As a user I have path checking features for the X.509 certguard #138
Comments
From: @bmbouter (bmbouter) revising with details about how users can configure that path checking is required
From: @bmbouter (bmbouter) We should add this to the sprint.
From: @bmbouter (bmbouter) These weren't added to Sprint 54, but they were OK'd at sprint planning.
From: @RCMariko (rchan) Not moving forward to next Sprint to make room for highest priority Katello blockers.
From: dustball (dustball) I'm interested in this feature as well, we're serving a large amount of customers with all different kinds of systems. We want to offer our customers staging for licensed products via a central pulpserver as well and individually allow or deny access to those repositories.
Author: @bmbouter (bmbouter)
Redmine Issue: 4666, https://pulp.plan.io/issues/4666
Motivation
It would be very useful for paths to be put into the x.509 extended attributes to see if this client is authorized to access this specific distribution's content. This way whoever is generating the certs (and their expiration dates) determines the access.
Solution
The existing X.509 certguard could automatically be updated to check this correctly. We also need docs with how the openssl tooling can easily make these kinds of certs.
How will we ensure path checking is required?
A boolean will be added to the X.509 certguard called path_check_required which will default to False. If True, the certificate check must contain a matching path for the content requested.
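One way the decision described in this issue could be evaluated, as an added example that is not Pulp's own code. It assumes the authorized paths have already been read out of the client certificate, that matching is by whole path segment, and that the request path is already URL-decoded; apart from path_check_required, every name here is hypothetical.

```python
import posixpath

# Constructed sample: paths as they might appear in a client certificate.
CERT_PATHS = ["/content/dist/rhel/8/", "content/tools"]


def normalize(path):
    """Collapse '.', '..' and repeated slashes; return the path as segments."""
    cleaned = posixpath.normpath("/" + path.strip())
    return tuple(seg for seg in cleaned.split("/") if seg)


def path_authorized(cert_paths, requested_path):
    """True if a certificate path is a whole-segment prefix of the request.

    Comparing segments rather than raw strings keeps '/content/dist/rhel/8'
    from also authorizing '/content/dist/rhel/80'. Normalizing first keeps
    '..' in the request from stepping outside an authorized path.
    """
    requested = normalize(requested_path)
    for entry in cert_paths:
        allowed = normalize(entry)
        # An empty or root-only entry authorizes nothing (assumed policy).
        if allowed and requested[:len(allowed)] == allowed:
            return True
    return False


def certguard_permits(cert_valid, cert_paths, requested_path,
                      path_check_required=False):
    """Decide access; cert_valid stands in for the existing X.509 checks."""
    if not cert_valid:
        return False
    if not path_check_required:
        return True  # default behaviour: a valid certificate is enough
    return path_authorized(cert_paths, requested_path)


if __name__ == "__main__":
    for req in ("/content/dist/rhel/8/os/repodata/repomd.xml",
                "/content/dist/rhel/80/os",
                "/content/dist/rhel/8/../9/os"):
        print(req, certguard_permits(True, CERT_PATHS, req, True))
```
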