Skip to content

Workload Identity#7850

Open
BaptisteCentreon wants to merge 8 commits into
pulp:mainfrom
BaptisteCentreon:oidc-authentication-core
Open

Workload Identity#7850
BaptisteCentreon wants to merge 8 commits into
pulp:mainfrom
BaptisteCentreon:oidc-authentication-core

Conversation

@BaptisteCentreon

Copy link
Copy Markdown

This MR, adds an optional way for a CI job to authenticate with a short lived OIDC token from a provider like GitHub Actions, instead of a stored password.

The token maps to roles and scopes for that request only, based on the WORKLOAD_IDENTITY setting. It is not active out of the box, existing deployments stay the same until the auth class is configured.

I have opened an issue that go in details into the changes in this MR : #7845

@BaptisteCentreon BaptisteCentreon changed the title OIDC authentication core Workload Identity Jul 8, 2026
@BaptisteCentreon BaptisteCentreon force-pushed the oidc-authentication-core branch from 0703cd2 to 88ecdfd Compare July 8, 2026 12:19
@ggainey

ggainey commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

ruff format needs to run clean before CI executes - could you do a quick format-pass and resubmit?

Comment thread docs/admin/guides/auth/workload_identity.md Outdated
Comment thread pulpcore/app/workload_identity/authentication.py Outdated

@mdellweg mdellweg left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm still not fully grasping this (well, it is a lot).
But I'm wondering why it does not tie into the Django authentication backend framework, specifically for functions like "permissions_for".

@BaptisteCentreon

BaptisteCentreon commented Jul 13, 2026

Copy link
Copy Markdown
Author

Hey @mdellweg,

First thanks for the review :)

To answer your question: two reasons.

The permissions come from the token and change every request, they aren't tied to a stored user. A Django backend only sees the user object, never the token, so it would just read them back off the object we already built. No real gain.

On top of that, this "user" isn't a real database user (it has no id). The default Django backend expects a real one and blows up when it tries to look things up for a user with no id. By answering the permission checks on the object itself, we sidestep that entirely.

I'm happy to wrap it in a backend if you'd rather keep it consistent with the rest, but it would really just call the same code and still lean on this object, so it wouldn't change much under the hood.

Comment thread pulpcore/app/workload_identity/principal.py Outdated
Comment thread pulpcore/app/access_policy.py Outdated
@BaptisteCentreon BaptisteCentreon force-pushed the oidc-authentication-core branch from 89386b9 to 35e29b2 Compare July 13, 2026 11:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants