[Pulp-dev] Moving Content Guard Authorization to Webserver and out of pulp-content
Justin Sherrill
jsherril at redhat.com
Wed Mar 11 18:34:22 UTC 2020
We had discussed base64 encoding the cert in the webserver on the way in
and then letting cert guard decode it. While that's not ideal I think
it has some advantages over moving the full auth into the webserver.
What was your motivation for going with that approach over the base64
encoding approach?
On 3/11/20 2:11 PM, Brian Bouterse wrote:
> tl;dr: What we have today cannot work with rhsm certificates which
> Katello uses. To resolve, we need to have content guard checking moved
> to the webserver configs for apache and nginx and not done in
> pulp-content as it is today. https://pulp.plan.io/issues/6323
>
> We need to bring the auth to where TLS is terminated because we can't
> bring the client certs to pulp-content due to invalid header
> characters. As is, pulp-certguard cannot work with Katello's cert
> types (rhsm certs) so that is driving my changes.
>
> If anyone has major concerns or other ideas please let me know. In the
> meantime I'm proceeding moving the authorization to the webserver and
> then updating pulp-certguard to work with that. This will make
> pulp-certguard's GA tied to pulpcore 3.3.0. Feedback is welcome.
>
> [0]: https://pulp.plan.io/issues/6323
>
> Thanks,
> Brian