[Yum-devel] Yumgate plugin and server

seth vidal skvidal at linux.duke.edu
Tue Nov 7 18:27:43 UTC 2006


On Mon, 2006-11-06 at 17:02 -0500, Robin Norwood wrote:
> Hi,
> 
> I've spent a few days working out a method for an authenticated yum
> repository, along with a client plugin to authenticate against it.  I
> have an initial version available at:
> 
> https://yumgate.108.redhat.com/
> 
> The idea is that I want to be able to prevent users from using a yum
> repository unless they provide a magic token.  When a yumgate-enabled
> repository is used, yumgate-client provides the registration token, and
> 'registers' the system against the server.  For subsequent requests, the
> plugin provides a unique identifier and gets back a session token.  That
> session token is inserted into the headers of the rest of the requests.
> 
> This may seem a little overcomplicated at first glance, but the idea is
> to make the 'registration' and 'create session' tokens over https -
> protecting the 'secret' tokens.  Normal yum requests can then go over
> http for speed.
> 
> I picked straight mod_python and pgsql for the server side - this app
> should be lightweight enough that one of the various frameworks would be
> overkill.
> 
> Still a bunch to do to get it useful.  It isn't in an easily installable
> or usable state right now, but it works once the server is set up and
> the client is given the registration token.  I wanted to get it out
> there for people to look over and give feedback regarding the idea and
> the direction I'm taking.  I'll be working on cleaning it up, providing
> an easy way to install it, and better error handling over the next few
> days.
> 
> One technical question: I initially was looking to subclass
> YumRepository, but I wasn't able to get it to work.  Is there a way to
> do this?  Unfortunately I don't remember exactly the error I was
> getting, but I was trying to look up a repository, and if it was a
> 'yumgate' repo, wrap it in my subclass and insert it back into the list
> of repositories.

If you can come up with the errors, we should be able to help on this.

> 
> For now setting repo.http_headers does what I want, but I
> haven't worked out how error handling will work (for instance, if the
> session expires, the client should just try to generate a new session).
> 

Robin,
this looks pretty cool. Have you considered, in order to keep the
infrastructure needed to a minimum, setting up this server using
Python's built-in HTTP server? Then a potential user setting up yum-gate
wouldn't necessarily need the mod_python+apache piece to have this
functioning.

Does that make any sense?


-sv
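
The exchange described in the quoted proposal (registration token, then a per-system identifier traded for a session token that rides in the request headers, with the client renewing an expired session and retrying) modelled in-process as an added example. It is not Yumgate's code and not part of the original message; the header name, session lifetime, token values and class names are assumptions.

```python
import hmac, secrets, time

REGISTRATION_TOKEN = "constructed-registration-token"  # constructed sample value
SESSION_TTL = 300                 # seconds; assumed session lifetime
HEADER = "X-Yumgate-Session"      # hypothetical header name

class GateServer:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.systems = set()      # registered system identifiers
        self.sessions = {}        # session token -> (system id, expiry time)

    def register(self, token):
        """HTTPS side: trade the registration token for a system identifier."""
        if not hmac.compare_digest(token.encode(), REGISTRATION_TOKEN.encode()):
            raise PermissionError("bad registration token")
        system_id = secrets.token_hex(16)
        self.systems.add(system_id)
        return system_id

    def create_session(self, system_id):
        """HTTPS side: trade the system identifier for a short-lived session."""
        if system_id not in self.systems:
            raise PermissionError("unknown system")
        session = secrets.token_urlsafe(32)
        self.sessions[session] = (system_id, self.clock() + SESSION_TTL)
        return session

    def fetch(self, path, headers):
        """Plain-HTTP side: serve a repo file only for a live session token."""
        token = headers.get(HEADER, "")
        entry = self.sessions.get(token)
        if entry is None or entry[1] <= self.clock():
            self.sessions.pop(token, None)   # forget expired tokens
            return 401, b""
        return 200, b"contents of " + path.encode()

class GateClient:
    def __init__(self, server, system_id):
        self.server, self.system_id = server, system_id
        self.http_headers = {}    # stands in for repo.http_headers

    def get(self, path):
        status, body = self.server.fetch(path, self.http_headers)
        if status == 401:         # missing or expired session: renew once, retry
            self.http_headers[HEADER] = self.server.create_session(self.system_id)
            status, body = self.server.fetch(path, self.http_headers)
        if status != 200:
            raise PermissionError("repository refused the request")
        return body
```

Because the session token travels over plain HTTP, its lifetime bounds how long a captured token stays usable; the registration token and system identifier only ever cross the HTTPS endpoints.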




