[Pulp-list] external authentication/authorization

Konstantin M. Khankin khankin.konstantin at gmail.com
Fri Sep 2 07:53:07 UTC 2016


You may try to use PAM to hook up authentication to any external source.
This is how I connected it to FreeIPA:

# Basic auth on the login endpoint only; mod_authnz_pam checks the
# credentials against the PAM service "pulp" defined below
<Location /pulp/api/v2/actions/login>
    AuthType Basic
    AuthBasicProvider PAM
    AuthPAMService pulp
    AuthName "Pulp"
    Require valid-user
</Location>

# cat /etc/pam.d/pulp
# pam_sss hands the check to sssd, which is joined to the FreeIPA domain
auth    required   pam_sss.so
account required   pam_sss.so

2016-09-02 0:50 GMT+03:00 Jay Medrano <jay.medrano at neulion.com>:

> I have the exact same issue... my cookbook/runbook instructions for
> setting up a pulp server require setting up users with passwords that are
> never actually used. The users are created that way so that they can be
> added to the admin group. If the LDAP feature is deprecated, there should
> be a better way to manage users via Apache auth groups, but at this point
> it doesn't seem that way.
>
> On a similar topic... Here is a code snippet related to some changes I
> made to the Apache auth section to allow LDAP auth when using the
> pulp-admin client. Notice that I'm using the User-Agent header to determine
> if LDAP auth is required, and I'm also defaulting apache auth when the
> login page is requested. This allows LDAP auth to work when requesting a
> cert from the pulp-admin client and also for the REST api. This also works
> when wget/curl calls submit data to pulp.
>
> <Files webservices.wsgi>
>     # pass everything that isn't a Basic auth request through to Pulp
>     SetEnvIf Request_URI "^/pulp/api/v2/actions/login/" USE_APACHE_AUTH=1
>     SetEnvIfNoCase ^User-Agent$ .+ USE_APACHE_AUTH=1
>     Order allow,deny
>     Allow from env=!USE_APACHE_AUTH
>     Satisfy Any
> </Files>
>
> From: pulp-list-bounces at redhat.com [mailto:pulp-list-bounces at redhat.com]
> On Behalf Of Kodiak Firesmith
> Sent: Thursday, September 01, 2016 2:46 PM
> To: Vladimir Vasilev <vvasilev at redhat.com>
> Cc: pulp-list <pulp-list at redhat.com>
> Subject: Re: [Pulp-list] external authentication/authorization
>
> I'm pretty sure the answer in Pulp's current form is: no.
>
> But your request might be a great suggestion to make in an earlier (June?
> July?) thread requesting feedback on Pulp 3.x auth - it'll be completely
> different so it's a blank slate to work with.  Please check out the
> archives and reply to that thread with your auth needs and wants.
>
> As an Active Directory user (mod_auth_gssapi), I agree that being able to
> tie in AD names and groups in authorization would be a great improvement.
>
>  - Kodiak
>
> On Thu, Sep 1, 2016 at 3:47 PM, Vladimir Vasilev <vvasilev at redhat.com>
> wrote:
>
> Hi all,
>
> I'm trying to set up Pulp with external authentication and authorization
> against an LDAP server.
> According to the docs, direct LDAP access from Pulp is deprecated, so I
> followed "Apache Preauthentication" [1].
> Authentication works fine: Pulp trusts Apache httpd when the REMOTE_USER
> variable is set.
> The problem is that the same LDAP user needs to exist in the internal Pulp
> database as well.
>
> Is there a way to move both authentication and authorization to an external
> provider like LDAP?
> At the end of the day I want to grant admin access to all LDAP accounts
> that are members of a particular group (memberOf attribute) without making
> local Pulp accounts.
>
> Thanks,
> Vova
>
> [1] https://docs.pulpproject.org/user-guide/authentication.html
>
> _______________________________________________
> Pulp-list mailing list
> Pulp-list at redhat.com
> https://www.redhat.com/mailman/listinfo/pulp-list
>



-- 
Ханкин Константин
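The access decision made by the quoted `<Files webservices.wsgi>` block, modelled as an added example (not code from this thread, from Apache or from Pulp): it assumes Apache 2.2 `Order`/`Allow`/`Satisfy Any` semantics and replaces the real Basic-credential check against LDAP/PAM with a flag on the constructed request.

```python
import re
from dataclasses import dataclass

# Constructed model of the quoted <Files webservices.wsgi> rules under
# Apache 2.2 Order/Allow/Satisfy semantics. Not Apache or Pulp code.
LOGIN_URI_RE = re.compile(r"^/pulp/api/v2/actions/login/")


@dataclass
class Request:
    uri: str
    headers: dict
    # Assumption: stands in for the result of the Basic credential check
    # against the configured provider (LDAP or PAM); no real check is made.
    basic_creds_valid: bool = False


def set_env(req: Request) -> dict:
    """Apply the two SetEnvIf rules and return the resulting env vars."""
    env = {}
    # SetEnvIf Request_URI "^/pulp/api/v2/actions/login/" USE_APACHE_AUTH=1
    if LOGIN_URI_RE.search(req.uri):
        env["USE_APACHE_AUTH"] = "1"
    # SetEnvIfNoCase ^User-Agent$ .+ USE_APACHE_AUTH=1
    # The attribute is a case-insensitive regex over header names and ".+"
    # matches any non-empty value, so every request sending a User-Agent
    # header gets the variable set.
    for name, value in req.headers.items():
        if re.fullmatch(r"User-Agent", name, re.IGNORECASE) and re.search(r".+", value):
            env["USE_APACHE_AUTH"] = "1"
    return env


def apache_decision(req: Request) -> str:
    """Which layer authenticates the request under the quoted config.

    'pulp'   : Allow matched (variable absent); with Satisfy Any that is
               enough, so Apache passes the request to Pulp's own auth.
    'apache' : Allow did not match but Require valid-user succeeded.
    '401'    : Allow did not match and credentials are missing or invalid.
    """
    env = set_env(req)
    # Order allow,deny denies by default; Allow from env=!USE_APACHE_AUTH
    host_allowed = "USE_APACHE_AUTH" not in env
    if host_allowed:
        return "pulp"
    if req.basic_creds_valid:
        return "apache"
    return "401"
```

Requests that carry no User-Agent and do not hit the login URI are never challenged by Apache, so for them Pulp's own certificate or local-account check is the only gate; the header is client-supplied, which is why the Apache layer here selects the authenticating component rather than adding a second one.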