On Tue, Apr 28, 2020 at 6:41 AM Adrian Schröter <adrian@suse.de> wrote:
On Tuesday, 28 April 2020, 11:59:01 CEST, Neal Gompa wrote:
On Tue, Apr 28, 2020 at 1:48 AM Adrian Schröter <adrian@suse.de> wrote:
Hi Stasiek,
On Tuesday, 28 April 2020, 06:44:08 CEST, Stasiek Michalski wrote:
Hi,
So as you might be aware, on 18. May Micro Focus finally cuts us off from their infra, and that obviously also means new account system. SUSE is preparing something themselves, but from what has been relayed to us, it doesn't fulfill all of our requirements. So we need your help in some areas while we transition to our own solution.
yes, the SUSE engineering infra team is currently implementing the successor of that system...
We have deployed:
* FreeIPA, as a backend to all of the other systems internally
* Ipsilon, to provide us with SSO capabilities to FreeIPA accounts https://sso.opensuse.org
* Noggin, as a self-service portal, so people can register and modify their FreeIPA accounts https://accounts.opensuse.org (behind VPN for now, just so we don't get any random people signing up)
The solution already works, albeit without the previous accounts, which will be imported once we have received a cut-down dump of user data from SUSE.
Sorry, but we won't use these for OBS and bugzilla at least. This is because I do not really invest in syncing accounts also with our other systems (including also our internal build service).
We must guarantee full SUSE employee control for certifications there with listed names. So an external authentication system is out of the question there.
This doesn't make sense. Why does the _openSUSE Build Service_ need this?
* openSUSE Build Service is also used to maintain secrets sources (read non-public security fixes).
* sources are synced between instances and we need to apply the same permission and trust rules on users.
* And at least short term: we can only use the login proxies as authentication mechanism. So any OpenID or alike is not possible atm
sorry, but we talk about a time frame of a few days atm. There is for sure no practical way to change this setup atm.
So, one way to deal with this would be to have a layer for just the OBS that merges the two identities into one for your purpose, keying off the email address. Since a proxy based auth is mandatory for OBS, a shim layer would be required for virtually any solution anybody moves to (since proxy auth isn't supported by most systems anyway), so we can put intelligence there to support auth from either system.
My understanding is that the SUSE _Internal Build Service_ requires this and that's why it authenticates with the SUSE internal system and why nobody outside can look at it. That is also the justification given for having _two_ Build Service instances and why SUSE Linux Enterprise (as in, the product!) cannot be built in the _openSUSE Build Service_.
We are already working on a solution for Bugzilla, this was accounted for when we decided to do this.
However, to get there, we need your help with getting all of the usernames of the users that ever logged into any and all openSUSE services. This dump will be sent to SUSE and based on it we will receive the final dump which we will import into this system.
It seems this is the same work as the eng-infra team (Daniel and Bernhard) is doing atm...
sorry, it seems we do some duplicate work atm, we should have coordinated this better before
Unfortunately, a split was going to be required no matter what, especially if openSUSE was going to become its own legal entity (w.r.t. the Foundation). It would be insane to not be able to be responsible for our own accounts data.
okay, but this is a very large and long term task. Nothing what can be done in next days.
Every long journey begins with a single step. The disaggregation of the accounts systems is the first one, and it's very easy to do.
--
真実はいつも一つ!/ Always, there's only one truth!
--
To unsubscribe, e-mail: heroes+unsubscribe@opensuse.org
To contact the owner, e-mail: heroes+owner@opensuse.org
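The merge-shim idea raised in the thread (an OBS-only layer behind the mandatory login proxy that maps a user authenticated by either identity system onto one OBS login, keyed off the e-mail address), written out as an added example that is not code from the thread, from OBS or from any of the systems named above. The `UpstreamIdentity` type, the `OBS_ACCOUNTS` directory and the forwarded header names are constructed for illustration; the interesting part is the cases in which e-mail keying must refuse to map.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class UpstreamIdentity:
    source: str           # "suse" or "opensuse": which IdP authenticated the user
    username: str         # login at that IdP
    email: str            # e-mail address as asserted by that IdP
    email_verified: bool  # whether that IdP actually verified the address


# Constructed sample directory: OBS login -> e-mail plus the IdPs allowed to
# assert it. In a real deployment this would come from the OBS user table.
OBS_ACCOUNTS = {
    "alice": {"email": "alice@example.org", "sources": {"suse", "opensuse"}},
    "bob":   {"email": "bob@example.org",   "sources": {"opensuse"}},
    "carol": {"email": "shared@example.org", "sources": {"suse"}},
    "dave":  {"email": "shared@example.org", "sources": {"opensuse"}},
}


def resolve_obs_login(ident, directory=OBS_ACCOUNTS):
    """Return (obs_login, None) on success or (None, reason) when the mapping
    must not be trusted. Only verified, unique, source-permitted e-mails map."""
    if not ident.email_verified:
        return None, "unverified e-mail: upstream must prove address ownership"
    email = ident.email.strip().lower()  # addresses compare case-insensitively
    matches = [login for login, rec in directory.items()
               if rec["email"].lower() == email]
    if not matches:
        return None, "no OBS account for this e-mail"
    if len(matches) > 1:
        # Two OBS logins share one address: merging would let whichever IdP
        # asserts that address pick either account, so require manual review.
        return None, "ambiguous e-mail: multiple OBS accounts"
    login = matches[0]
    if ident.source not in directory[login]["sources"]:
        return None, f"IdP {ident.source!r} not permitted for {login!r}"
    return login, None


def proxy_headers(ident, directory=OBS_ACCOUNTS):
    """Headers the login proxy would forward to OBS for a resolved user.
    The header names are an assumption for this example, not OBS's own."""
    login, _reason = resolve_obs_login(ident, directory)
    if login is None:
        return None  # caller answers with a 401/403 instead of forwarding
    return {"X-Username": login, "X-Email": directory[login]["email"]}
```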