[Pulp-dev] RBAC Status Thread

Brian Bouterse bmbouter at redhat.com
Mon Jun 15 21:03:51 UTC 2020


I got the LDAP reference implementation performing auth really nicely
against a test LDAP with this guide:
https://www.nginx.com/blog/nginx-plus-authenticate-users/
Now there are some new challenges though:

* Great that we can auth users, but we need nginx to extract-and-forward
the group information to Pulp itself. That way a middleware can create the
user AND group info in the backend.
* We have to figure this all out again in Apache...

Maybe we should be integrating Pulp directly against django-auth-ldap [0].
I am going to try that next. The work I've done isn't 100% reusable there,
but most of it is because the test server and configs I used can all be
reused directly with django-auth-ldap. The concern with this approach is
that we would be supporting LDAP (and transitively Active Directory) but
are there other directory services Pulp needs to support?

I also emailed Bin Li asking for info on how their user and group
management works.

On Tue, Jun 9, 2020 at 11:48 AM Adrian Likins <alikins at redhat.com> wrote:

>
>
> On Fri, Jun 5, 2020 at 8:23 PM Brian Bouterse <bmbouter at redhat.com> wrote:
>
>>
>> 1) django admin (the built in django UI) will be the mechanism
>> administrators use to assign permissions to users and groups. This means
>> the use of django admin with pulp is very likely (to me).
>>
>> Hopefully https://github.com/pulp/pulpcore/pull/705 will be useful here.
>
>
>> 2) externally defined users and groups will need to be "replicated" to
>> django's db at login time, probably using headers from the webserver. This
>> is consistent w/ the approach recommended here:
>> https://www.adelton.com/django/external-authentication-for-django-projects
>>
>
> This is more or less what galaxy_ng ends up doing, at least for the
> scenarios where it runs hosted with external SSO.
>
> https://github.com/ansible/galaxy_ng/blob/master/galaxy_ng/app/auth/auth.py#L51 for
> example.
>
>
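
The login-time replication of webserver-asserted users and groups discussed in this thread, as an added example that is not part of the original messages and is not code from Pulp or galaxy_ng. The header names, the colon separator, the trusted-proxy address and the in-memory Store (standing in for Django's user and group tables) are assumptions.

```python
# Added example: header names, separator, proxy address and Store are
# assumptions standing in for the webserver config and Django's auth tables.
from dataclasses import dataclass, field

TRUSTED_PROXIES = {"127.0.0.1"}             # only the local webserver may assert identity
USER_HEADER = "HTTP_REMOTE_USER"            # hypothetical header set by the webserver
GROUPS_HEADER = "HTTP_REMOTE_USER_GROUPS"   # hypothetical, colon-separated group names


@dataclass
class Store:
    """Stand-in for the backend user and group tables."""
    groups: set = field(default_factory=set)
    memberships: dict = field(default_factory=dict)  # username -> set of group names


def parse_groups(raw):
    """Split the forwarded group list, dropping blanks and duplicates."""
    return {g.strip() for g in (raw or "").split(":") if g.strip()}


def replicate_identity(environ, store):
    """Create or update user and group records from webserver-supplied headers.

    Returns the username, or None when the request carries no trusted identity.
    """
    if environ.get("REMOTE_ADDR") not in TRUSTED_PROXIES:
        return None  # identity headers from any other peer are client-controlled
    username = (environ.get(USER_HEADER) or "").strip()
    if not username:
        return None
    asserted = parse_groups(environ.get(GROUPS_HEADER))
    store.groups |= asserted                # create groups seen for the first time
    # Replace rather than merge, so a membership revoked in the directory
    # is also revoked in the backend at the next login.
    store.memberships[username] = asserted
    return username


if __name__ == "__main__":
    store = Store()
    # Constructed WSGI environ dicts, not captured traffic.
    for env in (
        {"REMOTE_ADDR": "127.0.0.1", USER_HEADER: "alice", GROUPS_HEADER: "rpm-admins:file-readers"},
        {"REMOTE_ADDR": "127.0.0.1", USER_HEADER: "alice", GROUPS_HEADER: "file-readers"},
        {"REMOTE_ADDR": "203.0.113.9", USER_HEADER: "mallory", GROUPS_HEADER: "rpm-admins"},
    ):
        print(replicate_identity(env, store), store.memberships)
```

The third request is ignored because it does not arrive from the webserver; the same effect should also be enforced in the webserver by clearing any client-supplied copies of these headers before setting them.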