Overview

By default, Pulp supports Basic and Session authentication. The Basic Authentication checks the username and password against the internal users database.

Note

This authentication is only for the REST API. Clients fetching binary data have their identity verified and authorization checked using a ContentGuard.

Which URLs Require Authentication?

All URLs in the REST API require authentication except the Status API, /pulp/api/v3/status/.

Concepts

Authentication in Pulp is provided by Django Rest Framework and Django together.

Django provides the AUTHENTICATION_BACKENDS which defines a set of behaviors to check usernames and passwords against. By default it is set to:

AUTHENTICATION_BACKENDS = [
    'django.contrib.auth.backends.ModelBackend',  # Django's users, groups, and permissions
    'pulpcore.backends.ObjectRolePermissionBackend'  # Pulp's RBAC object and model permissions
]

Django Rest Framework defines the source usernames and passwords come from with the DEFAULT_AUTHENTICATION_CLASSES setting. By default it is set to:

REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES': [
        'rest_framework.authentication.SessionAuthentication',  # Session Auth
        'rest_framework.authentication.BasicAuthentication'  # Basic Auth
    ]
}