Re: [Pulp-list] Feedback needed: new user/auth system in 3.0
Thank you everyone for your feedback. A working proposal for authentication is available on the development email list, so please feel free to join the discussion there. https://www.redhat.com/archives/pulp-dev/2016-September/msg00049.html Michael On Mon, Aug 29, 2016 at 9:20 AM, Russell E. Glaue wrote: > We use the current two authentication methods. > > 1. We use cert-based auth for connections from our continuous integration > environment, managed by Jenkins. > 2. We also use the basic auth for connections to the REST API. > > We'd love to have something more REST friendly, like JSON Web Tokens > (JWT), that we can use in place of Basic Auth. > https://jwt.io/ > > Though we do like and want to keep Basic Auth too, for some one-off tasks. > > > Is the community considering to use the Django REST framework? > http://www.django-rest-framework.org/ > It supports Oauth but it would be great to have the JWT support! > https://github.com/GetBlimp/django-rest-framework-jwt > > > -RG > > > - Original Message - > From: "Aurélien DESBRIÈRES" > To: "Konstantin M. Khankin" , "Michael > Hrivnak" > Cc: "pulp-list" > Sent: Sunday, August 28, 2016 6:53:51 AM > Subject: Re: [Pulp-list] Feedback needed: new user/auth system in 3.0 > > > > > Hum ... Hope I will have not to rebuild all once again. > > > On Sun, Aug 28, 2016, 12:41 PM Konstantin M. Khankin < > khankin.konstan...@gmail.com > wrote: > > > > I use PAM auth, which is in turn authenticates login requests through > FreeIPA. I don't create any roles other than admin though > > > > 2016-07-15 22:29 GMT+03:00 Michael Hrivnak < mhriv...@redhat.com > : > > > > As many of you know, we are switching from mongodb to postgres in Pulp > 3.0. This will come with quite a few changes. For one in particular, we > need your input about how you use Pulp's user and permission system. > Anything you can tell us about how you use the current user/perm system > would be very helpful. We are considering the use of Django's built-in > user/auth system [0] as a replacement for what Pulp currently has. > > > If we hear silence, we might be more likely to change things, so let us > know what is important to you. > > > > > Have you integrated Pulp with a separate authentication source? Which one? > > > Do you assign permissions to specific users? How granular do you need that > to be? > > > Have you created "roles" in Pulp? > > > Anything else you want us to know or to think about? > > > If you would like to provide input confidentially, you are welcome to > contact me directly. > > > [0] https://docs.djangoproject.com/en/1.8/topics/auth/ > > > Thank you! > Michael > ___ > Pulp-list mailing list > Pulp-list@redhat.com > https://www.redhat.com/mailman/listinfo/pulp-list > > > > > > -- > > Ханкин Константин > ___ > Pulp-list mailing list > Pulp-list@redhat.com > https://www.redhat.com/mailman/listinfo/pulp-list > ___ > Pulp-list mailing list > Pulp-list@redhat.com > https://www.redhat.com/mailman/listinfo/pulp-list > ___ Pulp-list mailing list Pulp-list@redhat.com https://www.redhat.com/mailman/listinfo/pulp-list
Re: [Pulp-list] Feedback needed: new user/auth system in 3.0
We use the current two authentication methods. 1. We use cert-based auth for connections from our continuous integration environment, managed by Jenkins. 2. We also use the basic auth for connections to the REST API. We'd love to have something more REST friendly, like JSON Web Tokens (JWT), that we can use in place of Basic Auth. https://jwt.io/ Though we do like and want to keep Basic Auth too, for some one-off tasks. Is the community considering to use the Django REST framework? http://www.django-rest-framework.org/ It supports Oauth but it would be great to have the JWT support! https://github.com/GetBlimp/django-rest-framework-jwt -RG - Original Message - From: "Aurélien DESBRIÈRES" To: "Konstantin M. Khankin" , "Michael Hrivnak" Cc: "pulp-list" Sent: Sunday, August 28, 2016 6:53:51 AM Subject: Re: [Pulp-list] Feedback needed: new user/auth system in 3.0 Hum ... Hope I will have not to rebuild all once again. On Sun, Aug 28, 2016, 12:41 PM Konstantin M. Khankin < khankin.konstan...@gmail.com > wrote: I use PAM auth, which is in turn authenticates login requests through FreeIPA. I don't create any roles other than admin though 2016-07-15 22:29 GMT+03:00 Michael Hrivnak < mhriv...@redhat.com > : As many of you know, we are switching from mongodb to postgres in Pulp 3.0. This will come with quite a few changes. For one in particular, we need your input about how you use Pulp's user and permission system. Anything you can tell us about how you use the current user/perm system would be very helpful. We are considering the use of Django's built-in user/auth system [0] as a replacement for what Pulp currently has. If we hear silence, we might be more likely to change things, so let us know what is important to you. Have you integrated Pulp with a separate authentication source? Which one? Do you assign permissions to specific users? How granular do you need that to be? Have you created "roles" in Pulp? Anything else you want us to know or to think about? If you would like to provide input confidentially, you are welcome to contact me directly. [0] https://docs.djangoproject.com/en/1.8/topics/auth/ Thank you! Michael ___ Pulp-list mailing list Pulp-list@redhat.com https://www.redhat.com/mailman/listinfo/pulp-list -- Ханкин Константин ___ Pulp-list mailing list Pulp-list@redhat.com https://www.redhat.com/mailman/listinfo/pulp-list ___ Pulp-list mailing list Pulp-list@redhat.com https://www.redhat.com/mailman/listinfo/pulp-list ___ Pulp-list mailing list Pulp-list@redhat.com https://www.redhat.com/mailman/listinfo/pulp-list
