On 09/07/12 00:39, Steve Christensen wrote:
> I have done a bit of searching in this group archive, but find very
> little information on this subject. There are apparently four ways that
> an end user might access an IPS package server - command line, web page,
> the package manager app, or just downloading a file. We are wondering
> what methods there are to create an IPS server that can handle all of
> these but requiring a login before anything happens? We also want to be
> able to count the files downloaded and keep track of what each user is
> getting. I see that Oracle does seem to have some methods to require a
> support contract for some IPS repository use. Is this or any other
> method documented anywhere? Any suggestions?

Realistically, the only way to do this is the same way pkg.oracle.com is
set up. That is, by configuring an instance of application/pkg/server
(or pkg.depotd(1M) if you will) on a non-standard port, and then setting
up Apache in a reverse proxy configuration to serve requests from the
repository.

Since pkg(1) doesn't support HTTP(S) servers that require login-based
authentication, the only practical option is the use of client SSL
Certificates and Keys. Apache can be configured to restrict access to
clients with a specific SSL Cert/Key pair. These Cert/Key files can be
combined into a pkcs12 file for import into a web browser as well to
provide authenticated access there.

An example of how to configure Apache for reverse proxy access to a
pkg.depotd server can be found here:

http://src.opensolaris.org/source/xref/pkg/gate/src/util/apache2/

Longer term, we plan on having Apache directly serve repository
contents, although the BUI and search functionality will likely be
provided via mod_wsgi.

As for tracking which files have been downloaded, that's not very useful
since files are shared between packages if they have identical content.
What you really want to know is what packages have been retrieved,
installed, updated, etc.

If you want to audit those things, you can use Apache access logging to
log the Cert/Key information plus the headers that each pkg(1) client
sends and then analyse the results using a tool like Splunk or your own
to get the metrics you're after. (I suggest looking at the headers that
a client sends when installing, updating, or uninstalling packages to
get an idea of the metrics you can gather.) This is all assuming (of
course) that you have generated unique Cert/Key pairs per entity
that you need to identify.

-Shawn
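
The auditing approach described in the reply above, as an added example (not part of the original message or of the pkg project's code): it counts successful manifest retrievals per client certificate subject and ignores file requests, since files are shared between packages. The Apache LogFormat, the `/manifest/0/` URL layout and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Assumed Apache log format (mod_ssl's %{...}x logs the client cert subject):
#   LogFormat "%h %t \"%{SSL_CLIENT_S_DN}x\" \"%r\" %>s" pkgaudit
LINE_RE = re.compile(
    r'^(?P<host>\S+) \[(?P<time>[^\]]+)\] "(?P<dn>(?:[^"\\]|\\.)*)" '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})$'
)
# Assumed depot URL layout: [/<publisher>]/manifest/0/<url-encoded FMRI>
MANIFEST_RE = re.compile(r'/manifest/0/(?P<fmri>[^/?]+)')

SAMPLE_LOG = [  # constructed lines, not captured from a real server
    '192.0.2.10 [07/Sep/2012:10:01:02 +0000] "CN=build-host-01,O=Example" '
    '"GET /manifest/0/web%2Fserver%2Fapache-22@2.2.22 HTTP/1.1" 200',
    '192.0.2.10 [07/Sep/2012:10:01:03 +0000] "CN=build-host-01,O=Example" '
    '"GET /file/1/0123abcd HTTP/1.1" 200',
    '192.0.2.22 [07/Sep/2012:10:05:40 +0000] "CN=lab-host-07,O=Example" '
    '"GET /manifest/0/web%2Fserver%2Fapache-22@2.2.22 HTTP/1.1" 200',
    '192.0.2.22 [07/Sep/2012:10:05:41 +0000] "CN=lab-host-07,O=Example" '
    '"GET /manifest/0/editor%2Fvim@7.3 HTTP/1.1" 404',
]

def packages_by_client(lines):
    """Return {cert subject DN: Counter({package name: manifest fetches})}."""
    result = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["method"] != "GET" or m["status"] != "200":
            continue  # malformed line, non-retrieval, or failed request
        hit = MANIFEST_RE.search(m["path"])
        if not hit:
            continue  # /file/ and other requests do not identify a package
        # The FMRI is URL-encoded in the request path; keep only the name.
        name = unquote(hit["fmri"]).split("@", 1)[0]
        result[m["dn"]][name] += 1
    return dict(result)

if __name__ == "__main__":
    for dn, counts in packages_by_client(SAMPLE_LOG).items():
        print(dn, dict(counts))
```
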