
Hi,

First of all let me say sorry for the bad communication on this topic. The project is running with people from several teams inside SUSE and the schedule was moved repeatedly. So this led to this situation where things got lost, forgotten, delayed ...

I hope that this does not hinder us from working on a solution that we are all fine with and that suits all our needs, requirements and wishes.

On Wednesday, April 29, 2020 11:26:18 AM CEST Adrian Schröter wrote:
For the board, we do discuss the successor of the existing identity management system used for SUSE and openSUSE services. The system hosted by MF-IT will be shut down next month and SUSE will move their data to a system currently being built up by the eng-infra team. Independent of that, Stasiek has built up an alternative solution inside the openSUSE-heroes network.
Let me step back and describe what we are working on right now.

Until now Microfocus provides us with an authentication system for the 'so-called' Bugzilla-Logins. As they are used for way more than just Bugzilla I like to refer to these accounts as "Community-Accounts". Part of this community are developers (external as well as SUSE employees), non-developer employees and SUSE business partners. All of them get access and permissions to certain resources of the services we provide.

As SUSE will now become fully independent of Microfocus, we will replace this authentication system. Legally this is just a change of 'where' our data is processed. MF just processed it under a contract so far. With the upcoming migration, we will keep this data in our Nuremberg datacenter. The service will even be certified under Common Criteria.

So with this change, the dependency on MF is removed. The only entity that this login then depends on is SUSE. So this is the same dependency as for Bugzilla, OBS and some tools that business partners have access to. Personally I see this as a positive step to reduce the dependencies. Soon SUSE will be in full control and the only go-to entity for change requests from the openSUSE community.

The migration will start soon for employees. For external users it will be around May 11th. The communication for this is currently being written (I am just reviewing the first drafts right now).

That being said I want to stress that I do not want to prohibit any discussion concerning a separation. This is an interesting topic but it needs to involve way more people (openSUSE board, SUSE Legal, Common Criteria, Build Service Admins, Bugzilla Admins, Partner Managers, ...) than we have on the current list. Such a separation will affect many places, services and workflows. Maybe even new setups or infrastructure changes.
Given the current timeline that we have to become independent of Microfocus I am asking all of you to postpone this discussion to at least after May 18th - maybe even to June. Currently we just don't have the time or resources for such a discussion, not even for any technical changes.

On the other hand - nothing we are doing right now should prevent a separation in the future. I don't see any 'technical' reason why this should not be possible (if all other parties, see above, are ok with this).

On Tuesday, 28 April 2020, 06:44:08 CEST, Stasiek Michalski wrote:
So as you might be aware, on 18 May Micro Focus finally cuts us off from their infra, and that obviously also means a new account system. SUSE is preparing something themselves, but from what has been relayed to us, it doesn't fulfill all of our requirements.
What requirements are missing from your point of view?

Some more background to this: The setup we are deploying right now consists of a fleet of servers running the Univention Corporate Server. This is an entirely open source solution running on Debian (right now). Univention signaled interest to work with us on also running their product on SLES (maybe even Leap or Tumbleweed). So we will work with them to run it on our own products. If you want to help with this process you can start right now because all their code is open source and public and you can run a UCS server free of charge for yourself.

https://github.com/univention

Coming back to the missing requirements: If you see any requirement that is missing I bet you a beer that Univention will happily accept pull requests or any kind of collaboration with the community to add features. Univention even implemented features for us into the core product that we needed for the deployment. These features are now available to all UCS users. So with this SUSE made use of its own business model when investing in this development.

I heard rumors that the missing feature might be "openid" and UCS only provides "openid connect". Yes, that's true. In our original schedule we would have had more time to address such issues. Right now I asked Bernhard Wiedemann (CCed) to look into this topic. He is planning to provide openid with UCS in the backend. I think he will even accept helping hands. This solution might just be a quick workaround for some time, yes. But I hope that we can find a volunteer that will look into packaging a solid solution that can be installed via the UCS app store natively. Then we will happily switch to this solution.

Let me quickly recap:

1. I am not against any future separation. I will happily take part in such discussions and even help from the technical side.
2. The current schedule just does not allow any separation work or discussion right now. The deadline with Microfocus is fixed and we have very little time left.
3. Please postpone related discussions to June - then we will have more time for this.
4. Help is welcome to offer the missing features - if you can name them.
Furthermore it is my private opinion that we should not confuse openSUSE users by the launch of two independent account systems at the same time.
Just bear in mind what it will look like for a customer from mid May on:

- Customer will have an Okta account to manage his subscriptions.
- If he wants to also contribute to Bugzilla or OBS he needs a UCS account.
- If we do the separation in the future and this user wants to also contribute to openSUSE forums, he also needs an openSUSE account.

Ciao,
Daniel

--
J. Daniel Schmidt <jdsn@suse.com> | Engineering Infrastructure
SUSE Linux GmbH, Maxfeldstr. 5, D-90409 Nürnberg
GF: Felix Imendörffer, Mary Higgins, Sri Rasiah, HRB 21284 (AG Nürnberg)