[Pulp-list] pulpcore-client 3.2 ldap authentication

Dennis Kliban dkliban at redhat.com
Wed Apr 22 13:24:29 UTC 2020


Could you please share your settings by running the following commands on
your Pulp server:

export DJANGO_SETTINGS_MODULE=pulpcore.app.settings
export PULP_SETTINGS=/etc/pulp/settings.py  # or wherever your settings are
dynaconf list

Don't forget to obfuscate any settings you don't want to share.

On Wed, Apr 22, 2020 at 9:15 AM Bin Li (BLOOMBERG/ 120 PARK) <
bli111 at bloomberg.net> wrote:

>
> Thanks, Dennis. This fixes the issue restarting pulp. With my LDAP
> credential, now I can
> http -a id:pwd GET localhost/pulp/api/v3/status/ but getting
> "Authentication credentials were not provided" for all other uri
> /remotes/rpm/rpm/. It looks like pulp is not using external authentication
> and still needs its own authentication somehow.
>
>
> From: dkliban at redhat.com At: 04/22/20 06:52:35
> To: Bin Li (BLOOMBERG/ 120 PARK ) <bli111 at bloomberg.net>
> Cc: pulp-list at redhat.com
> Subject: Re: [Pulp-list] pulpcore-client 3.2 ldap authentication
>
> You need to replace
>
> REST_FRAMEWORK['DEFAULT_AUTHENTICATION_CLASSES'] =
>
> with
>
> REST_FRAMEWORK__DEFAULT_AUTHENTICATION_CLASSES =
>
> On Tue, Apr 21, 2020 at 10:09 PM Bin Li (BLOOMBERG/ 120 PARK) <
> bli111 at bloomberg.net> wrote:
>
>> This setting actually failed to restart pulp. See errors below.
>>
>> Apr 21 21:56:27 ip-1-76-158-49 gunicorn[24414]: NameError: name
>> 'REST_FRAMEWORK' is not defined
>> Apr 21 21:56:27 ip-1-76-158-49 gunicorn[24414]: [2020-04-21 21:56:27
>> -0400] [24417] [INFO] Worker exiting (pid: 24417)
>> Apr 21 21:56:27 ip-1-76-158-49 gunicorn[24414]: [2020-04-21 21:56:27
>> -0400] [24414] [INFO] Shutting down: Master
>> Apr 21 21:56:27 ip-1-76-158-49 gunicorn[24414]: [2020-04-21 21:56:27
>> -0400] [24414] [INFO] Reason: Worker failed to boot.
>> Apr 21 21:56:27 ip-1-76-158-49 systemd[1]: pulpcore-api.service: main
>> process exited, code=exited, status=3/NOTIMPLEMENTED
>> Apr 21 21:56:27 ip-1-76-158-49 systemd[1]: Unit pulpcore-api.service
>> entered failed state.
>> Apr 21 21:56:27 ip-1-76-158-49 systemd[1]: pulpcore-api.service failed.
>> Apr 21 21:56:27 ip-1-76-158-49 systemd[1]:
>> pulpcore-resource-manager.service holdoff time over, scheduling restart.
>>
>>
>> From: Bin Li (BLOOMBERG/ 120 PARK) At: 04/21/20 21:32:49
>> To: dkliban at redhat.com
>> Cc: pulp-list at redhat.com
>> Subject: Re: [Pulp-list] pulpcore-client 3.2 ldap authentication
>>
>> Yes, I did
>> # pip list |grep dynaconf
>> dynaconf 3.0.0rc1
>>
>>
>> From: dkliban at redhat.com At: 04/21/20 20:01:00
>> To: Bin Li (BLOOMBERG/ 120 PARK ) <bli111 at bloomberg.net>
>> Cc: pulp-list at redhat.com
>> Subject: Re: [Pulp-list] pulpcore-client 3.2 ldap authentication
>>
>> Did you update dynaconf to 3.0.0rc1? There was a bug that caused the
>> settings to get merged instead of overwritten.
>>
>> [0] https://pulp.plan.io/issues/6244
>> [1] https://pypi.org/project/dynaconf/3.0.0rc1/
>>
>> On Tue, Apr 21, 2020 at 5:59 PM Bin Li (BLOOMBERG/ 120 PARK) <
>> bli111 at bloomberg.net> wrote:
>>
>>> I have followed the setup
>>> https://www.nginx.com/blog/nginx-plus-authenticate-users/ to set up
>>> nginx LDAP authentication.
>>>
>>> This command works "http -a admin:password GET
>>> localhost/pulp/api/v3/repositories/rpm/rpm/ Cookie:nginxauth=XXXXXXX". The
>>> Cookie is the base64 encoded ldap username and password.
>>>
>>> I assume I should follow the below so I don't have to specify admin:pwd
>>>
>>> https://docs.pulpproject.org/installation/authentication.html#webserver-auth-with-reverse-proxy
>>>
>>> Adding the below to settings.py doesn't seem to work.
>>> REMOTE_USER_ENVIRON_NAME = 'HTTP_REMOTE_USER'
>>> AUTHENTICATION_BACKENDS = ['pulpcore.app.authentication.PulpNoCreateRemoteUserBackend']
>>> REST_FRAMEWORK['DEFAULT_AUTHENTICATION_CLASSES'] = (
>>>     'rest_framework.authentication.SessionAuthentication',
>>>     'pulpcore.app.authentication.PulpRemoteUserAuthentication',
>>> )
>>>
>>> I am a little confused what needs to be added for this setup.
>>> nginx <---http---> gunicorn <----WSGI----> pulpcore.app.wsgi application
>>>
>>> Please advise
>>> Thanks
>>>
>>>
>>> From: dkliban at redhat.com At: 04/17/20 10:45:31
>>> To: Bin Li (BLOOMBERG/ 120 PARK ) <bli111 at bloomberg.net>
>>> Cc: pulp-list at redhat.com
>>> Subject: Re: [Pulp-list] pulpcore-client 3.2 ldap authentication
>>>
>>> Theoretically you should be able to use pulpcore-client even with LDAP
>>> authentication in the web server. However, I have not tested this. I've
>>> only helped users that use certificate authentication in the webserver.
>>> What error are you seeing on the client side? Do you see any errors in pulp
>>> logs?
>>>
>>> On Fri, Apr 17, 2020 at 10:20 AM Bin Li (BLOOMBERG/ 120 PARK) <
>>> bli111 at bloomberg.net> wrote:
>>>
>>>> Thanks Dennis.
>>>>
>>>> We use pulpcore python client to interact with api. Once we enable ldap
>>>> on nginx, the below code that pulpcore-client authenticates with will not
>>>> work any more. I am wondering if we are still able to use pulpcore-client,
>>>> or we have to rewrite the client code. This sounds like too much work for
>>>> us for now.
>>>>
>>>> # client modules installed by pulpcore-client and pulp-rpm-client
>>>> from pulpcore.client import pulpcore, pulp_rpm
>>>>
>>>> configuration = pulpcore.Configuration()
>>>> configuration.host = 'http://localhost'
>>>> configuration.username = 'admin'
>>>> configuration.password = 'pwd'
>>>> rpm_client = pulp_rpm.ApiClient(configuration)
>>>>
>>>> From: dkliban at redhat.com At: 04/16/20 08:38:38
>>>> To: Bin Li (BLOOMBERG/ 120 PARK ) <bli111 at bloomberg.net>
>>>> Cc: pulp-list at redhat.com
>>>> Subject: Re: [Pulp-list] pulpcore-client 3.2 ldap authentication
>>>>
>>>> Please be aware that there is a bug in dynaconf 2.2 with how settings
>>>> are merged[0]. I recommend upgrading it to dynaconf 3.0.0rc1 for best
>>>> results when configuring authentication backends in pulp.
>>>>
>>>> [0] https://pulp.plan.io/issues/6244
>>>> [1] https://pypi.org/project/dynaconf/3.0.0rc1/
>>>>
>>>>
>>>> On Wed, Apr 15, 2020 at 7:02 PM Dennis Kliban <dkliban at redhat.com>
>>>> wrote:
>>>>
>>>>> Pulp 3 does not currently support multiple users. We are planning to
>>>>> add support for RBAC in the near future. However, I don't have a concrete
>>>>> timeline for that. With all that said, you still can configure the web
>>>>> server to perform authentication[0]. In this case Pulp will stop performing
>>>>> authentication and will simply look for a WSGI environment variable that
>>>>> contains the username.
>>>>>
>>>>> [0]
>>>>> https://docs.pulpproject.org/installation/authentication.html#webserver-auth
>>>>> [1]
>>>>> https://docs.pulpproject.org/settings.html?highlight=remote_user#remote-user-environ-name
>>>>>
>>>>> On Wed, Apr 15, 2020 at 3:19 PM Bin Li (BLOOMBERG/ 120 PARK) <
>>>>> bli111 at bloomberg.net> wrote:
>>>>>
>>>>>>
>>>>>> I am thinking to configure nginx with ldap authentication, but I
>>>>>> couldn't find a way to interact with the api. Does pulpcore-client work
>>>>>> with ldap authentication? Has anyone made httpie work with ldap?
>>>>>>
>>>>>> Thanks
>
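
The NameError and the double-underscore fix discussed in this thread, as an added example that is not part of the original messages and is not Pulp's or dynaconf's code. It assumes the settings file is executed on its own, as the NameError in the log indicates; load_settings(), outcome() and the DEFAULTS values are hypothetical and constructed for illustration.

```python
import copy

# Constructed stand-in for the defaults shipped in pulpcore.app.settings.
DEFAULTS = {
    "REST_FRAMEWORK": {
        "DEFAULT_AUTHENTICATION_CLASSES": (
            "rest_framework.authentication.SessionAuthentication",
            "rest_framework.authentication.BasicAuthentication",
        ),
        "DEFAULT_PERMISSION_CLASSES": (
            "rest_framework.permissions.IsAuthenticated",
        ),
    },
}

REMOTE_USER_CLASSES = (
    "rest_framework.authentication.SessionAuthentication",
    "pulpcore.app.authentication.PulpRemoteUserAuthentication",
)

# The form from the thread that stopped pulpcore-api from booting.
BROKEN = f"REST_FRAMEWORK['DEFAULT_AUTHENTICATION_CLASSES'] = {REMOTE_USER_CLASSES!r}\n"

# The corrected form: a plain top-level assignment with a double underscore.
FIXED = (
    "REMOTE_USER_ENVIRON_NAME = 'HTTP_REMOTE_USER'\n"
    "AUTHENTICATION_BACKENDS = "
    "['pulpcore.app.authentication.PulpNoCreateRemoteUserBackend']\n"
    f"REST_FRAMEWORK__DEFAULT_AUTHENTICATION_CLASSES = {REMOTE_USER_CLASSES!r}\n"
)


def load_settings(source):
    """Hypothetical loader: run the file alone, then apply KEY__SUBKEY overrides."""
    namespace = {}
    exec(source, namespace)  # defaults are not in scope while the file runs
    settings = copy.deepcopy(DEFAULTS)
    for key, value in namespace.items():
        if not key.isupper():
            continue  # skip __builtins__ and other non-setting names
        *parents, leaf = key.split("__")
        node = settings
        for part in parents:
            node = node.setdefault(part, {})
        node[leaf] = value  # the leaf is replaced, not merged with the default
    return settings


def outcome(source):
    """Return the exception name if the file fails to load, else 'ok'."""
    try:
        load_settings(source)
    except Exception as exc:
        return type(exc).__name__
    return "ok"
```

With the corrected form, BasicAuthentication is no longer among the authentication classes, so the REST API accepts the identity supplied by the web server and does not check a Pulp password itself.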