Re: [Pulp-list] Feedback needed: new user/auth system in 3.0
Hum ... Hope I will have not to rebuild all once again. On Sun, Aug 28, 2016, 12:41 PM Konstantin M. Khankin < khankin.konstan...@gmail.com> wrote: > I use PAM auth, which is in turn authenticates login requests through > FreeIPA. I don't create any roles other than admin though > > 2016-07-15 22:29 GMT+03:00 Michael Hrivnak : > >> As many of you know, we are switching from mongodb to postgres in Pulp >> 3.0. This will come with quite a few changes. For one in particular, we >> need your input about how you use Pulp's user and permission system. >> Anything you can tell us about how you use the current user/perm system >> would be very helpful. We are considering the use of Django's built-in >> user/auth system [0] as a replacement for what Pulp currently has. >> >> If we hear silence, we might be more likely to change things, so let us >> know what is important to you. >> >> Have you integrated Pulp with a separate authentication source? Which one? >> >> Do you assign permissions to specific users? How granular do you need >> that to be? >> >> Have you created "roles" in Pulp? >> >> Anything else you want us to know or to think about? >> >> If you would like to provide input confidentially, you are welcome to >> contact me directly. >> >> [0] https://docs.djangoproject.com/en/1.8/topics/auth/ >> >> Thank you! >> Michael >> >> ___ >> Pulp-list mailing list >> Pulp-list@redhat.com >> https://www.redhat.com/mailman/listinfo/pulp-list >> > > > > -- > Ханкин Константин > ___ > Pulp-list mailing list > Pulp-list@redhat.com > https://www.redhat.com/mailman/listinfo/pulp-list ___ Pulp-list mailing list Pulp-list@redhat.com https://www.redhat.com/mailman/listinfo/pulp-list
Re: [Pulp-list] Feedback needed: new user/auth system in 3.0
I use PAM auth, which is in turn authenticates login requests through FreeIPA. I don't create any roles other than admin though 2016-07-15 22:29 GMT+03:00 Michael Hrivnak : > As many of you know, we are switching from mongodb to postgres in Pulp > 3.0. This will come with quite a few changes. For one in particular, we > need your input about how you use Pulp's user and permission system. > Anything you can tell us about how you use the current user/perm system > would be very helpful. We are considering the use of Django's built-in > user/auth system [0] as a replacement for what Pulp currently has. > > If we hear silence, we might be more likely to change things, so let us > know what is important to you. > > Have you integrated Pulp with a separate authentication source? Which one? > > Do you assign permissions to specific users? How granular do you need that > to be? > > Have you created "roles" in Pulp? > > Anything else you want us to know or to think about? > > If you would like to provide input confidentially, you are welcome to > contact me directly. > > [0] https://docs.djangoproject.com/en/1.8/topics/auth/ > > Thank you! > Michael > > ___ > Pulp-list mailing list > Pulp-list@redhat.com > https://www.redhat.com/mailman/listinfo/pulp-list > -- Ханкин Константин ___ Pulp-list mailing list Pulp-list@redhat.com https://www.redhat.com/mailman/listinfo/pulp-list
Re: [Pulp-list] Feedback needed: new user/auth system in 3.0
1. We use the api to script creation of Pulp users and roles 2. We use the api to script assignment of permissions on repos to Pulp roles and users. 3. Users authenticate against our directory using Kerberos (mod_auth_kerb). Subsequent auths can be done using the certificate granted by Pulp until the cert expires and then kerberos must be used to once again get a new cert. This took a while to get right, but it works for us now. On Fri, Jul 15, 2016 at 8:29 PM, Michael Hrivnak wrote: > As many of you know, we are switching from mongodb to postgres in Pulp 3.0. > This will come with quite a few changes. For one in particular, we need your > input about how you use Pulp's user and permission system. Anything you can > tell us about how you use the current user/perm system would be very > helpful. We are considering the use of Django's built-in user/auth system > [0] as a replacement for what Pulp currently has. > > If we hear silence, we might be more likely to change things, so let us know > what is important to you. > > Have you integrated Pulp with a separate authentication source? Which one? > > Do you assign permissions to specific users? How granular do you need that > to be? > > Have you created "roles" in Pulp? > > Anything else you want us to know or to think about? > > If you would like to provide input confidentially, you are welcome to > contact me directly. > > [0] https://docs.djangoproject.com/en/1.8/topics/auth/ > > Thank you! > Michael > > ___ > Pulp-list mailing list > Pulp-list@redhat.com > https://www.redhat.com/mailman/listinfo/pulp-list ___ Pulp-list mailing list Pulp-list@redhat.com https://www.redhat.com/mailman/listinfo/pulp-list
