[Pulp-list] Repo Auth Design

Jay Dobies jason.dobies at redhat.com
Thu Mar 17 20:18:16 UTC 2011



https://fedorahosted.org/pulp/wiki/RepoAuth

That has both the requirements and design proposal.

The majority of the design consists of things we know how to solve:
accepting certs through the API, storing them on the Pulp server, and
the auth handler framework.

The biggest question is how do we know if auth should be applied to a
repo. In RHUI, it's simple: all repos are authenticated. In Pulp, we
need to check on a per-repo basis not only if they are authenticated,
but what the scheme[1] and credentials are. That's covered by the last
section, "Detection", and the big issue there is not crushing our
performance in the process. So please make sure you give that section
some thought and let me know if you have better ideas.

[1] For now, our needs are to mimic CDN's OID validation. I don't see
normal Pulp users wanting to have to deal with using Red Hat's OID
schema, so ultimately I think we'll want to have some flexibility in
letting the admin decide what sort of validation scheme is used on a
per-repo basis. The auth handler framework should largely support this now,
so otherwise I'm just taking the approach of "we'll get to this when we
have time."

-- 
Jay Dobies
RHCE# 805008743336126
Freenode: jdob
http://pulpproject.org



