[Pulp-dev] RBAC Status Thread

Brian Bouterse bmbouter at redhat.com
Wed Jun 17 20:57:30 UTC 2020 

I got a lot further on this today. I have the test ldap setup with several
test users and groups. I have django-auth-ldap configured mostly
authenticating username/password against ldap instead of the internal
database first. Once that is fully working the users will auto-populate
into django and the groups should follow easily.

Once that's done I'll be unblocked to finish the RBAC PoC. The rest of the
parts are straightforward given the testing I've already done. More updates
to come.

On Mon, Jun 15, 2020 at 5:03 PM Brian Bouterse <bmbouter at redhat.com> wrote:

> I got the ldap reference implementation performing auth really nicely
> against a test ldap with this guide:
> https://www.nginx.com/blog/nginx-plus-authenticate-users/ Now there are
> some new challenges though:
>
> * Great that we can auth users, but we need nginx to extract-and-forward
> the group information to Pulp itself. That way a middleware can create the
> user AND group info in the backend.
> * we have to figure this out all again in Apache...
>
> Maybe we should be integrating Pulp directly against django-auth-ldap [0].
> I am going to try that next. The work I've done isn't 100% reusable there,
> but most of it is because the test server and configs I used can all be
> reused directly with django-auth-ldap. The concern with this approach is
> that we would be supporting LDAP (and transitively Active Directory) but
> are there other directory services Pulp needs to support?
>
> I also emailed Bin Li asking for info on how their user and group
> management works.
>
> On Tue, Jun 9, 2020 at 11:48 AM Adrian Likins <alikins at redhat.com> wrote:
>
>>
>>
>> On Fri, Jun 5, 2020 at 8:23 PM Brian Bouterse <bmbouter at redhat.com>
>> wrote:
>>
>>>
>>> 1) django admin (the built in django UI) will be the mechanism
>>> administrators use to assign permissions to users and groups. This means
>>> the use of django admin with pulp is very likely (to me).
>>>
>>> Hopefully https://github.com/pulp/pulpcore/pull/705 will be useful here.
>>
>>
>>> 2) externally defined users and groups will need to be "replicated" to
>>> django's db at login time, probably using headers from the webserver This
>>> is consistent w/ the approach recommended here:
>>> https://www.adelton.com/django/external-authentication-for-django-projects
>>>
>>
>> This is more or less what galaxy_ng ends up doing, at least for the
>> scenarios where it runs hosted with external SSO.
>>
>> https://github.com/ansible/galaxy_ng/blob/master/galaxy_ng/app/auth/auth.py#L51 for
>> example.
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pulp-dev/attachments/20200617/a81a71e7/attachment.htm>

More information about the Pulp-dev mailing list