[heroes] openSUSE Accounts system
Hi,

So as you might be aware, on 18 May Micro Focus finally cuts us off from their infra, and that obviously also means a new account system. SUSE is preparing something themselves, but from what has been relayed to us, it doesn't fulfill all of our requirements. So we need your help in some areas while we transition to our own solution.

We have deployed:
* FreeIPA, as a backend to all of the other systems internally
* Ipsilon, to provide us with SSO capabilities to FreeIPA accounts: https://sso.opensuse.org
* Noggin, as a self-service portal, so people can register and modify their FreeIPA accounts: https://accounts.opensuse.org (behind VPN for now, just so we don't get any random people signing up)

The solution already works, albeit without the previous accounts, which will be imported once we have received a cut-down dump of user data from SUSE. However to get there, we need your help with getting all of the usernames of the users that ever logged into any and all openSUSE services. This dump will be sent to SUSE and based on it we will receive the final dump which we will import into this system. When all of the data is imported, we will send out password recovery emails to all of the email addresses provided in the dump.

From the implementation perspective in the applications themselves, there are mod_auth_mellon and mod_auth_openidc for the applications that do not support SAML, OpenID or OpenID Connect themselves. We do recommend using those technologies over mod_auth methods, but we are also aware this is not always possible. For requesting the metadata required to set up those methods, please email admin@opensuse.org and we will get it to you as quickly as possible. Also email us in case of any other issues; we will try our best to help you out as quickly as possible.

We do welcome creating accounts and testing with the deployment, but keep in mind all of the data there will be destroyed.
Depending on how ready we will be over the next few weeks, we will switch when it will be convenient for all of us, but remember we are actually not able to continue using Micro Focus' system after 18 May. That's a hard, unmovable DEADline.

We have a nice new shining setup of forums that already is using the system, and this will become the new forums, until we can figure out a sane migration path to Discourse. Forums will have to be transferred way earlier, and kept offline, since the Provo migration is happening alongside SUSE's switch to their new system and forums on 4 May. This does mean that depending on the speed at which we can implement solutions, Forums might be offline for 2 weeks, which is unfortunate.

So, let us know what is most comfortable for you, and don't be afraid to ask for any help, and we hope to get this show on the road before it's too late.

LCP [Stasiek]
https://lcp.world

-- 
To unsubscribe, e-mail: heroes+unsubscribe@opensuse.org
To contact the owner, e-mail: heroes+owner@opensuse.org
Hi Stasiek,

On Tuesday, 28 April 2020, 06:44:08 CEST, Stasiek Michalski wrote:
> Hi,
>
> So as you might be aware, on 18 May Micro Focus finally cuts us off from their infra, and that obviously also means a new account system. SUSE is preparing something themselves, but from what has been relayed to us, it doesn't fulfill all of our requirements. So we need your help in some areas while we transition to our own solution.

yes, the SUSE engineering infra team is currently working on implementing the successor of that system...

> We have deployed:
> * FreeIPA, as a backend to all of the other systems internally
> * Ipsilon, to provide us with SSO capabilities to FreeIPA accounts: https://sso.opensuse.org
> * Noggin, as a self-service portal, so people can register and modify their FreeIPA accounts: https://accounts.opensuse.org (behind VPN for now, just so we don't get any random people signing up)
>
> The solution already works, albeit without the previous accounts, which will be imported once we have received a cut-down dump of user data from SUSE.

Sorry, but we won't use these for OBS and Bugzilla at least. This is because I do not really invest in syncing accounts also with our other systems (including also our internal build service). We must guarantee full SUSE employee control for certifications there with listed names. So an external authentication system is out of the question there.

> However to get there, we need your help with getting all of the usernames of the users that ever logged into any and all openSUSE services. This dump will be sent to SUSE and based on it we will receive the final dump which we will import into this system.

It seems this is the same work as the eng-infra team (Daniel and Bernhard) is doing atm... sorry, it seems we do some duplicate work atm, we should have coordinated this better before. Sorry for that.

adrian

-- 
Adrian Schroeter
email: adrian@suse.de
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
Maxfeldstraße 5
90409 Nürnberg
Germany
On Tue, Apr 28, 2020 at 1:48 AM Adrian Schröter <adrian@suse.de> wrote:
> Hi Stasiek,
>
> On Tuesday, 28 April 2020, 06:44:08 CEST, Stasiek Michalski wrote:
>> Hi,
>>
>> So as you might be aware, on 18 May Micro Focus finally cuts us off from their infra, and that obviously also means a new account system. SUSE is preparing something themselves, but from what has been relayed to us, it doesn't fulfill all of our requirements. So we need your help in some areas while we transition to our own solution.
>
> yes, the SUSE engineering infra team is currently working on implementing the successor of that system...
>
>> We have deployed:
>> * FreeIPA, as a backend to all of the other systems internally
>> * Ipsilon, to provide us with SSO capabilities to FreeIPA accounts: https://sso.opensuse.org
>> * Noggin, as a self-service portal, so people can register and modify their FreeIPA accounts: https://accounts.opensuse.org (behind VPN for now, just so we don't get any random people signing up)
>>
>> The solution already works, albeit without the previous accounts, which will be imported once we have received a cut-down dump of user data from SUSE.
>
> Sorry, but we won't use these for OBS and Bugzilla at least. This is because I do not really invest in syncing accounts also with our other systems (including also our internal build service).
>
> We must guarantee full SUSE employee control for certifications there with listed names. So an external authentication system is out of the question there.

This doesn't make sense. Why does the _openSUSE Build Service_ need this?

My understanding is that the SUSE _Internal Build Service_ requires this and that's why it authenticates with the SUSE internal system and why nobody outside can look at it. That is also the justification given for having _two_ Build Service instances and why SUSE Linux Enterprise (as in, the product!) cannot be built in the _openSUSE Build Service_.

We are already working on a solution for Bugzilla; this was accounted for when we decided to do this.

>> However to get there, we need your help with getting all of the usernames of the users that ever logged into any and all openSUSE services. This dump will be sent to SUSE and based on it we will receive the final dump which we will import into this system.
>
> It seems this is the same work as the eng-infra team (Daniel and Bernhard) is doing atm...
>
> sorry, it seems we do some duplicate work atm, we should have coordinated this better before

Unfortunately, a split was going to be required no matter what, especially if openSUSE was going to become its own legal entity (w.r.t. the Foundation). It would be insane to not be able to be responsible for our own accounts data.

-- 
真実はいつも一つ!/ Always, there's only one truth!
On Tuesday, 28 April 2020, 11:59:01 CEST, Neal Gompa wrote:
> On Tue, Apr 28, 2020 at 1:48 AM Adrian Schröter <adrian@suse.de> wrote:
>> Hi Stasiek,
>>
>> On Tuesday, 28 April 2020, 06:44:08 CEST, Stasiek Michalski wrote:
>>> Hi,
>>>
>>> So as you might be aware, on 18 May Micro Focus finally cuts us off from their infra, and that obviously also means a new account system. SUSE is preparing something themselves, but from what has been relayed to us, it doesn't fulfill all of our requirements. So we need your help in some areas while we transition to our own solution.
>>
>> yes, the SUSE engineering infra team is currently working on implementing the successor of that system...
>>
>>> We have deployed:
>>> * FreeIPA, as a backend to all of the other systems internally
>>> * Ipsilon, to provide us with SSO capabilities to FreeIPA accounts: https://sso.opensuse.org
>>> * Noggin, as a self-service portal, so people can register and modify their FreeIPA accounts: https://accounts.opensuse.org (behind VPN for now, just so we don't get any random people signing up)
>>>
>>> The solution already works, albeit without the previous accounts, which will be imported once we have received a cut-down dump of user data from SUSE.
>>
>> Sorry, but we won't use these for OBS and Bugzilla at least. This is because I do not really invest in syncing accounts also with our other systems (including also our internal build service).
>>
>> We must guarantee full SUSE employee control for certifications there with listed names. So an external authentication system is out of the question there.
>
> This doesn't make sense. Why does the _openSUSE Build Service_ need this?

* openSUSE Build Service is also used to maintain secret sources (read: non-public security fixes).
* sources are synced between instances and we need to apply the same permission and trust rules on users.
* And at least short term: we can only use the login proxies as authentication mechanism. So any OpenID or alike is not possible atm

sorry, but we talk about a time frame of a few days atm. There is for sure no practical way to change this setup atm.

> My understanding is that the SUSE _Internal Build Service_ requires this and that's why it authenticates with the SUSE internal system and why nobody outside can look at it. That is also the justification given for having _two_ Build Service instances and why SUSE Linux Enterprise (as in, the product!) cannot be built in the _openSUSE Build Service_.
>
> We are already working on a solution for Bugzilla; this was accounted for when we decided to do this.
>
>>> However to get there, we need your help with getting all of the usernames of the users that ever logged into any and all openSUSE services. This dump will be sent to SUSE and based on it we will receive the final dump which we will import into this system.
>>
>> It seems this is the same work as the eng-infra team (Daniel and Bernhard) is doing atm...
>>
>> sorry, it seems we do some duplicate work atm, we should have coordinated this better before
>
> Unfortunately, a split was going to be required no matter what, especially if openSUSE was going to become its own legal entity (w.r.t. the Foundation). It would be insane to not be able to be responsible for our own accounts data.

okay, but this is a very large and long-term task. Nothing that can be done in the next days.

-- 
Adrian Schroeter
email: adrian@suse.de
On Tue, Apr 28, 2020 at 6:41 AM Adrian Schröter <adrian@suse.de> wrote:
> On Tuesday, 28 April 2020, 11:59:01 CEST, Neal Gompa wrote:
>> On Tue, Apr 28, 2020 at 1:48 AM Adrian Schröter <adrian@suse.de> wrote:
>>> Hi Stasiek,
>>>
>>> On Tuesday, 28 April 2020, 06:44:08 CEST, Stasiek Michalski wrote:
>>>> Hi,
>>>>
>>>> So as you might be aware, on 18 May Micro Focus finally cuts us off from their infra, and that obviously also means a new account system. SUSE is preparing something themselves, but from what has been relayed to us, it doesn't fulfill all of our requirements. So we need your help in some areas while we transition to our own solution.
>>>
>>> yes, the SUSE engineering infra team is currently working on implementing the successor of that system...
>>>
>>>> We have deployed:
>>>> * FreeIPA, as a backend to all of the other systems internally
>>>> * Ipsilon, to provide us with SSO capabilities to FreeIPA accounts: https://sso.opensuse.org
>>>> * Noggin, as a self-service portal, so people can register and modify their FreeIPA accounts: https://accounts.opensuse.org (behind VPN for now, just so we don't get any random people signing up)
>>>>
>>>> The solution already works, albeit without the previous accounts, which will be imported once we have received a cut-down dump of user data from SUSE.
>>>
>>> Sorry, but we won't use these for OBS and Bugzilla at least. This is because I do not really invest in syncing accounts also with our other systems (including also our internal build service).
>>>
>>> We must guarantee full SUSE employee control for certifications there with listed names. So an external authentication system is out of the question there.
>>
>> This doesn't make sense. Why does the _openSUSE Build Service_ need this?
>
> * openSUSE Build Service is also used to maintain secret sources (read: non-public security fixes).
> * sources are synced between instances and we need to apply the same permission and trust rules on users.
> * And at least short term: we can only use the login proxies as authentication mechanism. So any OpenID or alike is not possible atm
>
> sorry, but we talk about a time frame of a few days atm. There is for sure no practical way to change this setup atm.

So, one way to deal with this would be to have a layer for just the OBS that merges the two identities into one for your purpose, keying off the email address. Since a proxy-based auth is mandatory for OBS, a shim layer would be required for virtually any solution anybody moves to (since proxy auth isn't supported by most systems anyway), so we can put intelligence there to support auth from either system.

>> My understanding is that the SUSE _Internal Build Service_ requires this and that's why it authenticates with the SUSE internal system and why nobody outside can look at it. That is also the justification given for having _two_ Build Service instances and why SUSE Linux Enterprise (as in, the product!) cannot be built in the _openSUSE Build Service_.
>>
>> We are already working on a solution for Bugzilla; this was accounted for when we decided to do this.
>>
>>>> However to get there, we need your help with getting all of the usernames of the users that ever logged into any and all openSUSE services. This dump will be sent to SUSE and based on it we will receive the final dump which we will import into this system.
>>>
>>> It seems this is the same work as the eng-infra team (Daniel and Bernhard) is doing atm...
>>>
>>> sorry, it seems we do some duplicate work atm, we should have coordinated this better before
>>
>> Unfortunately, a split was going to be required no matter what, especially if openSUSE was going to become its own legal entity (w.r.t. the Foundation). It would be insane to not be able to be responsible for our own accounts data.
>
> okay, but this is a very large and long-term task. Nothing that can be done in the next days.

Every long journey begins with a single step. The disaggregation of the accounts systems is the first one, and it's very easy to do.

-- 
真実はいつも一つ!/ Always, there's only one truth!
On Tue, Apr 28, 2020 at 12:41, Adrian Schröter <adrian@suse.de> wrote:
>> Unfortunately, a split was going to be required no matter what, especially if openSUSE was going to become its own legal entity (w.r.t. the Foundation). It would be insane to not be able to be responsible for our own accounts data.
>
> okay, but this is a very large and long-term task. Nothing that can be done in the next days.

Well, we are doing it, how big of a slip do you foresee for OBS then?

LCP [Stasiek]
https://lcp.world
On Tuesday, 28 April 2020, 15:10:23 CEST, Stasiek Michalski wrote:
> On Tue, Apr 28, 2020 at 12:41, Adrian Schröter <adrian@suse.de> wrote:
>>> Unfortunately, a split was going to be required no matter what, especially if openSUSE was going to become its own legal entity (w.r.t. the Foundation). It would be insane to not be able to be responsible for our own accounts data.
>>
>> okay, but this is a very large and long-term task. Nothing that can be done in the next days.
>
> Well, we are doing it, how big of a slip do you foresee for OBS then?

Frankly, I do not want to even discuss it these days.

We (or better the eng-infra team) are working on the successor of the MF login system which can be used as a plugin replacement. This has been clarified between various teams, the board and legal-wise meanwhile. (keep in mind that user data belongs to someone and can not be copied easily between entities).

Sorry, but I do not have time atm to even discuss any alternative approach. We can do so in a few weeks, but this stuff needs planning and can not get thrown over the fence.

And I see it as very confusing (read: harmful) when we announce two independent identity management systems at the same time for systems which used the same before.

-- 
Adrian Schroeter
email: adrian@suse.de
On Tue, Apr 28, 2020 at 15:19, Adrian Schröter <adrian@suse.de> wrote:
> On Tuesday, 28 April 2020, 15:10:23 CEST, Stasiek Michalski wrote:
>> On Tue, Apr 28, 2020 at 12:41, Adrian Schröter <adrian@suse.de> wrote:
>>>> Unfortunately, a split was going to be required no matter what, especially if openSUSE was going to become its own legal entity (w.r.t. the Foundation). It would be insane to not be able to be responsible for our own accounts data.
>>>
>>> okay, but this is a very large and long-term task. Nothing that can be done in the next days.
>>
>> Well, we are doing it, how big of a slip do you foresee for OBS then?
>
> Frankly, I do not want to even discuss it these days.
>
> We (or better the eng-infra team) are working on the successor of the MF login system which can be used as a plugin replacement. This has been clarified between various teams, the board and legal-wise meanwhile. (keep in mind that user data belongs to someone and can not be copied easily between entities).
>
> Sorry, but I do not have time atm to even discuss any alternative approach. We can do so in a few weeks, but this stuff needs planning and can not get thrown over the fence.
>
> And I see it as very confusing (read: harmful) when we announce two independent identity management systems at the same time for systems which used the same before.

Well, the work on our version started in February, and ~2 weeks after that we learned that in 6 weeks SUSE will be doing something, because MF is dropping them, without ever even telling heroes, even though we can check that some of them have to have known about our accounts system plans. This lack of communication (and the lack of answers to any of my questions about their system) is why we very much feel we sadly cannot rely on their solution for any of our future deployments, because this kind of communication kills the effectiveness of the heroes team.

This means we barely had the time to implement our own solution, otherwise we would have contacted you way way earlier, because I know very well that switching over accounts systems usually isn't that simple.

LCP [Stasiek]
https://lcp.world
On Tuesday, 28 April 2020, 15:37:51 CEST, Stasiek Michalski wrote:
> On Tue, Apr 28, 2020 at 15:19, Adrian Schröter <adrian@suse.de> wrote:
>> On Tuesday, 28 April 2020, 15:10:23 CEST, Stasiek Michalski wrote:
>>> On Tue, Apr 28, 2020 at 12:41, Adrian Schröter <adrian@suse.de> wrote:
>>>>> Unfortunately, a split was going to be required no matter what, especially if openSUSE was going to become its own legal entity (w.r.t. the Foundation). It would be insane to not be able to be responsible for our own accounts data.
>>>>
>>>> okay, but this is a very large and long-term task. Nothing that can be done in the next days.
>>>
>>> Well, we are doing it, how big of a slip do you foresee for OBS then?
>>
>> Frankly, I do not want to even discuss it these days.
>>
>> We (or better the eng-infra team) are working on the successor of the MF login system which can be used as a plugin replacement. This has been clarified between various teams, the board and legal-wise meanwhile. (keep in mind that user data belongs to someone and can not be copied easily between entities).
>>
>> Sorry, but I do not have time atm to even discuss any alternative approach. We can do so in a few weeks, but this stuff needs planning and can not get thrown over the fence.
>>
>> And I see it as very confusing (read: harmful) when we announce two independent identity management systems at the same time for systems which used the same before.
>
> Well, the work on our version started in February, and ~2 weeks after that we learned that in 6 weeks SUSE will be doing something, because MF is dropping them, without ever even telling heroes, even though we can check that some of them have to have known about our accounts system plans. This lack of communication (and the lack of answers to any of my questions about their system) is why we very much feel we sadly cannot rely on their solution for any of our future deployments, because this kind of communication kills the effectiveness of the heroes team.

Who is "their" here? Bernhard and Daniel are part of the eng-infra team creating the new solution.

> This means we barely had the time to implement our own solution, otherwise we would have contacted you way way earlier, because I know very well that switching over accounts systems usually isn't that simple.

I understand that this topic is frustrating (and believe me, it is for me as well since ~1.5 years) but we should IMHO not have multiple own and independent solutions atm. It will be very confusing for every user and will increase complexity on many levels for ourselves.

IMHO (but I have not discussed this with anyone yet) we should actually aim for the opposite, supporting external identity providers directly instead. This won't be possible for SUSE employees, but external new users could get attracted by avoiding the hurdle to create yet another account. But just being able to use their Google/Bavarian/... account directly...

sorry, I do not want to destroy your work, but I think I should be clear that I do not see that we would switch right away. Instead of wasting even more time...

-- 
Adrian Schroeter
email: adrian@suse.de
On Tue, Apr 28, 2020 at 17:03, Adrian Schröter <adrian@suse.de> wrote:
> On Tuesday, 28 April 2020, 15:37:51 CEST, Stasiek Michalski wrote:
>> Well, the work on our version started in February, and ~2 weeks after that we learned that in 6 weeks SUSE will be doing something, because MF is dropping them, without ever even telling heroes, even though we can check that some of them have to have known about our accounts system plans. This lack of communication (and the lack of answers to any of my questions about their system) is why we very much feel we sadly cannot rely on their solution for any of our future deployments, because this kind of communication kills the effectiveness of the heroes team.
>
> Who is "their" here?
>
> Bernhard and Daniel are part of the eng-infra team creating the new solution.

I know

> IMHO (but I have not discussed this with anyone yet) we should actually aim for the opposite, supporting external identity providers directly instead. This won't be possible for SUSE employees, but external new users could get attracted by avoiding the hurdle to create yet another account. But just being able to use their Google/Bavarian/... account directly...

We discussed this already, and the conclusion was a resounding no.

LCP [Stasiek]
https://lcp.world
On Tue, Apr 28, 2020 at 07:48, Adrian Schröter <adrian@suse.de> wrote:
> Hi Stasiek,
>
> On Tuesday, 28 April 2020, 06:44:08 CEST, Stasiek Michalski wrote:
>> We have deployed:
>> * FreeIPA, as a backend to all of the other systems internally
>> * Ipsilon, to provide us with SSO capabilities to FreeIPA accounts: https://sso.opensuse.org
>> * Noggin, as a self-service portal, so people can register and modify their FreeIPA accounts: https://accounts.opensuse.org (behind VPN for now, just so we don't get any random people signing up)
>>
>> The solution already works, albeit without the previous accounts, which will be imported once we have received a cut-down dump of user data from SUSE.
>
> Sorry, but we won't use these for OBS and Bugzilla at least. This is because I do not really invest in syncing accounts also with our other systems (including also our internal build service).

Discussions on OBS's support of any other technologies should happen in https://github.com/openSUSE/open-build-service/issues/9122; we reported this as soon as we started with the realization that OBS will be the only problematic piece of software, since only it doesn't support what is required.

This might require further explanation though:
* OSEM is built on OmniAuth, so switching login provider is not a big deal [1]
* openQA uses the openSUSE OpenID provider [2]
* Wikis, based on MediaWiki, which has an OIDC plugin for login [3]
* TSP and other Devise-based apps can use OmniAuth [4], so by extension [1]
* Redmine has an OpenID Connect plugin [5]
* Jenkins uses OpenID already
* CAS-bound applications may use mod_auth_* plugins, since they set response headers in a similar fashion, so that should be mostly compatible

As a sidenote to the existing OpenID support, we would like to deprecate the existing endpoint in a year or two, since the fact that it has slashes in the resulting IDs causes some issues with the existing applications, especially ones using the PHP OpenID library (that includes paste.opensuse.org). This means the new endpoint will be on sso.opensuse.org and not www.opensuse.org/openid/user anymore. This means a change in internal OpenIDs would be from www.opensuse.org/openid/user/$username to $username.sso.opensuse.org

LCP [Stasiek]
https://lcp.world

[1] https://github.com/m0n9oose/omniauth_openid_connect
[2] https://github.com/os-autoinst/openQA/blob/master/docs/Installing.asciidoc#o...
[3] https://www.mediawiki.org/wiki/Extension:OpenID_Connect
[4] https://github.com/heartcombo/devise/wiki/OmniAuth:-Overview
[5] https://github.com/devopskube/redmine_openid_connect
On Tue, Apr 28, 2020 at 18:56, Stasiek Michalski <hellcp@opensuse.org> wrote:
> On Tue, Apr 28, 2020 at 07:48, Adrian Schröter <adrian@suse.de> wrote:
>> Sorry, but we won't use these for OBS and Bugzilla at least. This is because I do not really invest in syncing accounts also with our other systems (including also our internal build service).
>
> Discussions on OBS's support of any other technologies should happen in https://github.com/openSUSE/open-build-service/issues/9122; we reported this as soon as we started with the realization that OBS will be the only problematic piece of software, since only it doesn't support what is required.

Here, as a sidenote, we could also use mod_auth_gssapi [1] with form intercept [2], but I don't think we should treat that as a long-term solution, since that makes OBS ignore the SSO functionality entirely.

> This might require further explanation though:
> * OSEM is built on OmniAuth, so switching login provider is not a big deal [1]
> * openQA uses the openSUSE OpenID provider [2]
> * Wikis, based on MediaWiki, which has an OIDC plugin for login [3]
> * TSP and other Devise-based apps can use OmniAuth [4], so by extension [1]
> * Redmine has an OpenID Connect plugin [5]
> * Jenkins uses OpenID already
> * CAS-bound applications may use mod_auth_* plugins, since they set response headers in a similar fashion, so that should be mostly compatible

I also forgot to mention Weblate, which already uses OpenID.

LCP [Stasiek]
https://lcp.world

[1] https://github.com/gssapi/mod_auth_gssapi
[2] https://github.com/adelton/mod_intercept_form_submit
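As an added illustration (not part of this thread, and not configuration from the heroes deployment, from OBS or from any project named above), this is roughly what the mod_auth_openidc route mentioned in the first mail and in the list above looks like for an application that only understands proxy-supplied identity headers, the way the CAS-bound applications do. The Ipsilon discovery URL, the client ID and secret, the header names X-Username and X-Email, the callback path and the backend address are all assumptions made for the example; the values a real application expects come from that application's documentation and from the SSO metadata the heroes hand out on request.

```apache
# Added example (assumed values throughout): Apache httpd 2.4 vhost that puts
# mod_auth_openidc in front of a backend which only trusts identity headers
# set by its login proxy. Requires mod_auth_openidc, mod_headers, mod_proxy,
# mod_proxy_http and mod_ssl to be loaded.
<VirtualHost *:443>
    ServerName app.example.opensuse.org
    SSLEngine on
    # (certificate directives omitted)

    # Relying-party registration against the openSUSE SSO. The discovery URL
    # is an assumption about the Ipsilon deployment; the client ID/secret are
    # whatever the SSO admins issue for this application.
    OIDCProviderMetadataURL https://sso.opensuse.org/openidc/wellknown_openid_configuration
    OIDCClientID app-example-client-id
    OIDCClientSecret replace-with-the-issued-client-secret
    # Must be a path under the protected <Location> below; the module answers
    # it itself, so the backend never sees the authorization code.
    OIDCRedirectURI https://app.example.opensuse.org/oidc-callback/
    OIDCCryptoPassphrase replace-with-a-long-random-string
    OIDCScope "openid email profile"
    # REMOTE_USER becomes the preferred_username claim rather than the opaque
    # "sub", so the backend sees the FreeIPA login name (assumed claim name).
    OIDCRemoteUserClaim preferred_username
    # Expose claims only as environment variables; we forward explicitly below.
    OIDCPassClaimsAs environment

    # Never trust identity headers that arrive from the client side. Strip them
    # in the early phase, before authentication runs, so the only X-Username /
    # X-Email values that reach the backend are the ones set after login.
    RequestHeader unset X-Username early
    RequestHeader unset X-Email early

    <Location />
        AuthType openid-connect
        Require valid-user
        # Pass the authenticated REMOTE_USER to the backend as X-Username ...
        OIDCAuthNHeader X-Username
        # ... and the verified email claim as X-Email (mod_headers reads the
        # OIDC_CLAIM_email environment variable mod_auth_openidc populates).
        RequestHeader set X-Email "%{OIDC_CLAIM_email}e"
        ProxyPass        http://127.0.0.1:8080/
        ProxyPassReverse http://127.0.0.1:8080/
    </Location>
</VirtualHost>
```

The security boundary in this pattern is the backend's reachability, not the headers: any client that can open a connection to port 8080 directly can send its own X-Username and be whoever it likes, so the backend must be bound to localhost or firewalled to accept connections only from this proxy. The two early `RequestHeader unset` lines close the other obvious hole, a client injecting the headers through the proxy itself. This is also why the shim idea raised earlier in the thread (merging two identity sources in front of OBS) has to live in exactly this layer: whatever sets X-Username is the component the application ends up trusting completely.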
Good Morning,

I am CC'ing the board, since we have a disagreement here and the possible consequences for the entire project.

For the board, we do discuss the successor of the existing identity management system used for SUSE and openSUSE services. The system hosted by MF-IT will be shut down next month and SUSE will move their data to a system currently being built up by the eng-infra team. Independent of that, Stasiek has built up an alternative solution inside the openSUSE-heroes network.

On Wednesday, 29 April 2020, 05:06:18 CEST, Stasiek Michalski wrote:
> On Tue, Apr 28, 2020 at 18:56, Stasiek Michalski <hellcp@opensuse.org> wrote:
>> On Tue, Apr 28, 2020 at 07:48, Adrian Schröter <adrian@suse.de> wrote:
>>> Sorry, but we won't use these for OBS and Bugzilla at least. This is because I do not really invest in syncing accounts also with our other systems (including also our internal build service).

(I wrote some more reasons here, repeating below)

>> Discussions on OBS's support of any other technologies should happen in https://github.com/openSUSE/open-build-service/issues/9122; we reported

You can discuss here if something should be implemented, but this is independent of the question of what we will use on our production instance.

>> this as soon as we started with the realization that OBS will be the only problematic piece of software, since only it doesn't support what is required.
>
> Here, as a sidenote, we could also use mod_auth_gssapi [1] with form intercept [2], but I don't think we should treat that as a long-term solution, since that makes OBS ignore the SSO functionality entirely.

We do *NOT* speak about technical implementation details here atm. The big topics are the legal, trust and policy changes here.

You basically ask for root access on every user installation which uses any repository from OBS. And you ask for access to content SUSE gets only under hard NDAs. Also legal would need to clarify if openSUSE would still be the same legal entity for this data as before and if a duplication is acceptable (because this is personal data which is under GDPR regulations).

In short this most likely violates a number of contracts, certifications and laws. The consequences of this are that we most likely need to revoke GPG keys, set up another instance of OBS and Bugzilla, move content over, inform users publicly and individually and ask for permission to import their data into your new system. But these are just the problems at first glance, I am sure there is more.

Therefore I do not want to discuss this atm on short notice, but postpone it to a later point. Instead sticking to the solution from eng-infra to avoid that we need to shut down OBS, Bugzilla and possibly also further openSUSE infrastructure in the next weeks. We can later on discuss it without the time pressure, and include also the goals for the entire project and all stakeholders into this.

Furthermore it is my private opinion that we should not confuse openSUSE users by the launch of two independent account systems at the same time. Instead we should aim for the opposite, allowing the usage of external accounts (like Google and friends) optionally to avoid the hurdle of creating an account.

Daniel can give you some insight about their system and how it can be used also inside of the heroes network.

bye
adrian

-- 
Adrian Schroeter
email: adrian@suse.de
Hi,

First of all let me say sorry for the bad communication on this topic. The project is running with people from several teams inside SUSE and the schedule was moved repeatedly. So this led to this situation where things got lost, forgotten, delayed ... I hope that this does not hinder us from working on a solution that we are all fine with and that suits all our needs, requirements and wishes.

On Wednesday, April 29, 2020 11:26:18 AM CEST Adrian Schröter wrote:
For the board, we do discuss the successor of the existing identity management system used for SUSE and openSUSE services. The system hosted by MF-IT will be shut down next month and SUSE will move their data to a system currently built up by the eng-infra team. Independent of that, Stasiek has built up an alternative solution inside the openSUSE-heroes network.
Let me step back and describe what we are working on right now.

Until now Microfocus provides us with an authentication system for the 'so-called' Bugzilla-Logins. As they are used for way more than just Bugzilla I like to refer to these accounts as "Community-Accounts". Part of this community are developers (external as well as SUSE employees), non-developer employees and SUSE business partners. All of them get access and permissions to certain resources of the services we provide.

As SUSE will now become fully independent of Microfocus, we will replace this authentication system. Legally this is just a change of 'where' our data is processed. MF just processed it under a contract so far. With the upcoming migration, we will keep this data in our Nuremberg datacenter. The service will even be certified under Common Criteria. So with this change, the dependency on MF is removed. The only entity that this login then depends on is SUSE. So this is the same dependency as for Bugzilla, OBS and some tools that business partners have access to. Personally I see this as a positive step to reduce the dependencies. Soon SUSE will be in full control and the only go-to entity for change requests from the openSUSE community.

The migration will start soon for employees. For external users it will be around May 11th. The communications for this are currently being written (I am just reviewing the first drafts right now).

That being said I want to stress that I do not want to prohibit any discussion concerning a separation. This is an interesting topic but it needs to involve way more people (openSUSE board, SUSE Legal, Common Criteria, Build Service Admins, Bugzilla Admins, Partner Managers, ...) than we have on the current list. Such a separation will affect many places, services and workflows. Maybe even new setups or infrastructure changes.
Given the current timeline that we have to become independent of Microfocus I am asking all of you to postpone this discussion to at least after May 18th - maybe even to June. Currently we just don't have the time or resources for such a discussion, not even for any technical changes. On the other hand - nothing we are doing right now should prevent a separation in the future. I don't see any 'technical' reason why this should not be possible (if all other parties, see above, are ok with this).

On Tuesday, 28. April 2020, 06:44:08 CEST Stasiek Michalski wrote:
So as you might be aware, on 18. May Micro Focus finally cuts us off from their infra, and that obviously also means new account system. SUSE is preparing something themselves, but from what has been relayed to us, it doesn't fulfill all of our requirements.
What requirements are missing from your point of view?

Some more background to this: The setup we are deploying right now consists of a fleet of servers running the Univention Corporate Server. This is an entirely open source solution running on Debian (right now). Univention signaled interest to work with us on also running their product on SLES (maybe even Leap or Tumbleweed). So we will work with them to run it on our own products. If you want to help with this process you can start right now because all their code is open source and public and you can run a UCS server free of charge for yourself. https://github.com/univention

Coming back to the missing requirements: If you see any requirement that is missing I bet you a beer that Univention will happily accept pull requests or any kind of collaboration with the community to add features. Univention even implemented features for us into the core product that we needed for the deployment. These features are now available to all UCS users. So with this SUSE made use of its own business model when investing in this development.

I heard rumors that the missing feature might be "openid" and UCS only provides "openid connect". Yes, that's true. In our original schedule we would have had more time to address such issues. Right now I asked Bernhard Wiedemann (CCed) to look into this topic. He is planning to provide openid with UCS in the backend. I think he will even accept helping hands. This solution might just be a quick workaround for some time, yes. But I hope that we can find a volunteer that will look into packaging a solid solution that can be installed via the UCS app store natively. Then we will happily switch to this solution.

Let me quickly recap:
1. I am not against any future separation. I will happily take part in such discussions and even help from the technical side.
2. The current schedule just does not allow any separation work or discussion right now. The deadline with Microfocus is fixed and we have very little time left.
3. Please postpone related discussions to June - then we will have more time for this.
4. Help is welcome to offer the missing features - if you can name them.
Furthermore it is my private opinion that we should not confuse openSUSE users by the launch of two independent account systems at the same time.
Just bear in mind what it will look like for a customer from mid May on:
- Customer will have an Okta account to manage his subscriptions.
- If he wants to also contribute to Bugzilla or OBS he needs a UCS account.
- If we do the separation in the future and this user wants to also contribute to openSUSE forums, he also needs an openSUSE account.

Ciao,
Daniel

-- 
J. Daniel Schmidt <jdsn@suse.com> | Engineering Infrastructure
SUSE Linux GmbH, Maxfeldstr. 5, D-90409 Nürnberg
GF: Felix Imendörffer, Mary Higgins, Sri Rasiah, HRB 21284 (AG Nürnberg)
On Wed, Apr 29, 2020 at 12:42, J. Daniel Schmidt <jdsn@suse.com> wrote:
Given the current timeline that we have to become independent of Microfocus I am asking all of you to postpone this discussion to at least after May 18th - maybe even to June. Currently we just don't have the time or resources for such a discussion, not even for any technical changes.
We tried to contact you twice before about this via email, and even before this on progress-o-o opensuse-admin project and the lack of communication there was the main reason why we didn't even bother thinking about SUSE's system, and worked out our own. If this is how we are going to work this out, I would prefer to switch over now, since you already answered, and not in a few months when I will be waiting for any communication again.
I heard rumors that the missing feature might be "openid" and UCS only provides "openid connect". Yes, that's true. In our original schedule we would have had more time to address such issues. Right now I asked Bernhard Wiedemann (CCed) to look into this topic. He is planning to provide openid with UCS in the backend. I think he will even accept helping hands. This solution might just be a quick workaround for some time, yes. But I hope that we can find a volunteer that will look into packaging a solid solution that can be installed via the UCS app store natively. Then we will happily switch to this solution.
This seems like a massive omission on your part, since both internal and external openQA rely on OpenID (and so do openSUSE Weblate and Jenkins). I seriously cannot fathom you didn't actually look at the infrastructure and think about what service requires what IDP. What were the criteria then? Not to mention, I noted this as a requirement in the opensuse-admin ticket where we were trying to get you to answer questions about the account system too. No needs of openSUSE were ever considered, and it's depressing.

LCP [Stasiek]
https://lcp.world
On Wed, Apr 29, 2020 at 11:26, Adrian Schröter <adrian@suse.de> wrote:
The big topics are the legal, trust and policy changes here. You basically ask for root access on every user installation which uses any repository from OBS. And you ask for access to content SUSE gets only under hard NDAs. Also legal would need to clarify if openSUSE would still be the same legal entity for this data as before and if a duplication is acceptable (because this is personal data which is under DSGVO regulations).
In short this most likely violates a number of contracts, certifications and laws.
Good, 4 weeks ago was to let the board know there might be some legal stuff to take care of here, but since Daniel did not bother responding to any of my emails about the transition, I couldn't take this any further.

LCP [Stasiek]
https://lcp.world
Hi,

Dear all, let's please calm down a bit and save some harsh words for another day.

Stasiek, I'm Daniel's manager, joined SUSE in Dec, and let me assure you that openSUSE interests are very much on our list - and Daniel personally is one of the most loyal and eager representatives. I'm deeply sorry if you're feeling differently; we will try to make it better. I'm the escalation point, and you could contact me at any moment.

Not sure if it has been properly communicated outside, but SUSE is right now at the end of the IT separation from Microfocus, the previous owner. At the very last moment, the timeline for the identity management has been cut by 6 weeks out of 12 - you can imagine what an unbelievable workload it brings to us, and to the UCS implementation team specifically. That's very unfortunate for all of us; right now we foresee no free weekends till the cutover date, May 18th. None at all. For the last four weeks Daniel has barely had time to sleep - not much. I believe that's the reason for this miscommunication.

In this situation, we are trying to avoid gaps and miscommunication - but do not always succeed. So we are asking for help and support - I'm not ashamed of that; and we find it in many places, thank God for the development world. This is extremely important for the whole company, which we all want to prosper. If we don't make it in time - the impact, both financial and reputational, would be crucial.

On the other side, any requests potentially impacting the security should be taken with double precautions. Security certification costs SUSE a hell of a lot of money - as, again, the impact of any breach could be irreversible if we make one wrong step.

So please let me understand whether we can proceed with the workaround Daniel proposed to you and Bernhard is working on now - under the condition that we will sit together at the end of May to develop a permanent solution and avoid technical debt.
We would very much appreciate the community's hands both for the workaround and for the final solution. I hate this phrase, but we ARE in the same boat now, especially now - when the future of any company is not that obvious. No one wants to damage SUSE. Please help us now. I give you my word, I'll raise it up to the top management level and do all I can to find resources to drive it.

If we could meet (I mean call for now) and you could explain or write me what exactly is the matter - it would be great and would help me a lot; unfortunately I've missed part of the discussion. I'll do my best to join the Heroes monthly meeting on Tuesday in IRC and will be happy to get to know you better.

In any case, here is my contact info below, and I'm at your service.

Zhenya
Evženie Šujskaja (esujskaja@suse.com)
+420 702 285 979
Engineering Infrastructure team lead
Křižíkova 148/34
186 00 Praha, CZ
On Wed 2020-04-29, Evzenie Sujskaja wrote:
Dear all, let's please calm down a bit
That's a fine suggestion, Evzenie. (The good thing is that at SUSE and openSUSE we are a bunch of people who care very much; the downside is, well, we care very much. ;-)
I'm the escalation point, and you could contact me at any moment.
That appears to be part of my (new) job description as well; a common aspect in our different roles.
Not sure if it has been properly communicated outside, but SUSE is right now at the end of the IT separation from Microfocus, the previous owner. At the very last moment, the timeline for the identity management has been cut by 6 weeks out of 12 - you can imagine what an unbelievable workload it brings to us
Yikes, even I as a SUSE employee was not aware of that! That definitely sounds very tough. Kudos and good luck to Daniel, you, and the team!
In this situation, we are trying to avoid gaps and miscommunication - but do not always succeed. So we are asking for help and support
Neal reached out to me, and earlier today (well, yesterday by now), he, Stasiek, and I had a good call where I learned a bit about the situation from their perspective/openSUSE. They agreed to summarize the current state, goal state, and requirements from their perspective, which I expect will be a good base to sync between them/the openSUSE heroes and your team and whoever is engaging around the transition on the SUSE side.
So please let me understand whether we can proceed with the workaround Daniel proposed to you and Bernhard is working on now - under the condition that we will sit together at the end of May to develop a permanent solution and avoid technical debt. We would very much appreciate the community's hands both for the workaround and for the final solution.
I sensed a lot of engagement and willingness to help from Neal and Stasiek (and would not be surprised if there were others). Personally I am not an expert and so cannot advise whether the workaround you mention is going to work, and hope their summary will help with that conversation.
Please help us now. I give you my word, I'll raise it up to the top management level and do all I can to find resources to drive it. If we could meet (I mean call for now) and you could explain or write me what exactly is the matter - it would be great and would help me a lot; unfortunately I've missed part of the discussion
Great minds think alike? (I ended up stepping away from my notebook after my meeting with the two before sending an update, but it seems you and me were thinking along the same lines. <g>)
I'll do my best to join the Heroes monthly meeting on Tuesday in IRC and will be happy to get to know you better.
In any case, here is my contact info below, and I'm at your service.
That's a great offer, thank you! How about if you and I briefly sync tomorrow (Thursday), then we wait for the summary, and then take it from there?

Good night,
Gerald
Hi folks,

as an interim update: having talked with Neal and Stasiek on Wednesday and Evzenie on Thursday, I believe there may be incomplete information involved.

As Neal noted, SUSE is moving to an Okta-based single sign on solution, which includes services for employees (some already in place), partners, and customers. However, for services close to product development (engineering, ...) there is another system rolled out in the coming weeks - which is what Daniel is working on. That one is open source and from what I understand supports OpenID.

I leave it to the experts to provide more background and suggest not to start a mega thread (yet ;-) based on this note of mine, but also wanted to share this quickly.

Cheers,
Gerald
Hi, On Friday, May 1, 2020 1:31:55 AM CEST Gerald Pfeifer wrote:
I leave it to the experts to provide more background and suggest not to start a mega thread (yet ;-) based on this note of mine, but also wanted to share this quickly.
Without the aim to create a big thread I wanted to share that some deadlines in our plan are not as short as they were until this morning. This means we have more time for migration and planning of adaptations of the services that are affected (except Bugzilla). I will share more details in tomorrow's heroes meeting and would like to start the discussion on how we go forward.

Ciao,
Daniel

-- 
J. Daniel Schmidt <jdsn@suse.com> | Engineering Infrastructure
SUSE Linux GmbH, Maxfeldstr. 5, D-90409 Nürnberg
GF: Felix Imendörffer, Mary Higgins, Sri Rasiah, HRB 21284 (AG Nürnberg)