theforeman / puppet-pulpcore

Puppet module for setting up Pulp 3 as part of Katello installation
GNU General Public License v3.0

Fixes #37308 - set REMOTE_USER properly for pulpcore registry #337

Closed ianballou closed 5 months ago

ianballou commented 5 months ago

Changes the /pulpcore_registry/v2/ reverse proxy's REMOTE_USER designation so that it always matches the Pulp admin user. Since we use Pulp's remote authentication, the REMOTE_USER must always return 'admin' since that is the only user Katello ever interacts with in Pulp.

The goal is to have the location definition look like:

  <Location "/pulpcore_registry/v2/">
    RequestHeader unset REMOTE_USER
    RequestHeader set REMOTE_USER "admin" "expr=%{SSL_CLIENT_S_DN_CN} == 'centos8-katello-devel.example.com'"
    ProxyPass unix:///run/pulpcore-api.sock|http://pulpcore-api/v2/
    ProxyPassReverse unix:///run/pulpcore-api.sock|http://pulpcore-api/v2/
  </Location>

As currently defined, the REMOTE_USER does not get set and Pulp cannot authenticate requests to push container content to the registry.

To test, you could patch in my changes to a Katello production install and re-run the installer.
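
One way to check a rendered Apache config for the Location shape described in this PR, as an added example that is not part of the PR or the puppet-pulpcore module: it flags any Location block that sets REMOTE_USER without first unsetting the client-supplied header, or sets it without a condition on the client certificate CN. The function name `audit_remote_user` and the two failing samples are constructed for illustration.

```python
import re

# Matches each <Location "path"> ... </Location> block in an Apache config.
LOCATION_RE = re.compile(
    r'<Location\s+"?([^">]+)"?\s*>(.*?)</Location>', re.S | re.I)


def audit_remote_user(conf_text):
    """Return a list of (location, problem) for REMOTE_USER header handling."""
    findings = []
    for path, body in LOCATION_RE.findall(conf_text):
        unset_seen = False
        for raw in body.splitlines():
            words = raw.split(None, 3)
            if len(words) < 3 or words[0].lower() != "requestheader":
                continue
            action, header = words[1].lower(), words[2].upper()
            if header != "REMOTE_USER":
                continue
            if action == "unset":
                unset_seen = True
            elif action == "set":
                rest = words[3] if len(words) > 3 else ""
                if not unset_seen:
                    findings.append((path, "set without prior unset"))
                # Heuristic: the condition must mention the client cert CN.
                if "SSL_CLIENT_S_DN_CN" not in rest:
                    findings.append((path, "set not tied to client cert CN"))
    return findings


# GOOD is the Location block quoted in the PR description (one ProxyPass line kept).
GOOD = """
<Location "/pulpcore_registry/v2/">
  RequestHeader unset REMOTE_USER
  RequestHeader set REMOTE_USER "admin" "expr=%{SSL_CLIENT_S_DN_CN} == 'centos8-katello-devel.example.com'"
  ProxyPass unix:///run/pulpcore-api.sock|http://pulpcore-api/v2/
</Location>
"""
# Constructed failing variants.
NO_UNSET = GOOD.replace("  RequestHeader unset REMOTE_USER\n", "")
UNCONDITIONAL = """
<Location "/pulpcore_registry/v2/">
  RequestHeader unset REMOTE_USER
  RequestHeader set REMOTE_USER "admin"
</Location>
"""

if __name__ == "__main__":
    for name, conf in [("good", GOOD), ("no_unset", NO_UNSET), ("unconditional", UNCONDITIONAL)]:
        print(name, audit_remote_user(conf))
```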