As an ansible-galaxy CLI user, I can configure a token and auth_url and have pulp_ansible protect my content - Githubissues

pulp / pulp_ansible

A Pulp plugin that manages Ansible content, i.e. roles, collections

https://docs.pulpproject.org/pulp_ansible/

GNU General Public License v2.0

60 stars 54 forks source link

As an ansible-galaxy CLI user, I can configure a token and auth_url and have pulp_ansible protect my content #711

Open pulpbot opened 2 years ago

pulpbot commented 2 years ago

Author: @bmbouter (bmbouter)

Redmine Issue: 7118, https://pulp.plan.io/issues/7118

Background

The authentication capabilities of the ansible-galaxy CLI are described here: https://docs.ansible.com/ansible/latest/user_guide/collections_using.html#configuring-the-ansible-galaxy-client

There are two credentials:

auth_url: The url to fetch the session token from
token: The long-lived credential that will give a user a session-token

Requirements

pulp_ansible needs to have some way to hand out a session-token.
An AnsibleContentGuard that will protect a Distribution, requiring the user to use a session-token when fetching content.

pulpbot commented 2 years ago

From: alikins (alikins) Date: 2021-02-16T17:24:32Z

What would be doing the auth checks in this scenario?

Would satellite be issuing and authenticating the tokens (and passing requests onto pulp_ansible / galaxy_ng)?

AnsibleContentGuard implies pulp_ansible (content app?) would be enforcing authentication when fetching content. Would API use be different? Is the goal to require authentication for galaxy_ng / pulp_ansible API? And/or fetching content?

Are the auth tokens described here intended to be used across Satellite / galaxy_ng_pulp_ansible / tower API? ie, will the same auth token instance be used for all the API's (and content access)?

I like the idea of a AnsibleContentGuard that is tied to the session auth used by galaxy_ng/pulp_ansible.

pulpbot commented 2 years ago

From: alikins (alikins) Date: 2021-03-02T16:55:27Z

Note: "I can configure a token and auth_url" pretty much requires that auth_url points to a keycloak server

Or I guess, something that implements the same API...

pulpbot commented 2 years ago

From: alikins (alikins) Date: 2021-03-02T17:00:35Z

I'd also mention that auth_url is pretty much just a special case for handling RH SSO for cloud.redhat.com.

I don't think it needs to be or should be implemented for other cases (short of deployment scenarios that have keycloak servers with similar setup as sso.redhat.com).