On 16/09/2014 21:24, Fabian Arrotin wrote:
Yes, the main blocker on CBS isn't (at the moment) the central authentication. Koji supports both Kerberos and x509 certificates. The IPA/FAS discussion is related but not directly required for the CBS effort. That's the reason why, due to the small amount of people requiring CBS access $now, it was decided with Thomas to start small, with our own internal CA to generate our keys/certs for koji and let people start using the CBS platform. In parallel, the FAS/IPA/other solution discussion can be held/debated/selected. And we'll always have a solution to migrate CBS to the other x509 setup we'll have in production.
Speaking personally, I'm quite an IPA advocate, and have done a bunch of work customising it for $employer and tying various bits of software into it as an authn/authz source. However, I'm trying not to push it too hard (not least because I had a brief chat with Jim, and he said that there were some issues around using it that'd require potential functionality development in IPA itself, some of which may not be trivial). FAS works nicely for Fedora, and the potential for federating Fedora and CentOS FAS does sound quite appealing.
Is there somewhere we can start collating requirements for the auth system? The Trello board, or a wiki page maybe? We could use that to start making a requirements vs software features matrix to help guide our decisions.
(I also missed the #centos-devel conversation, and need to go back and read the logs.)