Overview¶
By default, Pulp supports Basic and Session authentication. The Basic Authentication checks the username and password against the internal users database.
Note
This authentication is only for the REST API. Clients fetching binary data have their identity
verified and authorization checked using a ContentGuard
.
Which URLs Require Authentication?¶
All URLs in the REST API require authentication except the Status API, /pulp/api/v3/status/
.
Concepts¶
Authentication in Pulp is provided by Django Rest Framework and Django together.
Django provides the AUTHENTICATION_BACKENDS which defines a set of behaviors to check usernames and passwords against. By default it is set to:
AUTHENTICATION_BACKENDS = [
'django.contrib.auth.backends.ModelBackend', # Django's users, groups, and permissions
'pulpcore.backends.ObjectRolePermissionBackend' # Pulp's RBAC object and model permissions
]
Django Rest Framework defines the source usernames and passwords come from with the DEFAULT_AUTHENTICATION_CLASSES setting. By default it is set to:
REST_FRAMEWORK = {
'DEFAULT_AUTHENTICATION_CLASSES': [
'rest_framework.authentication.SessionAuthentication', # Session Auth
'rest_framework.authentication.BasicAuthentication' # Basic Auth
]
}
Extend¶
Pulp is a Django app and Django Rest Framework (DRF) application, so additional authentication can be added as long as it's correctly configured for both Django and Django Rest Frameowork.
See the Django docs on configuring custom authentication and the Django Rest Framework docs on configuring custom authentication.