Looking for help on Pulp authentication: keycloak, webserver

Problem:
Has anyone used pulp with keycloak authentication or web server or certificate authentication?
I use the pulp-all-in-one container. I followed the doc https://docs.pulpproject.org/pulpcore/authentication for testing.

For keycloak, the doc says: "After setup is completed go to: http://<pulp-hostname>:<port>/login/keycloak and the login flow will be presented."
But how could this be used or connected with the pulp login? http://ccosfip00353.in2p3.fr/auth/login/ ?

In webserver authentication, it mentions "accept any username for each request and by default create a user in the database backend for them". Does anyone have a detailed example to share?

I have to acknowledge that I don't know much about these authentication solutions.

I tested different variables as described in the doc:
REST_FRAMEWORK
INSTALLED_APPS
AUTHENTICATION_BACKENDS
TEMPLATES
SOCIAL_AUTH_PIPELINE
SOCIAL_AUTH_KEYCLOAK_xxx

with http or https. It is not very clear, and of course there are plenty of errors.

Any experience to share?

Thanks in advance

xm

It appears no one was able to provide support for this problem. Have you been successful in this matter?

Hello @lubosmj, some updates:

  • I use dynaconf to get the confs, then add the needed parts in settings.py as described in the doc.
  • My container is listening on both 80 and 443, so I added an additional parameter SOCIAL_AUTH_REDIRECT_IS_HTTPS = True.
  • http://<pulp-hostname>:<port>/login/keycloak works, I mean it creates the user account in Pulp. After that it redirects me to http://<pulp-hostname>:<port>/accounts/profile which says "The requested resource was not found on this server." This is normal since this page doesn't exist; it is not a big deal. Then I try https://<pulp-hostname>:<port>/pulp/api/v3/content/, and it shows I am correctly logged in as this user (who exists in keycloak) from the web interface.

The above can help me create users (which already exist in keycloak) automatically in pulp.

Then I created a group, added rpm.admin to this group, then added the created user to this group. From the web interface, this user can do rpm-related operations.

Now my question is: how can I make this user also able to run pulp-cli?
I tried pulp-cli, but the user password from the keycloak side is not working. The message is:
Error: {"detail":"Invalid username/password."}

So what should I do?