Authentication

This guide covers basic authentication and authorization in the Pulp Platform.

Basic Authentication of Users

All pulp-admin commands accept username and password to capture authentication credentials.

$ pulp-admin --help
Usage: pulp-admin [options]

Options:
  -h, --help            show this help message and exit
  -u USERNAME, --username=USERNAME
                        username for the Pulp server; if used will bypass the
                        stored certificate and override a username specified
                        in ~/.pulp/admin.conf
  -p PASSWORD, --password=PASSWORD
                        password for the Pulp server; must be used with
                        --username. if used will bypass the stored certificate
                        and override a password specified in ~/.pulp/admin.conf
  --config=CONFIG       absolute path to the configuration file
  --map                 prints a map of the CLI sections and commands
  -v                    enables verbose output; use twice for increased
                        verbosity with debug information

Pulp Admin client allows the user to specify username and password credentials in the user’s local admin.conf ~/.pulp/admin.conf. Using the conf file avoids having to pass user credentials repeatedly using the command line. Also reading the password from a file that can only be read by certain users is more secure because it cannot be shown by listing the system processes.

# Add the following snippet to ``~/.pulp/admin.conf``

[auth]
username: admin
password: admin

# This enables the user to run pulp-admin commands without providing a username
# and password using the command line

$ pulp-admin repo list
+----------------------------------------------------------------------+
                              Repositories
+----------------------------------------------------------------------+
pulp-admin searches for a username and password to use in the following order:
  • credentials specified from the command line.

  • credentials set in the user’s ~/.pulp/admin.conf.

Pulp Server installation comes with one default user created with admin level privileges. Username and password for this user can be configured in /etc/pulp/server.conf at the time of installation.

Below is an example of basic authentication of users based on their username and password when running a pulp-admin command.

$ pulp-admin repo list
Enter password:
+----------------------------------------------------------------------+
                              Repositories
+----------------------------------------------------------------------+

Note that username and password are parameters to the pulp-admin command, not the sub-command, like repo list in this case. You can also pass the password parameter on the command line with --password argument, but this is not a recommended method. Users should use interactive password as a preferred method.

Rather than specifying the credentials on each call to pulp-admin, a user can log in to the Pulp server. Logging in stores a user credentials certificate at ~/.pulp/user-cert.pem.

$ pulp-admin login -u admin
Enter password:
Successfully logged in. Session certificate will expire at Dec  6 21:47:33 2012
GMT.

Subsequent commands to pulp-admin will no longer require the username-password arguments and will instead use the user certificate. The user can be logged out by using the pulp-admin logout command.

$ pulp-admin logout
Session certificate successfully removed.

Layout of Auth Section

The root level auth section contains sub-sections to create and manage Pulp users, roles and their permissions for various resources.

$ pulp-admin auth
Usage: pulp-admin auth [SUB_SECTION, ..] COMMAND
Description: user, role and permission commands

Available Sections:
permission - manage granting, revoking and listing permissions for resources
role       - manage user roles
user       - manage users

Users

Users can be created to perform various administrative tasks on the Pulp Server. You can configure them with either admin level access or limited access to a few resources on the server.

$ pulp-admin auth user --help
Usage: pulp-admin user [SUB_SECTION, ..] COMMAND
Description: manage users

Available Commands:
create - creates a user
delete - deletes a user
list   - lists summary of users registered to the Pulp server
search - search items while optionally specifying sort, limit, skip, and requested fields
update - changes metadata of an existing user

Here is an example of creating and updating a user:

$ pulp-admin auth user create --login test-user
Enter password for user [test-user] :
Re-enter password for user [test-user]:
User [test-user] successfully created

If you intend to update the password for a user, you can use -p flag as shown in the example below to be prompted for a new password.

$ pulp-admin auth user update --login test-user --name "Test User" -p
Enter new password for user [test-user] :
Re-enter new password for user [test-user]:
User [test-user] successfully updated

You can also pass it on the command line with --password argument, but this method is just to provide a simpler way for scripting and is not recommended. Users should use interactive password update as a preferred method.

