Task
Resolution: Done
ANSTRAT-741 - View-Only Private Hub
AAH Sprint 14, AAH Sprint 15, 4.5.0a Sprint 1, 4.5.0a Sprint 2
To force authentication on the pulp content app we will have to do the following:
- Create a new content guard type
- Write a migration to create an instance of the new content guard and assign it to all existing ansible repositories
- Ensure that the new content guard gets added to any new ansible repositories that get created
1. New Content guard
Create a new content guard in galaxy_ng that pulls the user's information from the request and runs it through the CollectionAccessPolicy (https://github.com/ansible/galaxy_ng/blob/master/galaxy_ng/app/access_control/access_policy.py#L68) to verify that the user can download the specified collection.
Here's an example of how to write a content guard: https://github.com/pulp/pulpcore/blob/master/pulpcore/app/models/publication.py#L337
This content guard functions very similarly to how our content guard should work. Namely it:
- Verifies that the user is logged in
- Instantiates a new view
- Checks the permissions on the view to verify that the user has permissions to perform the download
Our content guard should function very similarly to this, with the exception that it will instantiate CollectionArtifactDownloadView instead of RBACContentguardViewset. (I'm hoping this will work, but I'm not 100% sure it will. You might need to figure out how to load the collection artifact from the database and use setattr to override get_object on the view like the RBACContentGuard does.)
2. Instantiate the Content Guard
For content guards to work, you need to create an instance of one in the database and then attach it to any distribution that you want to protect. We'll need a migration that:
- Creates the new content guard
- Adds it to all existing ansible distributions
3. Ensure content guards on all new repositories
This can be done via a post create hook on the AnsibleDistribution model. An example of how to add a hook for this can be found here. The hook should pull the first instance of the new content guard from the database that it finds and apply it to the newly created distribution.
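The three steps above, modelled end to end as an added example (not galaxy_ng or pulpcore code). Every class and function here is a hypothetical stand-in, and the model assumes that a distribution with no guard attached is served without any check, which is why the migration and the post-create hook both matter:

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class Request:  # constructed stand-in for the content-app request
    path: str
    user: Optional[str] = None  # None means anonymous

class CollectionDownloadGuard:
    """Step 1: require a logged-in user, then defer to an access policy."""
    def __init__(self, policy: Callable[[str, str], bool]):
        self.policy = policy  # hypothetical stand-in for the access policy check
    def permit(self, request: Request) -> None:
        if request.user is None:
            raise PermissionError("authentication required")
        if not self.policy(request.user, request.path):
            raise PermissionError("download not permitted")

@dataclass
class Distribution:
    name: str
    content_guard: Optional[CollectionDownloadGuard] = None

class Registry:
    """Stand-in for the database rows holding guards and distributions."""
    def __init__(self):
        self.guards, self.distributions = [], []
    def backfill(self, guard):  # step 2: what the migration does
        self.guards.append(guard)
        for dist in self.distributions:
            dist.content_guard = guard
    def create_distribution(self, name, hook=True):
        dist = Distribution(name)
        if hook and self.guards:  # step 3: post-create hook, first guard found
            dist.content_guard = self.guards[0]
        self.distributions.append(dist)
        return dist

def serve(dist: Distribution, request: Request) -> int:
    """Model of the content app: no guard attached means no check at all."""
    if dist.content_guard is not None:
        try:
            dist.content_guard.permit(request)
        except PermissionError:
            return 403
    return 200

def unguarded(registry: Registry) -> list:
    """Audit check: distributions that would still serve anonymous requests."""
    return [d.name for d in registry.distributions if d.content_guard is None]
```

Running a check like `unguarded` after the migration and again in tests for the hook catches distributions that were created through a path that skipped it.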