Overview

By default, Pulp supports Basic and Session authentication. The Basic Authentication checks the username and password against the internal users database.

Note

This authentication is only for the REST API. Clients fetching binary data have their identity verified and authorization checked using a ContentGuard.

Which URLs Require Authentication?

All URLs in the REST API require authentication except the Status API, /pulp/api/v3/status/.

Concepts

Authentication in Pulp is provided by Django Rest Framework and Django together.

Django provides the AUTHENTICATION_BACKENDS which defines a set of behaviors to check usernames and passwords against. By default it is set to:

AUTHENTICATION_BACKENDS = [
    'django.contrib.auth.backends.ModelBackend',  # Django's users, groups, and permissions
    'pulpcore.backends.ObjectRolePermissionBackend'  # Pulp's RBAC object and model permissions
]

Django Rest Framework defines the source usernames and passwords come from with the DEFAULT_AUTHENTICATION_CLASSES setting. By default it is set to:

REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES': [
        'rest_framework.authentication.SessionAuthentication',  # Session Auth
        'rest_framework.authentication.BasicAuthentication'  # Basic Auth
    ]
}

Extend

Pulp is a Django app and Django Rest Framework (DRF) application, so additional authentication can be added as long as it's correctly configured for both Django and Django Rest Frameowork.

See the Django docs on configuring custom authentication and the Django Rest Framework docs on configuring custom authentication.