JSON Header Authentication¶
In a situation where it is not possible to use Basic Authentication
Pulp can rely on a third-party
service to authenticate a user.
Using JSONHeaderRemoteAuthentication
it’s possible to receive a payload and even use JQ
to filter
it and obtain the relevant data. The user is created in the database if one is not found.
You can set AUTHENTICATION_JSON_HEADER
and AUTHENTICATION_JSON_HEADER_JQ_FILTER
to obtain a user
given a header name and its value respectively:
AUTHENTICATION_JSON_HEADER = "HTTP_X_AUTHENTICATION_SERVICE"
AUTHENTICATION_JSON_HEADER_JQ_FILTER = ".identity.user.username"
will look for a x-authentication-service
header and its content. With the given filter, it will
extract the information from a payload like this:
{
identity: {
user: {
username: "user"
}
}
}
Enabling JSONHeaderRemoteAuthentication¶
The JSONHeaderRemoteAuthentication
can be enabled by:
1. Add the django.contrib.auth.backends.RemoteUserBackend
to
AUTHENTICATION_BACKENDS
, or some authentication backend that subclasses it.
2. You need to add the pulpcore.app.authentication.JSONHeaderRemoteAuthentication
to
REST_FRAMEWORK['DEFAULT_AUTHENTICATION_CLASSES']
setting.
3. Change the AUTHENTICATION_JSON_HEADER
to your value of choice. Remember that it
must start with HTTP_, so, if your header is x-authentication-service
, you need to set it to
HTTP_X_AUTHENTICATION_SERVICE
.
4. Set a JQ filter on AUTHENTICATION_JSON_HEADER_JQ_FILTER
. You can find the JQ query syntax and reference on its
official site here.
Remember that the content of the header must be Base64 encoded.
Enabling the ThirdParty Authentication Schema¶
In a case where Pulp is deployed behind an API Gateway, it may be necessary to indicate to the clients where and which authorization process to use. For this scenario, you may be able to provide an OpenAPI security schema to be used by clients or Pulp-CLI itself.
To enable that, you have to configure the AUTHENTICATION_JSON_HEADER_OPENAPI_SECURITY_SCHEME with a payload following the Security Scheme Object definition. Here is an example describing an OAuth2 authentication system:
AUTHENTICATION_JSON_HEADER_OPENAPI_SECURITY_SCHEME = {
"type": "oauth2",
"description": "External OAuth integration",
"flows": {
"clientCredentials": {
"tokenUrl": "https://your-identity-provider/token/issuer",
"scopes": {"api.console":"grant_access_to_pulp"}
}
}
}