Protect File repo with Basic / Token auth

Corentin_BAUDET · December 13, 2024, 10:18am

Current situation:
I want to distribute some static files and choose which user has access to them.

What I have achieved until now :

create a File repository, upload content and set up a distribution
protect that distribution using a x509 content-guard (following the documentation)

That works but I find it cumbersome to use certificates especially when the goal is to host Maven private dependencies like jar files.

Desired outcome:
I would like to know if it possible to protect a File distribution using Basic or Token authentication.

Pulpcore version:
3.68.1

Pulp plugins installed and their versions:
container : 2.22.0
maven : 0.8.1
certguard : 3.68.1
file : 3.68.1
[…]

Other relevant data:

Other things I have tried:

set up on the File distribution the same redirect content-guard that is (I guess automatically) configured for Container private distributions
→ returns 403 even when I provide admin credentials the same way I would do with default endpoints (/pulp/api/v3/distributions for ex.)
update the access-policy of the viewset “content/file/files” to add a condition to the [“list”,“retrieve”] actions seeing that there are none
→ doesn’t restrict access

gerrod · December 13, 2024, 4:11pm

We need to get on writing better documentation for our content guards. Ok off the top of my head we have 6 content-guards available in Pulp, lets go through each one and when you would use it.

X509 Certguard

This content-guard protects distributions using x509 certificates. It comes from the plugin pulp-certguard which by default is included with pulpcore. The quickstart guide is helpful for setting this up.

RHSM Certguard

This is the second content-guard included with pulp-certguard and it also protects distributions using x509 certificates, but these certificates need to be made using python-rhsm. python-rhsm hasn’t been updated in a couple years so maybe you shouldn’t use this one right now.

RBAC Contentguard

This contentguard protects distributions using the same authentication/authorization as the normal Pulp API. When a user goes to download content from a protected distribution with this guard, they are first authenticated using the same authentication classes the API uses. Then their permissions are checked against that RBAC Contenguard, default is to check to see if they have the core.download_rbaccontenguard permission. Our RBAC system is a bit complicated so I would recommend reading the pulp-file guide on RBAC, but here is the simple steps for setting up a RBAC Contentguard:

Creation
pulp content-guard rbac create --name rbac
Add permissions to users/groups
pulp content-guard rbac assign --name rbac --user alice --user bob --group file-buddies
Assign guard to distribution
pulp file distribution update --name foo --content-guard rbac

Header Contentguard

This contentguard protects distributions by specifying a specific header and value that must be present on the incoming request in order for it to be permitted. Now since by default we use reverse-proxies to route requests to the content app, this guard is only useful if you have a custom setup/r-proxy that does some preprocessing on the request and adds a specific header before it is passed to the content app.

Redirect Contentguard

This contentguard protects distributions through pre-signed urls, i.e. it checks that the request has the appropriate query parameters to give it access to the content. Now for the most part this contentguard is kind of useless in most scenarios because the only thing that can generate the pre-signed urls is Pulp and it only does so when the plugins support it. As far as I know only pulp-container has support for redirect contentguards, but my knowledge might be a bit outdated on that.

Composite Contentguard

This contentguard protects distributions, like the name implies, through a composite list of different contentguards. The behavior for this guard is to permit if any ANY of its guards allows access (OR permissions check). So if you wanted to use certs or rbac to protect your distribution this would be the guard to use.

Corentin_BAUDET · December 17, 2024, 12:59pm

That’s wonderful ! I was able to implement a RBAC Contentguard using a group allowed to download a File distribution.
Indeed by default the core.download_rbaccontenguard permission is set up for that group, and no further configuration was needed in my case.

Your explanations were perfect, that’s what I was missing.
Maybe a link to your answer in the documentation would be nice in the meantime ?

x9c4 · December 23, 2024, 11:12pm

Well, in fact, this type of content guard is not meant for user consumption (I think, you can not even create one via the api.). It is used by some plugins (to my knowledge container and ansible) to allow accessing content in the content app from a special api that lives in the api-worker.