[Yum-devel] Yumgate plugin and server
seth vidal
skvidal at linux.duke.edu
Tue Nov 7 18:27:43 UTC 2006
On Mon, 2006-11-06 at 17:02 -0500, Robin Norwood wrote:
> Hi,
>
> I've spent a few days working out a method for an authenticated yum
> repository, along with a client plugin to authenticate against it. I
> have an initial version available at:
>
> https://yumgate.108.redhat.com/
>
> The idea is that I want to be able to prevent users from using a yum
> repository unless they provide a magic token. When a yumgate-enabled
> repository is used, yumgate-client provides the registration token, and
> 'registers' the system against the server. For subsequent requests, the
> plugin provides a unique identifier and gets back a session token. That
> session token is inserted into the headers of the rest of the requests.
>
> This may seem a little overcomplicated at first glance, but the idea is
> to make the 'registration' and 'create session' tokens over https -
> protecting the 'secret' tokens. Normal yum requests can then go over
> http for speed.
>
> I picked straight mod_python and pgsql for the server side - this app
> should be lightweight enough that one of the various frameworks would be
> overkill.
>
> Still a bunch to do to get it useful. It isn't in an easily installable
> or usable state right now, but it works once the server is set up and
> the client is given the registration token. I wanted to get it out
> there for people to look over and give feedback regarding the idea and
> the direction I'm taking. I'll be working on cleaning it up, providing
> an easy way to install it, and better error handling over the next few
> days.
>
> One technical question: I initially was looking to subclass
> YumRepository, but I wasn't able to get it to work. Is there a way to
> do this? Unfortunately I don't remember exactly the error I was
> getting, but I was trying to look up a repository, and if it was a
> 'yumgate' repo, wrap it in my subclass and insert it back into the list
> of repositories.

If you can come up with the errors, we should be able to help on this.

>
> For now setting repo.http_headers does what I want, but I
> haven't worked out how error handling will work (for instance, if the
> session expires, the client should just try to generate a new session).
>
Robin,
This looks pretty cool. Have you considered, in order to keep the
infrastructure needed to a minimum, setting up this server using
python's built-in http server? Then a potential user setting up yum-gate
wouldn't necessarily need the mod_python+apache piece to have this
functioning.
Does that make any sense?
-sv
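
The register / create-session / header-check flow described in the quoted message, placed on Python's built-in HTTP server as the reply suggests. This is an added example, not yumgate's code: the `Gate` class, the `X-Yumgate-Session` header name, the TTL and the token values are assumptions, and the in-memory state stands in for the pgsql store.

```python
import hmac, secrets, time
from http.server import BaseHTTPRequestHandler, HTTPServer

REG_TOKEN = "constructed-registration-token"  # constructed sample secret
SESSION_TTL = 300                             # seconds; assumed value

class Gate:
    """In-memory stand-in for the server-side state (hypothetical helper)."""
    def __init__(self, reg_token, ttl=SESSION_TTL, clock=time.time):
        self.reg_token, self.ttl, self.clock = reg_token, ttl, clock
        self.systems = set()   # unique identifiers issued at registration
        self.sessions = {}     # session token -> expiry timestamp

    def register(self, token):
        # Constant-time compare so the check does not leak the token by timing.
        if not hmac.compare_digest((token or "").encode(), self.reg_token.encode()):
            return None
        system_id = secrets.token_urlsafe(16)
        self.systems.add(system_id)
        return system_id

    def create_session(self, system_id):
        if system_id not in self.systems:
            return None
        session = secrets.token_urlsafe(32)
        self.sessions[session] = self.clock() + self.ttl
        return session

    def check(self, session):
        expiry = self.sessions.get(session or "")
        if expiry is None:
            return False
        if self.clock() >= expiry:
            del self.sessions[session]  # expired: client must request a new session
            return False
        return True

GATE = Gate(REG_TOKEN)

class RepoHandler(BaseHTTPRequestHandler):
    """Plain-HTTP side: answer repository requests only for live sessions."""
    def do_GET(self):
        ok = GATE.check(self.headers.get("X-Yumgate-Session"))  # header name assumed
        self.send_response(200 if ok else 401)
        self.end_headers()
        self.wfile.write(b"repodata placeholder\n" if ok else b"session required\n")

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), RepoHandler).serve_forever()
```

`register` and `create_session` would be exposed only over HTTPS. The session token itself crosses plain HTTP, so its short lifetime is what limits the value of a captured one, and a 401 is the client's cue to create a new session.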