Regarding #6 - My original thought on the auth proxy was to put Access Manager gateways in Nuremberg and put those sites behind it. It wouldn't provide any additional features over what we have today, but it would resolve the latency issue of keeping the auth proxy in Provo without any code changes on the sites.

As I thought about it more, I now suggest we use the LDAP auth proxy for www.opensuse.org and other sites moving to Nuremberg. The LDAP proxy already serves openSUSE sites in NBG and should be able to support the additional sites with only minor code changes on the sites.

As Lars pointed out, one issue is SSO with Bugzilla and other sites. I would like to see if the LDAP auth proxy can be extended to support either SAML or OpenID Connect, with Access Manager as the identity provider. This would enable SSO with both the new and existing Nuremberg sites. LDAP can be maintained as a fallback option in this case.

Thanks!
Matt

________________________________________
From: Lars Vogdt [Lars.Vogdt@suse.de]
Sent: Saturday, April 08, 2017 10:03 AM
To: heroes@opensuse.org
Cc: Matthew Ehle
Subject: Re: [heroes] Heroes meeting moved to 2017-04-09

On Sun, 02 Apr 2017 21:23:20 +0200, Christian Boltz <opensuse@cboltz.de> wrote:
> The Heroes meeting will be on 2017-04-09 18:00 UTC (= 20:00 Nuremberg time).
> See https://progress.opensuse.org/issues/17528 for topics.
I'm not sure if it will work out for me, as my wife has her birthday ... But I hope nobody needs to wait until the monthly meeting to start some discussions or bring up some topics, right? So here are mine:

1) News article about status.opensuse.org ?

To get some progress into the new "project" status.opensuse.org, I wrote a small news article on progress.o.o: https://progress.opensuse.org/news/34

My questions:
* should I put that on news.opensuse.org to get some more attention?
* is there anything missing in the article?
* is there anything missing on the status.o.o page?

Otherwise I would switch over from testing to production mode rather sooner than later (release often, release early...).

2) Using news on progress vs. articles on news.opensuse.org

While writing #1, I was thinking about the difference between the two "news systems". I would expect that we use the news on progress.o.o (which is linked on planet.o.o and therefore not invisible to our "customers") to inform ourselves about new admin stuff (like: "Hey, our Salt repo got a new formula for handling mysql servers" or "the new test system for service XX is online"), while we use news.o.o to inform our users about really cool new stuff (our big outages?), which go into (affect) production. Is my assumption correct?

3) Status report: openSUSE Cloud in Provo

Currently I'm waiting to get a routing setup done in Provo. After that, we can start with the first openSUSE service managed by the openSUSE heroes in Provo by providing a mirror server of download.o.o ! :-)

After that is in place, we should be able to host more services in Provo - but this depends on the available bandwidth, network ranges, storage space and legal constraints.

Other than that: the hardware is now in place and can be used, as the mirror server should prove. The setup is a bit different than originally planned: we run a virtualization cluster setup there now, as we run in Nuremberg already. So it might not be possible for the Heroes to get "bare metal access", but instead get root access to virtual machines running there on top of some hypervisor nodes. Currently it's open whether we need to build a private network there or connect the VMs via openVPN with the ones in Nuremberg. I would leave this open until we run the first VMs there in production and get an idea about the needs.

4) Status report: DNS of opensuse.org

The technical part is ready from our current point of view. We are currently waiting for MF-IT to switch over to our hidden master. The DNS will be managed by the freeIPA installation that Darix set up a few weeks ago. So this system - even if not tested ultimately - is now becoming an important core component of the openSUSE infrastructure!

5) Status report: Monitoring and status page

Thanks to the latest changes from cboltz, the status page should be nearly ready to go into production mode. (see note #1)

https://monitor.opensuse.org/ is also set up, and the authentication for the Icinga installation is already using the user credentials from our freeIPA host (where currently just darix, theo and myself have accounts - how should we handle this?). If I don't hear anything back, I would like to start migrating/adding openSUSE machines to this monitoring instance in the upcoming weeks. That might need some changes on currently running hosts (as the new instance uses a new IP address and new certificates) and some coordination with SUSE-IT (as I would also like to move the machines out of the internal monitoring to avoid duplicate checks) - so please do not expect very quick updates here.

6) Status update for www.opensuse.org / auth-provider for openSUSE

I had a very short discussion with Matthew in the last days, where we discussed the move of www.opensuse.org from Provo to Nuremberg. My explanation below is an attempt at a summary, but might contain some wrong parts (as I might have had a beer or two too much at the time...;-) - so please take it with a grain of salt and do not hesitate to add your fixes where I'm wrong.

The main concern about the move of www.opensuse.org at the moment is the fact that the auth-proxy for all openSUSE related services is also somehow behind that URL. So - if we move the DNS entry (point it to another IP) - we need to adapt the configuration of the auth-proxy as well, which - in the last try - turned out not to be that easy.

Matt now wants to investigate the problem - and his current idea is to use that move not only to reconfigure the auth-proxy but to switch over to a completely new auth-proxy software that has some more features... I'm not sure about the time frame for this new setup, but I would say it should be worth the delay of the move.

Another option might be to switch to an LDAP proxy, which is in place already in Nuremberg, for the openSUSE services. But this does not cover at least Bugzilla or the Features page. So a single sign on is not possible with this alternative solution. It also requires the adaptation of all involved services.

With kind regards,
Lars

--
To unsubscribe, e-mail: heroes+unsubscribe@opensuse.org
To contact the owner, e-mail: heroes+owner@opensuse.org