Current situation for CentOS.org infra
We have decided to use FAS as the authentication backend for the various services within the CentOS.org infra. The goal is to slowly migrate existing services to that new setup and so have SSO available within centos.org. The entry point for our own instance is https://accounts.centos.org (also referred to as ACO, to avoid confusing Fedora users with FAS itself: the two instances are independent and not federated). Currently, FAS/ACO doesn't provide a "standard" API layer for authentication, such as LDAP or Kerberos.
FAS/ACO by itself currently provides:
- user/password validation (with group membership)
- TLS/X509 user/server certificates
The idea is to use an OpenID/SAML2 proxy that would use our ACO backend (so acting as an IdP). The proposed solution is Ipsilon, as it's the only IdP that has a FAS backend plugin available (and that's what is used within the Fedora project infrastructure too). If an application doesn't natively support OpenID/SAML2 tokens, we can also use http_auth and let httpd/apache handle the authentication (integration would then be minimal, so OpenID/SAML2 should always be preferred). That is possible through modules like mod_auth_openid, redirecting http_auth through that module against Ipsilon (so http_auth -> openid (Ipsilon) -> ACO).
Here is a list of the services we'd like to slowly integrate with ACO:
- CentOS Community Build Service
- Git Repositories
- CentOS Bug tracker
- CI/CD project
- CentOS forums
- CentOS Wiki
- Centralized blogging platform
- Infra kanboard service
- CentOS monitoring service
We'll list all those here with the possible solution for each service.
CentOS Community Build Service
- current status: fully integrated
- application: Koji
- supports natively openid: NO
- supports natively http_auth: NO
- supports natively x509 auth: YES (and that's how it's configured)
- note: there are integration scripts between ACO and CBS to add/remove users from groups, and so give/remove build rights against specific tags/targets
Git Repositories
- current status: not integrated
- application: GitBlit
- supports natively openid: NO
- supports natively http_auth: YES (http://gitblit.com/setup_authentication.html)
- supports natively x509 auth: YES
CentOS Bug Tracker
- current status: not integrated
- application: Mantis BT
- supports natively openid: NO (work in progress)
- supports natively http_auth: YES (creates the user on first login)
CI/CD project
- current status: not integrated
- application: Jenkins
- supports natively openid: YES (through a plugin, but maintained: https://wiki.jenkins-ci.org/display/JENKINS/OpenID+plugin)
- supports natively http_auth: YES
CentOS forums
- current status: not integrated
- application: phpBB
- supports natively openid: NO
- supports natively http_auth: YES (https://www.phpbb.com/support/docs/en/3.1/ug/adminguide/general_client)
CentOS wiki
- current status: not integrated
- application: MoinMoin
- supports natively openid: YES (to be confirmed; https://moinmo.in/HelpOnAuthentication)
- supports natively http_auth: YES (https://moinmo.in/HelpOnAuthentication)
Centralized blogging platform
- current status: not integrated
- application: WordPress
- supports natively openid: NO (but maybe through a plugin like https://wordpress.org/plugins/openid/; we would then need another plugin that lets us configure which IdP to use, so we can add our own: https://puiterwijk.fedorapeople.org/fedora-autologin-42.zip)
- supports natively http_auth: NO (same remark as above: through a plugin like https://wordpress.org/support/plugin/http-auth ?)
Infra kanboard service
- current status: not integrated
- application: Kanboard
- supports natively openid: NO
- supports natively http_auth: YES (https://kanboard.net/documentation/reverse-proxy-authentication)
- supports natively x509 auth: YES (https://kanboard.net/plugins and https://github.com/kanboard/plugin-client-certificate)
CentOS monitoring service
- current status: not integrated, but tested and works
- application: Zabbix
- supports natively openid: NO
- supports natively http_auth: YES (but the user has to exist in the Zabbix DB!)
- NOTE: http_auth for Zabbix only verifies that user/pass authentication succeeded, so users still have to exist in the Zabbix DB as before
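The http_auth -> openid (Ipsilon) -> ACO chain described above, and the Zabbix note that the application still needs a local account, both come down to how an application behind httpd should consume the proxy's authentication result. The following added example (not code from the CentOS infra or from any of the listed applications) is a minimal WSGI app that trusts only the `REMOTE_USER` server variable populated by the httpd auth module, ignores any look-alike client header, and refuses users that authenticated upstream but have no local account. The user table is constructed for the example.

```python
"""Minimal WSGI app sitting behind httpd reverse-proxy authentication.

Constructed example for the http_auth -> Ipsilon -> ACO setup; it is not part
of the CentOS infra. httpd authenticates the user and sets REMOTE_USER; the app
only has to decide whether that user is allowed in.
"""

# Constructed stand-in for the application's own user table (e.g. the Zabbix DB).
LOCAL_USERS = {"alice": "admin", "bob": "viewer"}


def resolve_user(environ, local_users=LOCAL_USERS):
    """Return (HTTP status, body) for one request.

    - REMOTE_USER is set by the httpd auth module after a successful login
      against Ipsilon/ACO. It is a server variable, not a request header, so a
      client cannot forge it; header-shaped keys such as HTTP_X_REMOTE_USER are
      deliberately never consulted.
    - As with Zabbix http_auth, a successful upstream login is not enough: the
      account must already exist locally, otherwise the request is refused.
    """
    user = environ.get("REMOTE_USER")
    if not user:
        return "401 Unauthorized", "authentication is performed at the proxy"
    if user not in local_users:
        return "403 Forbidden", f"{user} authenticated but has no local account"
    return "200 OK", f"welcome {user} (role={local_users[user]})"


def app(environ, start_response):
    """WSGI entry point wired to resolve_user()."""
    status, body = resolve_user(environ)
    start_response(status, [("Content-Type", "text/plain; charset=utf-8")])
    return [body.encode("utf-8")]


if __name__ == "__main__":
    from wsgiref.simple_server import make_server

    # Bind to localhost only: httpd in front is what performs authentication,
    # so the app must never be reachable directly from outside.
    with make_server("127.0.0.1", 8080, app) as srv:
        srv.serve_forever()
```

The app is deliberately reachable only through httpd; exposing it directly would let a caller talk to it without ever passing through Ipsilon/ACO, which is the same reason the reverse-proxy authentication docs for Kanboard and Zabbix insist the proxy be in front.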
CentOS DevCloud (https://wiki.centos.org/DevCloud)
- current status: not integrated
- application: OpenNebula, but we use custom scripts
- supports natively openid: NO
- supports natively http_auth: NO
- the idea would be to do as for Koji: scripts syncing users from ACO and fetching their ssh public keys from ACO too (adding/removing users based on group membership)
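Both the CBS/Koji integration scripts (adding/removing users from groups) and the DevCloud idea (syncing users and ssh public keys based on ACO group membership) are the same pattern: diff a group snapshot from ACO against local state and act on the difference. The following is an added example of that pattern, not the infra's own scripts: the snapshot format is a constructed assumption standing in for whatever a query against ACO returns, and the script only renders the `useradd`/`userdel` commands rather than executing them. It also validates usernames and key lines before they reach a shell or an `authorized_keys` file.

```python
"""Group-driven account and ssh-key sync (constructed example, not the CentOS
infra scripts). Input is a snapshot of one ACO group; output is the add/remove
plan, the shell commands an operator would run, and per-user authorized_keys
content."""
import json
import re

# Constructed snapshot; the real ACO response shape is an assumption here.
ACO_SNAPSHOT = json.loads("""
{
  "group": "sig-cloud",
  "members": [
    {"username": "alice", "ssh_key": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyAlice alice@example"},
    {"username": "bob",   "ssh_key": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyBob bob@example"},
    {"username": "carol", "ssh_key": ""}
  ]
}
""")

# Only plain "<type> <base64> [comment]" key lines are written out.
ALLOWED_KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256")
# Usernames reach useradd/userdel on a command line, so restrict the charset.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def plan_sync(snapshot, current_users):
    """Return (to_add, to_remove) so that local accounts mirror the ACO group."""
    desired = set()
    for member in snapshot["members"]:
        name = member["username"]
        if not USERNAME_RE.match(name):
            raise ValueError(f"refusing unsafe username from ACO: {name!r}")
        desired.add(name)
    current = set(current_users)
    return sorted(desired - current), sorted(current - desired)


def render_commands(to_add, to_remove):
    """Shell commands for the plan; returned as strings, not executed."""
    cmds = [f"useradd -m -s /bin/bash {u}" for u in to_add]
    cmds += [f"userdel -r {u}" for u in to_remove]
    return cmds


def authorized_keys(snapshot):
    """Map username -> authorized_keys file content.

    A member with no key in ACO gets empty content, so a key removed in ACO is
    also removed locally on the next run instead of lingering. Lines that are
    not a bare key of an allowed type (options prefixes, blank lines, junk)
    are dropped rather than written.
    """
    out = {}
    for member in snapshot["members"]:
        kept = []
        for line in member.get("ssh_key", "").splitlines():
            parts = line.split()
            if len(parts) >= 2 and parts[0] in ALLOWED_KEY_TYPES:
                kept.append(" ".join(parts))
        out[member["username"]] = "".join(k + "\n" for k in kept)
    return out


if __name__ == "__main__":
    # Constructed current state: bob exists, dave left the group, alice/carol are new.
    to_add, to_remove = plan_sync(ACO_SNAPSHOT, ["bob", "dave"])
    for cmd in render_commands(to_add, to_remove):
        print(cmd)
    for user, content in authorized_keys(ACO_SNAPSHOT).items():
        print(f"--- /home/{user}/.ssh/authorized_keys ---")
        print(content, end="")
```

Running the plan separately from rendering it is what makes the script safe to run on a schedule: a broken or empty snapshot from ACO would show up as a large removal list that an operator can refuse, rather than silently deleting every account.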