Re: [Pulp-list] Feedback needed: new user/auth system in 3.0
Additional thoughts from working on some non-IT team roles today: It would be super nice if repository paths could be nested in the API path. Meaning I could grant permission to /v3/repositories/some_team/, then the folks in the role with permission would be able to manage their own repository creation, package upload, deletions etc without each repository having to be enumerated individually in the role/permission map. I can cope with the tedium of managing individual repo permissions at the outset with for-loops, but the continual maintenance of these permissions by a pulp super-user rather than delegating to the team that needs the repos, that's a substantial bottleneck I'd love to see eased in Pulp 3. On Fri, Jul 15, 2016 at 9:32 PM, Kodiak Firesmith wrote: > Hi Michael, Pulp Devs, > > I'm currently running Pulp independent from Katello/Foreman/Satellite 6 > within a medium sized RHEL infrastructure that uses both Active Directory > and RADIUS + hardware OTP for authentication in as many services as > possible. > > We serve a mix of Red Hat CDN, third-party, and internal YUM repositories > to RHEL 5, 6, and 7 clients via emplacement of simple .repo files via > Puppet. We don't use Pulp agents on clients now, but I plan to take a hard > look at what you come up with on that front for Pulp 3. We would love to > get package state information of clients via Puppet. > > As for pulp-admin access and auth, we allow for scripted processes running > as root to use /root/.pulp/admin.conf's [auth] section to interact with > Pulp without having to have an active 'user-cert.pem' file. I would much > rather be able to use the host's Kerberos host principal though, as we try > to do with most rootly interactions needing authentication. > > For user auth, we have set up mod_auth_gssapi and make use of the Apache > REMOTE_USER variable (https://pulp.plan.io/issues/1728). Doing this > works insomuch as a user can type 'pulp-admin login -u > kodiak@AD.SOME_COLLEGE.EDU', enter their AD password, and obtain a client > certificate from pulp to grant their continued access for some period of > time. There are a number of drawbacks that I'd love to see addressed in > Pulp 3: > > - Setting up mod_auth_gssapi to authenticate /pulp/api/v2/actions/login > breaks the ability to use local (non-AD) accounts *at all*, unless they use > the ~/.pulp/admin.conf[auth], which is inherently insecure as user/passwd > combos are stored on-disk unencrypted. (If Pulp at least prompted for > user/password with each command, we have a way to programmatically pull > that from an encrypted file via a script but that's getting into the > weeds...) >TL;DR - going with mod_auth_gssapi is an all-or-nothing proposition and > that is not optimal. > - Ideally, you should be able to feed mod_auth_gssapi a Kerberos service > principal or a TGT; neither of which currently work in Pulp due to the Pulp > 2.x python code using a library that can't grok it. (sorry can't find the > abandoned un-merged pull that tries to fix this partially...) > - Pulp obviously has no path to 2FA and I can't imagine making it work > with RADIUS currently and don't know where to start. But for us users who > are bound by compliance to use 2FA, we can kind of meet that requirement as > long as we are obtaining a TGT via 2FA (workstation login for example), so > if at least we can pass a ticket to Pulp, that solves it for us. If anyone > on the Foreman team is snooping this thread, please note we really need 2FA > / SSO (that doesn't require FreeIPA!) for Satellite 6, hint hint... > > Now onto repository roles, I don't have all my thoughts on those composed > quite yet because I only have a few restricted users on my pulp server so > far, but I'm getting ready to add a slew soon, so I'll probably have input > on that in a couple weeks. Right now I can at least say that it needs MOAR > DOCs, and it would be super swell if it came with some useful > pre-configured roles already in the database on new installations, if for > no other reason to at least give practical examples on what paths are > necessary for which actions. I recall having to watch the logs in real > time with a test account that wasn't a super-user. Looking at my roles > right now, I see I've created a couple generic roles I can share without > spending too much time sanitizing: > > Id:content-publisher > Display Name: content-publisher > Description: Allows content such as RPMs, ISOs, Kickstarts, and other > files to >be uploaded, assuming the user has additional privileges on > the >repository they are to be uploaded into > Users: jim_...@college.edu > Permissions: > /v2/content/repositories/: READ > /v2/content/uploads/: READ, CREATE, UPDATE, DELETE > > > Id:repository-viewer > Display Name: repository-viewer > Description: Allows user to view all repositories > Users: jim_...@college.edu > Permissio
