[Pulp-list] Repo Auth Requirements and Design

Todd B Sanders tsanders at redhat.com
Fri Mar 25 12:41:49 UTC 2011

On 03/25/2011 08:27 AM, Bryan Kearney wrote:
> On 03/23/2011 04:28 PM, Jay Dobies wrote:
>> Hash: SHA1
>> https://fedorahosted.org/pulp/wiki/RepoAuth
>> I updated the doc given today's discussions.
>> In short, there will be two granularities of repo auth.
>> - - Individual, which is what the original design covered, that allows
>> credentials to be specified on a per-repo basis. "Repo X is protected
>> but Repo Y isn't."
>> - - Global, which secures *all* repos under a single set of credentials
>> defined at the Pulp level instead of the repo level. "I have 30 repos
>> and I want to secure access to everything, and it'd be cumbersome to add
>> the credentials to each repo individually."
> Do I need to add requirements to candlepin to support the global case? 
> We only support the individual case right now. (Unless you create a 
> product which is "everything". That is how IT does it today, they have 
> a special cert which has a content set which is "/".
> -- bk
> _______________________________________________
> Pulp-list mailing list
> Pulp-list at redhat.com
> https://www.redhat.com/mailman/listinfo/pulp-list

This shouldn't effect Candlepin.  The global setting is just short-hand 
for securing the publishing of repos from the Pulp server; allows us to 
use the same certificate-bundle for auth for all repos on the Pulp 
server (think CDN).  This is actually in support of Kalpana; as all 
repos will require a Candlepin generated entitlement certificate (even 
custom products).  Doesn't Candlepin assume a single cert bundle for all 
entitlement certificates that it issues?


More information about the Pulp-list mailing list