Add a fully working example configuration for token authentication for pulp pod #1784

Open
simenon opened this issue Sep 30, 2024 · 1 comment


simenon commented Sep 30, 2024

The instructions at https://pulpproject.org/pulp_container/docs/admin/learn/authentication/ are not fully clear with regard to the fact that you can set up a fully working token authentication with the default pulp pod.

I suggest improving the documentation (https://pulpproject.org/pulp_container/docs/admin/learn/authentication/#token-authentication) by adding the complete instructions for setting it up with the internal authentication server provided by the Django framework.

In essence, it comes down to changing (or adding) the following in the settings:

```python
TOKEN_SERVER = 'http://localhost:8080/token/'
TOKEN_SIGNATURE_ALGORITHM = 'ES256'
PUBLIC_KEY_PATH = '/etc/pulp/certs/token_public_key.pem'
PRIVATE_KEY_PATH = '/etc/pulp/certs/token_private_key.pem'
```

The above will redirect token requests to the Pulp internal token authentication, and also uses the already configured out-of-the-box certificates at their internal path.

Also to note, and perhaps to improve: When using an external token authentication and you want to supply the keys also externally, then the keys need to be mounted and the internal mount path of the pod should be declared.

The example below silently assumes that /tmp is accessible, but that is not the default case when running Pulp in a pod:

```python
TOKEN_SERVER = "https://puffy.example.com/token/"
TOKEN_SIGNATURE_ALGORITHM = 'ES256'
PUBLIC_KEY_PATH = '/tmp/public_key.pem'
PRIVATE_KEY_PATH = '/tmp/private_key.pem'
```

Further down, there is also the command:

```
http --auth-type=jwt --auth=<TOKEN> https://puffy.example.com/v2/
```

To get this working, you must first have executed `pip install httpie-jwt-auth`. I can assume this is beyond the scope of the example, but it saves the user an online search for the package.
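A preflight check for the settings discussed in this issue, as an added example that is not part of the original thread or of Pulp's own code: run inside the pod, it reports key paths that cannot be read (for example, keys that were never mounted), an RSA key configured with an ES* algorithm, and a private key accessible to group or other. The function name `check_token_settings` and the individual checks are assumptions of this example.

```python
import os
import stat
import sys
from urllib.parse import urlparse

# Setting names are the ones quoted in the issue; every check below is an
# assumption of this added example, not behaviour of pulp_container itself.
def check_token_settings(settings):
    """Return a list of problems found; an empty list means all checks passed."""
    problems = []
    url = urlparse(settings.get("TOKEN_SERVER", ""))
    if url.scheme not in ("http", "https") or not url.netloc:
        problems.append("TOKEN_SERVER is not an http(s) URL")
    algorithm = settings.get("TOKEN_SIGNATURE_ALGORITHM", "")
    for name in ("PUBLIC_KEY_PATH", "PRIVATE_KEY_PATH"):
        path = settings.get(name)
        if not path:
            problems.append(f"{name} is not set")
            continue
        try:
            with open(path, "r", encoding="ascii", errors="replace") as fh:
                header = fh.readline().strip()
            mode = stat.S_IMODE(os.stat(path).st_mode)
        except OSError as exc:
            # Typical when the key file was never mounted into the pod.
            problems.append(f"{name}: cannot read {path} ({exc.strerror})")
            continue
        if not (header.startswith("-----BEGIN ") and header.endswith("KEY-----")):
            problems.append(f"{name}: {path} does not start with a PEM key header")
        elif algorithm.startswith("ES") and " RSA " in header:
            # ES256 is ECDSA; a PEM header naming RSA cannot match it.
            problems.append(f"{name}: RSA key configured with {algorithm}")
        if name == "PRIVATE_KEY_PATH" and mode & 0o077:
            problems.append(f"{name}: {path} is accessible to group/other (mode {mode:o})")
    return problems


if __name__ == "__main__":
    # Values copied from the issue's first settings block.
    found = check_token_settings({
        "TOKEN_SERVER": "http://localhost:8080/token/",
        "TOKEN_SIGNATURE_ALGORITHM": "ES256",
        "PUBLIC_KEY_PATH": "/etc/pulp/certs/token_public_key.pem",
        "PRIVATE_KEY_PATH": "/etc/pulp/certs/token_private_key.pem",
    })
    print("\n".join(found) or "token authentication settings look usable")
    sys.exit(1 if found else 0)
```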

Member

lubosmj commented Sep 30, 2024

> When using an external token authentication and you want to supply the keys also externally, then the keys need to be mounted and the internal mount path of the pod should be declared.

The external token server will need to be fully compatible with Pulp's RBAC and will have to be able to access Pulp's database. Currently, I am not aware of such a server. I consider this part to be superfluous.
