Content Authentication Mechanisms¶
Pulp allows administrators to require users to authenticate in order to receive content. Typically this is done by checking an SSL client certificate.
Content authentication is primarly done in conjunction with a Katello instance and is outside the scope of this document. However, users may want to add their own authentication methods. This is done by writing a method that returns either True or False depending on if the user is allowed access and then telling Pulp about this method via Python entry points.
Note that all authenticators must return True in order to let the request
through. Authentication is typically based on the contents of the environ
parameter. This is a dictionary containing various environment variables from
Apache. When authoring plugins, it may be helpful to log the contents of
environ
to see what is being passed in.
For example, if you wanted to create a simple method that let everyone through but logged a message, you could do something like this:
- ::
- def authenticate(environ):
- print “No checking here, just let the user through!” return True
Then, tell Pulp about this via an entry point in setup.py
. In this example,
our authenticate()
method lives in example_auth.example
.
entry_points={
'pulp_content_authenticators': [
'example_auth=example_auth.example:authenticate'
]
}
You should be all set at this point. Simply make a request and check
/var/log/httpd/error_log
to see if the message printed. Your request will
need to pass all auth checks to see the log message; once one check fails then
the rest are not executed. If the authenticate
method raises an exception
for any reason then mod_wsgi will write a message to ssl_error_log
and deny
the request.
If you would like to disable a specific plugin, simply set
disabled_authenticators
in /etc/pulp/repo_auth.conf
to the name of the
authenticator in the entry point. In the example above, we would set it to
example_auth
. Multiple entries can be given via comma-seperated values.