The user list command lists a summary of all users. It also accepts arguments to list all the details or specific fields for users.

$ pulp-admin auth user list --details
+----------------------------------------------------------------------+
                                 Users
+----------------------------------------------------------------------+

Login:  admin
Name:   admin
Roles:  super-users


Login:  test-user
Name:   test-user
Roles:
$ pulp-admin auth user list --fields roles
+----------------------------------------------------------------------+
                                 Users
+----------------------------------------------------------------------+

Login:  admin
Roles:  super-users


Login:  test-user
Roles:

Users can be removed from the Pulp server using the user delete command.

$ pulp-admin auth user delete --login test-user
User [test-user] successfully deleted

Users belonging to the super-users role can be deleted as well, as long as there is at least one such user remaining in the system.

$ pulp-admin auth user delete --login admin
The server indicated one or more values were incorrect. The server provided the
following error message:

The last superuser [admin] cannot be deleted

Permissions

Permissions to various resources can be accessed or manipulated using pulp-admin auth permission commands. There are 5 types of permissions - CREATE, READ, UPDATE, DELETE and EXECUTE. Permissions are granted and revoked from a resource which is essentially a REST API path with the /pulp/api prefix removed.

Here are a few examples of accessing and manipulation permissions:

$ pulp-admin auth permission list --resource /
+----------------------------------------------------------------------+
                               Permissions for /
+----------------------------------------------------------------------+

Admin:  CREATE, READ, UPDATE, DELETE, EXECUTE

The following command will give permissions to create, read and update repositories to test-user.

$ pulp-admin auth permission grant --resource /v2/repositories/ --login test-user -o create -o update -o read
Permissions [/v2/repositories/ : ['CREATE', 'UPDATE', 'READ']] successfully granted
to user [test-user]
$ pulp-admin auth permission list --resource /v2/repositories/
+----------------------------------------------------------------------+
                 Permissions for /repositories
+----------------------------------------------------------------------+

Test-user:  CREATE, UPDATE, READ

The following command will revoke permissions to create and update repositories from test-user.

$ pulp-admin auth permission revoke --resource /v2/repositories/ --login test-user -o create -o update
Permissions [/v2/repositories/ : ['CREATE', 'UPDATE']] successfully revoked from
user [test-user]

Note

The /v2 prefix and the trailing / are always present in a resource name for permission commands.

Roles

In order to efficiently administer permissions, Pulp uses the notion of roles to enable an administrator to grant and revoke permission on a resource to a group of users instead of individually. The pulp-admin auth role command provides the ability to list the currently defined roles, create/delete roles, and manage user membership in a role. Pulp installation comes with a default super-users role with admin level privileges, and the default admin user belongs to this role.

The role list command is used to list the current roles.

$ pulp-admin auth role list
+----------------------------------------------------------------------+
                                Roles
+----------------------------------------------------------------------+

Id:     super-users
Users:  admin

A role can be created and deleted by specifying a role id.

$ pulp-admin auth role create --role-id consumer-admin
Role [consumer-admin] successfully created

$ pulp-admin auth role delete --role-id consumer-admin
Role [consumer-admin] successfully deleted

A user can be added and removed from a role using role user add and role user remove commands respectively. Note that both the user and the role should exist on the pulp server.

$ pulp-admin auth role user add --role-id super-users --login test-user
User [test-user] successfully added to role [super-users]

$ pulp-admin auth role user remove --role-id super-users --login test-user
User [test-user] successfully removed from role [super-users]

Permissions can be granted and revoked from roles just like users. In this case all the users belonging to the given role will inherit these permissions.

$ pulp-admin auth permission grant --resource /v2/repositories/ --role-id test-role -o read
Permissions [/v2/repositories/ : ['READ']] successfully granted to role [test-role]

$ pulp-admin auth permission revoke --resource /v2/repositories/ --role-id test-role -o read
Permissions [/v2/repositories/ : ['READ']] successfully revoked from role [test-role]