[Pulp-list] Repo Auth Requirements and Design

Bryan Kearney bkearney at redhat.com
Fri Mar 25 12:54:36 UTC 2011


On 03/25/2011 08:41 AM, Todd B Sanders wrote:
> On 03/25/2011 08:27 AM, Bryan Kearney wrote:
>> On 03/23/2011 04:28 PM, Jay Dobies wrote:
>>>
>>> https://fedorahosted.org/pulp/wiki/RepoAuth
>>>
>>> I updated the doc given today's discussions.
>>>
>>> In short, there will be two granularities of repo auth.
>>> - Individual, which is what the original design covered, that allows
>>> credentials to be specified on a per-repo basis. "Repo X is protected
>>> but Repo Y isn't."
>>> - Global, which secures *all* repos under a single set of credentials
>>> defined at the Pulp level instead of the repo level. "I have 30 repos
>>> and I want to secure access to everything, and it'd be cumbersome to add
>>> the credentials to each repo individually."
>>>
>>
>> Do I need to add requirements to candlepin to support the global case?
>> We only support the individual case right now. (Unless you create a
>> product which is "everything". That is how IT does it today, they have
>> a special cert which has a content set which is "/".)
>>
>> -- bk
>
> This shouldn't affect Candlepin. The global setting is just short-hand
> for securing the publishing of repos from the Pulp server; allows us to
> use the same certificate-bundle for auth for all repos on the Pulp
> server (think CDN). This is actually in support of Kalpana; as all repos
> will require a Candlepin generated entitlement certificate (even custom
> products). Doesn't Candlepin assume a single cert bundle for all
> entitlement certificates that it issues?
>
> -Todd

A single CA, yes.

-- bk
