lpmauthrepo — Restricted access LPMtool package repository
This is a basic implementation of a restricted access lpm package repository. Restricted package repositories are LPMtool package repositories that require a valid authorization key, issued by the repository's maintainer. An authorization key is required to download packages from the repository. Restricted repositories are described in greater detail in LPMtool's manual, Chapter 10, Creating restricted-access repositories.
lpmauthrepo is a Perl script that works together with the Apache HTTP server.
lpmauthrepo requires version 2 of Apache with the ext_filter_module plugin, and a reasonably modern version of Perl with a Digest::SHA1 module.
lpmauthrepo is not meant to be used with large repositories with thousands of valid authorization keys. It works best for small to medium-sized repositories. Large repositories with thousands of keys are better served with a dedicated database that holds all the authorization keys, and a custom package repository server.
lpmauthrepo is only an example of a simple, basic implementation of a restricted package repository.
The following configuration settings must be added to Apache's httpd.conf configuration file:
ExtFilterDefine lpm-auth-timestamp cmd="/usr/share/lpmtool/lpmauthrepo -timestamp"
RewriteEngine on
RewriteMap lpm-auth-validate prg:/usr/share/lpmtool/lpmauthrepo
<Directory /var/www/html/repositories>
    AllowOverride FileInfo
</Directory>
This example runs /usr/share/lpmtool/lpmauthrepo, which is the default location of this script. A non-standard version of LPMtool may use a different installation directory, and both references to this script, in this example, must be adjusted accordingly.
Also, this example assumes that restricted access repositories will be created in /var/www/html/repositories. Again, this is an adjustable location. Add additional <Directory> blocks, as necessary, if repositories are going to be scattered across multiple places.
Most Apache configurations also offer a separate configuration directory, /etc/httpd/conf.d. As an alternative, save the above example as a separate file, /etc/httpd/conf.d/lpmauthrepo.conf.
Some versions of Apache include the ext_filter_module plugin, but for some reason it does not get loaded by Apache's configuration file. This appears to be an accidental oversight in Fedora Linux. In this case, the following configuration setting must also be added, and it needs to appear before the “ExtFilterDefine” line:
LoadModule ext_filter_module modules/mod_ext_filter.so
/etc/lpmauthrepo configuration file
lpmauthrepo can handle multiple package repositories. All package repositories may use either the same set of authorization keys, or a separate set of authorization keys may exist for each individual repository.
Each individual package repository is associated with a single “realm”. A realm is just a list of valid authorization keys. A package repository can have only one defined “realm”. All individual package repositories may use the same realm, or each repository may have its own, separate realm. The same authorization key can be individually added to more than one realm, though.
lpmauthrepo reads the /etc/lpmauthrepo configuration file. This is the default location of this configuration file. A custom version of LPMtool may use a different location. lpmauthrepo is a simple Perl script, and the configuration file's name is set at the beginning of the script, where it is easy to find.
This configuration file contains one or more of the following lines:
auth realm filename
“realm” is the name of an authorization realm, and filename is the file that lists all valid authorization keys for this realm.
Example:
auth default /etc/lpmauthrepo.default
Each filename is a simple text file, with each line containing a single authorization key.
Example:
user100:kjafhJHGSgnbxc8e8er9wq03147ks
user101:mHJSjHkHSD87887hifdJDS87hjfdk
lpmauthrepo gets started, automatically, by Apache. lpmauthrepo reads all authorization keys at startup. Periodically, lpmauthrepo checks whether any configuration file's timestamp has changed. If so, lpmauthrepo rereads the configuration file, and updates its list of valid authorization keys accordingly. It can take up to two minutes for any changes to take effect.
The configuration files should not be edited in place. The new version of a configuration file should be saved separately, then renamed in place of the existing file. If the configuration file is rewritten from the beginning at the same time lpmauthrepo happens to check for updates, it's possible that lpmauthrepo may lose all authorization keys for up to two minutes.
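The save-then-rename update described above, as an added example that is not part of lpmauthrepo or LPMtool: shell functions that add or revoke a key in a realm file by writing a temporary file in the same directory and renaming it over the old one. The function names are hypothetical, and each key is assumed to be one opaque line.

```shell
#!/bin/sh
# Added example: update a realm key file by rename, never by editing in place.
# Function names are hypothetical; each key is treated as one opaque line.

# realm_install FILE: read the complete new key list on stdin and swap it in.
realm_install() {
    file=$1
    dir=$(dirname -- "$file")
    # The temporary file is in the same directory, so mv is a rename within one
    # filesystem: a reader gets the old list or the new one, never a partial file.
    tmp=$(mktemp "$dir/.lpmauth.XXXXXX") || return 1
    # Start from a copy so the new file keeps the old mode (and owner, as root).
    if [ -e "$file" ] && ! cp -p -- "$file" "$tmp"; then
        rm -f -- "$tmp"; return 1
    fi
    if cat > "$tmp" && mv -f -- "$tmp" "$file"; then
        return 0
    fi
    rm -f -- "$tmp"
    return 1
}

# realm_add_key FILE KEY: append KEY unless that exact line is already listed.
realm_add_key() {
    file=$1 key=$2
    case $key in
        '' | *'
'*) echo "key must be one non-empty line" >&2; return 2 ;;
    esac
    if [ -e "$file" ] && grep -Fxq -- "$key" "$file"; then
        return 0
    fi
    {
        # awk 1 re-emits each line newline-terminated, even an unterminated last one.
        if [ -e "$file" ]; then awk 1 < "$file"; fi
        printf '%s\n' "$key"
    } | realm_install "$file"
}

# realm_revoke_key FILE KEY: drop every line equal to KEY; status 1 if not listed.
realm_revoke_key() {
    file=$1 key=$2
    grep -Fxq -- "$key" "$file" || return 1
    grep -Fxv -- "$key" "$file" | realm_install "$file"
}
```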
Once lpmauthrepo is set up, use the setauthrepo(8) command to assign authorization realms to individual repositories.