[Pulp-dev] Moving Content Guard Authorization to Webserver and out of pulp-content

Justin Sherrill jsherril at redhat.com
Wed Mar 11 18:34:22 UTC 2020

We had discussed base64 encoding the cert in the webserver on the way in 
and then letting cert guard decode it.  While that's not ideal I think 
it has some advantages over moving the full auth into the webserver.  
What was your motivation for going with that approach over the base64 
encoding approach?

On 3/11/20 2:11 PM, Brian Bouterse wrote:
> tl;dr: What we have today cannot work with rhsm certificates which 
> Katello uses. To resolve, we need to have content guard checking moved 
> to the webserver configs for apache and nginx and not done in 
> pulp-content as it is today. https://pulp.plan.io/issues/6323
> We need to bring the auth to where TLS is terminated because we can't 
> being the client certs to pulp-content due to invalid header 
> characters. As is, pulp-certguard cannot work with Katello's cert 
> types (rhsm certs) so that is driving my changes.
> If anyone has major concerns or other ideas please let me know. In the 
> meantime I'm proceeding moving the authorization to the webserver and 
> then updating pulp-certguard to work with that. This will make 
> pulp-certguard's GA tied to pulpcore 3.3.0. Feedback is welcome.
> [0]: https://pulp.plan.io/issues/6323
> Thanks,
> Brian
> _______________________________________________
> Pulp-dev mailing list
> Pulp-dev at redhat.com
> https://www.redhat.com/mailman/listinfo/pulp-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pulp-dev/attachments/20200311/a94ca42d/attachment.htm>

More information about the Pulp-dev mailing list