Re: [Pulp-list] Feedback needed: new user/auth system in 3.0
Hi Michael, Pulp Devs, I'm currently running Pulp independent from Katello/Foreman/Satellite 6 within a medium sized RHEL infrastructure that uses both Active Directory and RADIUS + hardware OTP for authentication in as many services as possible. We serve a mix of Red Hat CDN, third-party, and internal YUM repositories to RHEL 5, 6, and 7 clients via emplacement of simple .repo files via Puppet. We don't use Pulp agents on clients now, but I plan to take a hard look at what you come up with on that front for Pulp 3. We would love to get package state information of clients via Puppet. As for pulp-admin access and auth, we allow for scripted processes running as root to use /root/.pulp/admin.conf's [auth] section to interact with Pulp without having to have an active 'user-cert.pem' file. I would much rather be able to use the host's Kerberos host principal though, as we try to do with most rootly interactions needing authentication. For user auth, we have set up mod_auth_gssapi and make use of the Apache REMOTE_USER variable (https://pulp.plan.io/issues/1728). Doing this works insomuch as a user can type 'pulp-admin login -u kodiak@AD.SOME_COLLEGE.EDU', enter their AD password, and obtain a client certificate from pulp to grant their continued access for some period of time. There are a number of drawbacks that I'd love to see addressed in Pulp 3: - Setting up mod_auth_gssapi to authenticate /pulp/api/v2/actions/login breaks the ability to use local (non-AD) accounts *at all*, unless they use the ~/.pulp/admin.conf[auth], which is inherently insecure as user/passwd combos are stored on-disk unencrypted. (If Pulp at least prompted for user/password with each command, we have a way to programmatically pull that from an encrypted file via a script but that's getting into the weeds...) TL;DR - going with mod_auth_gssapi is an all-or-nothing proposition and that is not optimal. - Ideally, you should be able to feed mod_auth_gssapi a Kerberos service principal or a TGT; neither of which currently work in Pulp due to the Pulp 2.x python code using a library that can't grok it. (sorry can't find the abandoned un-merged pull that tries to fix this partially...) - Pulp obviously has no path to 2FA and I can't imagine making it work with RADIUS currently and don't know where to start. But for us users who are bound by compliance to use 2FA, we can kind of meet that requirement as long as we are obtaining a TGT via 2FA (workstation login for example), so if at least we can pass a ticket to Pulp, that solves it for us. If anyone on the Foreman team is snooping this thread, please note we really need 2FA / SSO (that doesn't require FreeIPA!) for Satellite 6, hint hint... Now onto repository roles, I don't have all my thoughts on those composed quite yet because I only have a few restricted users on my pulp server so far, but I'm getting ready to add a slew soon, so I'll probably have input on that in a couple weeks. Right now I can at least say that it needs MOAR DOCs, and it would be super swell if it came with some useful pre-configured roles already in the database on new installations, if for no other reason to at least give practical examples on what paths are necessary for which actions. I recall having to watch the logs in real time with a test account that wasn't a super-user. Looking at my roles right now, I see I've created a couple generic roles I can share without spending too much time sanitizing: Id:content-publisher Display Name: content-publisher Description: Allows content such as RPMs, ISOs, Kickstarts, and other files to be uploaded, assuming the user has additional privileges on the repository they are to be uploaded into Users: jim_...@college.edu Permissions: /v2/content/repositories/: READ /v2/content/uploads/: READ, CREATE, UPDATE, DELETE Id:repository-viewer Display Name: repository-viewer Description: Allows user to view all repositories Users: jim_...@college.edu Permissions: /v2/repositories/: READ I can say from experience this was probably one of the more annoying aspects to cope with as a new user. Anyhow, please let me know if anything needs more explaining - it's kind of a brain dump. - Kodiak Firesmith On Fri, Jul 15, 2016 at 3:29 PM, Michael Hrivnak wrote: > As many of you know, we are switching from mongodb to postgres in Pulp > 3.0. This will come with quite a few changes. For one in particular, we > need your input about how you use Pulp's user and permission system. > Anything you can tell us about how you use the current user/perm system > would be very helpful. We are considering the use of Django's built-in > user/auth system [0] as a replacement for what Pulp currently has. > > If we hear silence, we might be more likely to change things, so let us > know what is important to you. > > Have you integrated Pulp with a separate authentication source? Which one