A Github-based access backend for pypicloud.
Project description
pypicloud-access-github
This package provides a Github-based authentication backend for pypicloud.
The package binds the PyPICloud instance to a GitHub Organization, and uses GitHub users, teams, and permissions to provide authentication and access control.
Usage
Installation
You can install the package directly from pypi, alongside your pypicloud installation.
poetry add outcome-pypicloud-access-github
Or, if you want to use memcache for caching.
poetry add outcome-pypicloud-access-github[memcache]
Configuration
You need to configure PyPICloud to use the auth backend, in the server.ini:
pypi.auth = outcome.pypicloud_access_github.Poetry
auth.otc.github.organization = <INSERT YOUR ORGANIZATION NAME HERE>
auth.otc.github.token = <INSERT YOUR TOKEN HERE>
You can see a sample here.
Caching
Retrieving the authentication information from GitHub can be a relatively slow process, depending on the size of your organization. The plugin implements an internal TTL cache using dogpile.cache to avoid hitting GitHub on each request.
By default the cache backend is an in-memory cache, that is not shared across threads or processes. You can configure the cache to use a memcache instance that will be shared amongst threads/processes.
auth.otc.github.cache.backend = memory # Use the memory backend
auth.otc.github.cache.expiration = 300 # Expire the cache items after 300s
For memcache:
auth.otc.github.cache.backend = memcache # Use the memcache backend
auth.otc.github.cache.expiration = 300 # Expire the cache items after 300s
auth.otc.github.cache.memcache.url = 127.0.0.1:11211 # The server:port of your memcache instance
Options
The full list of configuration options:
| Option | Default | Description |
|---|---|---|
auth.otc.github.token |
None | The Github Token used to query Github for the auth information |
auth.otc.github.organization |
None | The Github Organization name to use as a directory |
auth.otc.github.repo_pattern |
.* |
A pattern that will be interpreted as a regular expression to filter repository names |
auth.otc.github.repo_include_list |
[] |
A list of repository names to include. Names not in the list will be excluded |
auth.otc.github.repo_exclude_list |
[] |
A list of repository names to exclude. Names in the list will be excluded |
auth.otc.github.cache.backend |
memory |
The cache backend to use, can be memory or memcache |
auth.otc.github.cache.expiration |
300 |
The TTL for each cache key |
auth.otc.github.cache.memcache.url |
127.0.0.1:11211 |
The url of the memcache server |
Github Token
You can create a Personal Access Token from your Developer Settings. The token must have repo, admin:org, and read:user permissions.
Publishing & Pulling Packages
You can use your standard tools to publish to the repository (see here for Poetry). The username will be the GitHub username of the user, and the token will be a Personal Access Token assigned to that user. The token only requires read:user scopes as it is only used to verify the identity of the user.
How GitHub concepts are mapped to PyPICloud
Authorization & Authentication
The GitHub ACL elements are mapped pretty intuitively onto PyPICloud ACL elements.
- Users login with their username and PAT (the backend ensures that the username matches the token)
- Permissions are defined by the GitHub roles applied either on the Team, Repository, or Organization levels
The permissions are mapped as follows:
| GitHub Role | PyPI Permissions |
|---|---|
admin |
read, write |
maintain |
read, write |
triage |
read |
read |
read |
write |
read, write |
Packages
The backend considers each repository to be a potential package (the backend isn't designed for monorepos). The backend will attempt to retrieve package information from the repository. Currently, the backend only supports Poetry packages, using pyproject.toml, but it is easy to support other file formats by creating a new subclass of the outcome.pypicloud_access_github.access.Access class (see poetry.py as an example.)
For example, the repository for this library contains a pyproject.toml with the following:
[tool.poetry]
name = "outcome-pypicloud-access-github"
version = "0.1.0"
description = "An Github-based access backend for pypicloud."
The backend will read this file and determine that the package is named outcome-pypicloud-access-github.
Development
Remember to run ./pre-commit.sh when you clone the repository.
Testing
The testing is mainly made up of integration tests, read the testing README for more details.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for outcome-pypicloud-access-github-1.2.9.tar.gz
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | ba41224c580b650e03a7ad4778cc9b680e8cfa3f0ea0444aa24c3b3840082e5c |
|
| MD5 | adca9a267c4723be4a3768594c2612e4 |
|
| BLAKE2b-256 | 620ce68ae4891d5cc9165e40dfddb08390bc24293f34839f132c0d5e76f607bd |
Hashes for outcome_pypicloud_access_github-1.2.9-py3-none-any.whl
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 024ac01e5aab5acd9b9477200453c71b662123716f21c6954734dffc87dbc77a |
|
| MD5 | d6ba5cf8f4bf0a2ad9bffc52b8e4fe1b |
|
| BLAKE2b-256 | 5a55add778c1f062bf77197fc4d6af2268c80b5fde441c912e009afc16535245 |
