[Pulp-list] Repo Auth Requirements and Design

Todd B Sanders tsanders at redhat.com
Fri Mar 25 12:41:49 UTC 2011


On 03/25/2011 08:27 AM, Bryan Kearney wrote:
> On 03/23/2011 04:28 PM, Jay Dobies wrote:
>> https://fedorahosted.org/pulp/wiki/RepoAuth
>>
>> I updated the doc given today's discussions.
>>
>> In short, there will be two granularities of repo auth.
>> - Individual, which is what the original design covered, that allows
>> credentials to be specified on a per-repo basis. "Repo X is protected
>> but Repo Y isn't."
>> - Global, which secures *all* repos under a single set of credentials
>> defined at the Pulp level instead of the repo level. "I have 30 repos
>> and I want to secure access to everything, and it'd be cumbersome to add
>> the credentials to each repo individually."
>>
>
> Do I need to add requirements to candlepin to support the global case? 
> We only support the individual case right now. (Unless you create a 
> product which is "everything". That is how IT does it today, they have 
> a special cert which has a content set which is "/".)
>
> -- bk
>
> _______________________________________________
> Pulp-list mailing list
> Pulp-list at redhat.com
> https://www.redhat.com/mailman/listinfo/pulp-list

This shouldn't affect Candlepin.  The global setting is just short-hand 
for securing the publishing of repos from the Pulp server; allows us to 
use the same certificate-bundle for auth for all repos on the Pulp 
server (think CDN).  This is actually in support of Kalpana; as all 
repos will require a Candlepin generated entitlement certificate (even 
custom products).  Doesn't Candlepin assume a single cert bundle for all 
entitlement certificates that it issues?

-Todd
