptools hyphen issue https://github.com/pypa/setuptools/issues/196.
So I made a PR https://github.com/pulp/pulp/pull/3111 for Travis to
begin using `pip install -e .`, as we already do in vagrant's Ansible.

On Wed, May 31, 2017 at 2:26 PM Dennis Kliban <dkliban at redhat.com> wrote:

> We had a chance to discuss some of these use cases during our MVP call
> yesterday. Here is the updated list of use cases:
>
>
> As an administrator, I can disable JWT token expiration.  This
> configuration is in the settings file and is system-wide.
> As an administrator, I can configure the JWT tokens to expire after a
> configurable amount of time. This configuration is in the settings file
> and is system-wide.
> The JWT shall have a username identifier
> As an API user, I can authenticate any API call (except to request a JWT)
> with a JWT.
> As an API user, I can invalidate all existing JWT tokens for a given user.
> As an authenticated user, when deleting a user 'foo', all of user 'foo's
> existing JWTs are invalidated.
> As an authenticated user, I can invalidate a user's JWTs in the same
> operation as updating the password.
> As an un-authenticated user, I can obtain a JWT token by using a username
> and password.
>
> Let's polish them up on this email thread and then update the MVP wiki
> page.
>
> -Dennis
>
> On Mon, May 29, 2017 at 1:57 PM, Brian Bouterse <bbouters at redhat.com>
> wrote:
>
>> We had a use case call which produced these use cases [0]. Then @fdobrovo
>> investigated using the django-rest-framework-jwt [1] to fulfil those use
>> cases and there are some small, but to fulfil the use cases written he had
>> to write a good amount of code and maybe only used 50 or 100 lines of code
>> actually from django-rest-framework-jwt.
>>
>> Through a lot of back and forth on the issue [2], we did a gap analysis
>> and considered different ways the use cases could be aligned with the
>> functionality provided by the django-rest-framework. We came up with the
>> following revised use cases related to JWT that are effectively the same
>> and would allow the plugin code to be used mostly as-is:
>>
>> * As an administrator, I can disable JWT token expiration.  This
>> configuration is in the settings file and is system-wide.
>> * As an administrator, I can configure the JWT tokens to expire after a
>> configurable amount of time. This configuration is in the settings file and
>> is system-wide.
>> * The JWT shall have a username identifier
>> * As an API user, I can authenticate any API call (except to request a
>> JWT) with a JWT.
>> * As an API user, I can invalidate all JWT tokens for a given user
>> * As an authenticated user, when deleting a user 'foo', all of user
>> 'foo's JWTs are invalidated.
>> * As an un-authenticated user, I can obtain a JWT token by passing a
>> username and password via POST
>>
>> Comments and questions are welcome here. I also hope to append this topic
>> onto one of the upcoming, Tuesday use case calls. The next call May 30th is
>> on the Status API and Alternate Content Sources so hopefully there will be
>> enough time to revisit the JWT use cases then too or on a following call.
>>
>> [0]:
>> https://pulp.plan.io/projects/pulp/wiki/Pulp_3_Minimum_Viable_Product#Authentication
>> [1]: http://getblimp.github.io/django-rest-framework-jwt/
>> [2]: https://pulp.plan.io/issues/2359
>>
>> -Brian
>>
>> _______________________________________________
>> Pulp-dev mailing list
>> Pulp-dev at redhat.com
>> https://www.redhat.com/mailman/listinfo/pulp-dev
>>
>>
>
-- 
Kind Regards,

Filip Dobrovolny.

Filip Dobrovolný

Intern, Pulp

Red Hat Czech s.r.o

fdobrovo at redhat.com     M: +420-608-321-501     IM: fdobrovo

redhat.com | TRIED. TESTED. TRUSTED. | redhat.com/trusted
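The use cases quoted in this thread (system-wide expiration that can be tuned or disabled, a username claim, token issue from a username/password, and revoking all of a user's JWTs on deletion or together with a password change) as an added example. This is not code from the PR or from django-rest-framework-jwt; it assumes a per-user signing secret as the revocation mechanism and a constructed in-memory user table, neither of which the thread specifies.

```python
import base64, hashlib, hmac, json, secrets, time
# System-wide setting: expiration delta in seconds, or None to disable expiration.
SETTINGS = {"JWT_EXPIRATION_DELTA": 3600}

# Constructed in-memory user table. Each user holds a private signing secret (an assumed
# mechanism, not the PR's): rotating it revokes every JWT issued for that user. Passwords
# are clear text here only for brevity.
USERS = {"foo": {"password": "hunter2", "jwt_secret": secrets.token_bytes(32)}}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(secret: bytes, signing_input: str) -> bytes:
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def issue_token(username, password, now=None):
    """Trade a username/password (the one unauthenticated call) for an HS256 JWT."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["password"], password):
        return None
    now = int(time.time()) if now is None else now
    payload = {"username": username, "iat": now}  # the username identifier claim
    if SETTINGS["JWT_EXPIRATION_DELTA"] is not None:
        payload["exp"] = now + SETTINGS["JWT_EXPIRATION_DELTA"]
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(payload).encode())
    return f"{header}.{body}." + _b64(_sign(user["jwt_secret"], f"{header}.{body}"))

def verify_token(token, now=None):
    """Return the username for a valid token, or None for any failure."""
    now = int(time.time()) if now is None else now
    try:
        header, body, sig = token.split(".")
        payload = json.loads(_unb64(body))
        # The key is chosen by the claimed username, never by the header's "alg" field.
        secret = USERS[payload["username"]]["jwt_secret"]
        if not hmac.compare_digest(_sign(secret, f"{header}.{body}"), _unb64(sig)):
            return None
        if "exp" in payload and now >= payload["exp"]:
            return None
        return payload["username"]
    except (ValueError, KeyError, TypeError):  # malformed token, unknown or deleted user
        return None

def invalidate_user_tokens(username, new_password=None):  # revoke all the user's JWTs
    USERS[username]["jwt_secret"] = secrets.token_bytes(32)
    if new_password is not None:
        USERS[username]["password"] = new_password
```

Deleting a user simply drops its entry from USERS, which leaves no secret to verify against, so every token it ever held fails verification.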