[Yum-devel] Yumgate plugin and server

Robin Norwood rnorwood at redhat.com
Mon Nov 6 22:02:50 UTC 2006


Hi,

I've spent a few days working out a method for an authenticated yum
repository, along with a client plugin to authenticate against it.  I
have an initial version available at:

https://yumgate.108.redhat.com/

The idea is that I want to be able to prevent users from using a yum
repository unless they provide a magic token.  When a yumgate-enabled
repository is used, yumgate-client provides the registration token, and
'registers' the system against the server.  For subsequent requests, the
plugin provides a unique identifier and gets back a session token.  That
session token is inserted into the headers of the rest of the requests.

This may seem a little overcomplicated at first glance, but the idea is
to make the 'registration' and 'create session' tokens over https -
protecting the 'secret' tokens.  Normal yum requests can then go over
http for speed.

I picked straight mod_python and pgsql for the server side - this app
should be lightweight enough that one of the various frameworks would be
overkill.

Still a bunch to do to get it useful.  It isn't in an easily installable
or usable state right now, but it works once the server is set up and
the client is given the registration token.  I wanted to get it out
there for people to look over and give feedback regarding the idea and
the direction I'm taking.  I'll be working on cleaning it up, providing
an easy way to install it, and better error handling over the next few
days.

One technical question: I initially was looking to subclass
YumRepository, but I wasn't able to get it to work.  Is there a way to
do this?  Unfortunately I don't remember exactly the error I was
getting, but I was trying to look up a repository, and if it was a
'yumgate' repo, wrap it in my subclass and insert it back into the list
of repositories.

For now setting repo.http_headers does what I want, but I
haven't worked out how error handling will work (for instance, if the
session expires, the client should just try to generate a new session).

Thanks,

-RN

-- 
Robin Norwood
Red Hat, Inc.

"The Sage does nothing, yet nothing remains undone."
-Lao Tzu, Te Tao Ching
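
An added sketch of the flow described in this message, including the re-create-session-on-expiry case it leaves open; this is not yumgate's code. The class names, the `X-Session-Token` header name, the 300-second lifetime and the in-memory server standing in for the https and http endpoints are all assumptions.

```python
import hmac, secrets, time

REGISTRATION_TOKEN = "constructed-registration-token"  # constructed sample value

class GateServer:
    """Hypothetical in-memory stand-in for the server's https and http endpoints."""
    def __init__(self, registration_token, ttl=300, clock=time.time):
        self._reg, self._ttl, self._clock = registration_token, ttl, clock
        self._systems, self._sessions = set(), {}  # sessions: token -> expiry time

    def register(self, token):  # would travel over https
        if not hmac.compare_digest(token.encode(), self._reg.encode()):
            raise PermissionError("bad registration token")
        system_id = secrets.token_hex(16)  # the client's unique identifier
        self._systems.add(system_id)
        return system_id

    def create_session(self, system_id):  # would travel over https
        if system_id not in self._systems:
            raise PermissionError("unknown system")
        token = secrets.token_urlsafe(32)
        self._sessions[token] = self._clock() + self._ttl
        return token

    def fetch(self, path, headers):  # ordinary repository request, plain http
        expiry = self._sessions.get(headers.get("X-Session-Token", ""))
        if expiry is None or expiry < self._clock():
            return 401, b""  # missing, unknown or expired session
        return 200, b"contents of " + path.encode()

class GateClient:
    """Hypothetical client; http_headers mirrors the repo.http_headers idea."""
    def __init__(self, server, registration_token):
        self.server = server
        self.system_id = server.register(registration_token)
        self.http_headers = {}
        self.sessions_created = 0

    def _new_session(self):
        self.http_headers["X-Session-Token"] = self.server.create_session(self.system_id)
        self.sessions_created += 1

    def get(self, path):
        if not self.http_headers:
            self._new_session()
        status, body = self.server.fetch(path, self.http_headers)
        if status == 401:  # session expired: create one new session, retry once
            self._new_session()
            status, body = self.server.fetch(path, self.http_headers)
        return status, body
```

Since the session token is the only credential sent over plain http in this design, its lifetime bounds how long a token captured on the wire stays usable.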


