[Pulp-list] Repo Auth Requirements and Design

Jay Dobies jason.dobies at redhat.com
Wed Mar 23 20:28:09 UTC 2011



https://fedorahosted.org/pulp/wiki/RepoAuth

I updated the doc given today's discussions.

In short, there will be two granularities of repo auth.
- Individual, which is what the original design covered, that allows
  credentials to be specified on a per-repo basis. "Repo X is protected
  but Repo Y isn't."
- Global, which secures *all* repos under a single set of credentials
  defined at the Pulp level instead of the repo level. "I have 30 repos
  and I want to secure access to everything, and it'd be cumbersome to add
  the credentials to each repo individually."

The global case meets both RHUI as well as other Red Hat project
requirements.

The other complication that came into consideration is that if a repo is
protected, it needs to be protected if it's exposed on a CDS as well
(applies both to the individual and global cases). We will leverage the
existing communication from server to CDS to send that information. The
repo auth code has already been written in a way that will let it be its
own RPM which will then be installed on both Pulp server and CDS so they
can both apply the logic.

I'm also dropping out of tomorrow's deep dive. These changes added a lot
of stuff that won't be in place, and I'd rather review a more finished
product.

-- 
Jay Dobies
RHCE# 805008743336126
Freenode: jdob
http://pulpproject.org



