
As an ansible-galaxy CLI user, I can configure a token and auth_url and have pulp_ansible protect my content

Open pulpbot opened this issue 4 years ago • 3 comments

Author: @bmbouter (bmbouter)

Redmine Issue: 7118, https://pulp.plan.io/issues/7118


Background

The authentication capabilities of the ansible-galaxy CLI are described here: https://docs.ansible.com/ansible/latest/user_guide/collections_using.html#configuring-the-ansible-galaxy-client

There are two credentials:

  • auth_url: The URL to fetch the session token from
  • token: The long-lived credential that will give a user a session-token

Requirements

  • pulp_ansible needs to have some way to hand out a session-token.
  • An AnsibleContentGuard that will protect a Distribution, requiring the user to use a session-token when fetching content.

pulpbot, Nov 17 '21 19:11
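Added illustration, not code from the issue or from pulp_ansible itself: the two pieces the requirements ask for, a session-token issuer sitting behind auth_url and the content-guard check that a distribution would apply to each fetch. The HMAC-signed token format, the hashed token store and the 15-minute session lifetime are assumptions made for the sketch.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed values for the example; a deployment would keep the signing
# secret in settings and the token store in the database.
SERVER_SECRET = secrets.token_bytes(32)
DEMO_TOKEN = "example-long-lived-token"          # what the user puts in ansible.cfg
SESSION_TTL = 15 * 60                             # assumed session-token lifetime (seconds)

def _token_id(token: str) -> str:
    # Store only a hash of the long-lived credential, never the credential itself.
    return hashlib.sha256(token.encode()).hexdigest()

LONG_LIVED_TOKENS = {_token_id(DEMO_TOKEN): "alice"}   # token hash -> user

def _sign(body: str) -> str:
    return hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()

def issue_session_token(long_lived_token: str, now: Optional[float] = None) -> Optional[str]:
    """auth_url side: exchange a known long-lived token for a short-lived session token."""
    user = LONG_LIVED_TOKENS.get(_token_id(long_lived_token))
    if user is None:
        return None
    exp = int((now if now is not None else time.time()) + SESSION_TTL)
    body = base64.urlsafe_b64encode(json.dumps({"sub": user, "exp": exp}).encode()).decode()
    return f"{body}.{_sign(body)}"

def content_guard_permits(headers: dict, now: Optional[float] = None) -> bool:
    """AnsibleContentGuard side: allow the fetch only with a valid, unexpired session token."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or "." not in token:
        return False
    body, _, sig = token.rpartition(".")
    # Check the signature in constant time before trusting anything in the body.
    if not hmac.compare_digest(sig, _sign(body)):
        return False
    try:
        claims = json.loads(base64.urlsafe_b64decode(body))
    except ValueError:
        return False
    return claims.get("exp", 0) > (now if now is not None else time.time())
```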

From: alikins (alikins) Date: 2021-02-16T17:24:32Z


What would be doing the auth checks in this scenario?

Would satellite be issuing and authenticating the tokens (and passing requests onto pulp_ansible / galaxy_ng)?

AnsibleContentGuard implies pulp_ansible (content app?) would be enforcing authentication when fetching content. Would API use be different? Is the goal to require authentication for galaxy_ng / pulp_ansible API? And/or fetching content?

Are the auth tokens described here intended to be used across Satellite / galaxy_ng_pulp_ansible / tower API? i.e., will the same auth token instance be used for all the APIs (and content access)?

I like the idea of an AnsibleContentGuard that is tied to the session auth used by galaxy_ng/pulp_ansible.

pulpbot, Nov 17 '21 19:11

From: alikins (alikins) Date: 2021-03-02T16:55:27Z


Note: "I can configure a token and auth_url" pretty much requires that auth_url points to a Keycloak server

Or I guess, something that implements the same API...

pulpbot, Nov 17 '21 19:11

From: alikins (alikins) Date: 2021-03-02T17:00:35Z


I'd also mention that auth_url is pretty much just a special case for handling RH SSO for cloud.redhat.com.

I don't think it needs to be or should be implemented for other cases (short of deployment scenarios that have Keycloak servers with a similar setup to sso.redhat.com).

pulpbot, Nov 17 '21 19:11