Content Authentication Mechanisms

Pulp allows administrators to require users to authenticate in order to receive content. Typically this is done by checking an SSL client certificate.

Content authentication is primarly done in conjunction with a Katello instance and is outside the scope of this document. However, users may want to add their own authentication methods. This is done by writing a method that returns either True or False depending on if the user is allowed access and then telling Pulp about this method via Python entry points.

Note that all authenticators must return True in order to let the request through. Authentication is typically based on the contents of the environ parameter. This is a dictionary containing various environment variables from Apache. When authoring plugins, it may be helpful to log the contents of environ to see what is being passed in.

For example, if you wanted to create a simple method that let everyone through but logged a message, you could do something like this:

::
def authenticate(environ):

print “No checking here, just let the user through!” return True

Then, tell Pulp about this via an entry point in setup.py. In this example, our authenticate() method lives in example_auth.example.

entry_points={
    'pulp_content_authenticators': [
        'example_auth=example_auth.example:authenticate'
    ]
}

You should be all set at this point. Simply make a request and check /var/log/httpd/error_log to see if the message printed. Your request will need to pass all auth checks to see the log message; once one check fails then the rest are not executed. If the authenticate method raises an exception for any reason then mod_wsgi will write a message to ssl_error_log and deny the request.

If you would like to disable a specific plugin, simply set disabled_authenticators in /etc/pulp/repo_auth.conf to the name of the authenticator in the entry point. In the example above, we would set it to example_auth. Multiple entries can be given via comma-seperated values.