
Protect Content

Pulp provides a way to protect content from being accessed by unauthorized users. This is done by associating a ContentGuard with a distribution.

When a ContentGuard is associated with a distribution, Pulp will check that the user has the correct permissions to access the content. If the setting HIDE_GUARDED_DISTRIBUTIONS is set to True, then distributions guarded by a ContentGuard will not be shown in the directory listing in the content app.

Available Content Guards

Pulp offers several content guard types to protect your distributions:

RBAC Content Guard

The RBAC (Role-Based Access Control) content guard protects distributions using Pulp's built-in authentication and authorization system. Users must authenticate using their Pulp credentials and have appropriate permissions to access protected content.

To set up an RBAC content guard:

  1. Create the content guard:

    pulp content-guard rbac create --name rbac
    
  2. Assign permissions to users and/or groups:

    pulp content-guard rbac assign --name rbac --user alice --user bob --group file-buddies
    
  3. Associate the content guard with a distribution:

    pulp file distribution update --name foo --content-guard rbac
    

By default, users/groups need the core.download_rbaccontentguard permission to access protected content.
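
A post-change check for the RBAC setup above, written in Python as an added example that is not part of the Pulp documentation: it requests a file from the guarded distribution as an anonymous client, as an assigned user and as an unassigned user, and reports every result that contradicts the guard. HTTP Basic as the credential transport, 401/403 as the denial statuses, the user carol, the URL and the passwords are assumptions or placeholders.

```python
import base64
import urllib.error
import urllib.request

# Assumption: the content app answers a refused request with 401 or 403.
DENIED = {401, 403}


def basic_auth(user, password):
    """Authorization header for HTTP Basic (assumed credential transport)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def http_probe(url, headers):
    """GET url with headers; return the status code, or None if unreachable."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:  # 4xx/5xx still carry a status
        return err.code
    except urllib.error.URLError:  # DNS failure, refused connection, TLS error
        return None


def audit_guard(url, allowed, denied, probe=http_probe):
    """Return findings; an empty list means the guard behaved as configured.

    allowed and denied map a label to the headers that identity sends.
    """
    cases = [("anonymous", {}, False)]
    cases += [(label, hdrs, True) for label, hdrs in allowed.items()]
    cases += [(label, hdrs, False) for label, hdrs in denied.items()]
    findings = []
    for label, hdrs, should_pass in cases:
        status = probe(url, hdrs)
        if should_pass and status != 200:
            findings.append(f"{label}: expected 200, got {status}")
        elif not should_pass and status not in DENIED:
            findings.append(f"{label}: expected denial, got {status}")
    return findings


if __name__ == "__main__":
    # Constructed placeholders: URL, passwords, and the unassigned user carol.
    url = "https://pulp.example.invalid/PATH/TO/foo/FILE"
    allowed = {"alice": basic_auth("alice", "ALICE_PASSWORD")}
    denied = {"carol": basic_auth("carol", "CAROL_PASSWORD")}
    for finding in audit_guard(url, allowed, denied):
        print("FAIL", finding)
```

The `probe` parameter lets the same check run against a stub in CI before it is pointed at a live content URL.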

X509 Certificate Guard

The X509 certificate guard (from pulp-certguard) protects distributions using x509 client certificates. Users must present a valid certificate to access protected content. Follow the pulp-certguard quickstart guide to configure this guard.

RHSM Certificate Guard

The RHSM certificate guard (from pulp-certguard) validates certificates created using python-rhsm.

Warning

This guard is currently not recommended as python-rhsm has not been updated recently.

Header Content Guard

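The header content guard checks for specific HTTP headers in incoming requests. This guard is primarily useful in custom setups where a reverse proxy adds authentication/authorization headers before forwarding requests to Pulp. Because the guard evaluates the header as received, the proxy must overwrite any copy of that header sent by the client, and the content app should be reachable only through the proxy.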

    # Create a header content guard that only accepts requests with the X-Pulp-User header set to alice
    pulp content-guard header create --name header --header-name X-Pulp-User --header-value alice

    # Use a JQ filter to extract the value to check against from the header
    pulp content-guard header create --name header --header-name X-Auth-Service --header-value true --jq-filter '.authenticated'

Composite Content Guard

The composite content guard combines multiple guards using OR logic - if any of the configured guards allows access, the request is permitted. This enables flexible authentication schemes, like allowing access via either certificates OR RBAC authentication.

    # Use different types of content guards, e.g. RBAC and X509
    pulp content-guard composite create --name composite --guard rbac --guard x509

Redirect Content Guard

The redirect content guard validates pre-signed URLs generated by Pulp. This guard is primarily used internally by certain plugins (like pulp-container) and is not intended for direct configuration by users.