On 16/08/16 11:20, Laurentiu Pancescu wrote:
> Are there any plans for enabling single-sign-on between the different centos.org subdomains? Perhaps at least between accounts and bugs, if not also cbs or others?
> I remember seeing how SSO can work seamlessly in a big company - the Windows login and a client cert enabled access to pretty much everything, from web apps like HR, to different servers, even unlocking the LAN port you were connected to. This is highly practical when it works. Then again, I was in R&D (not in IT, which had to configure the whole thing). :)
> Regards, Laurențiu
I guess you mean using ACO (https://accounts.centos.org) as the central users DB? Actually CBS is using certificates issued from ACO directly, so it's already integrated (and people are granted/removed rights automatically at the cbs/koji level depending on their group membership in ACO).
For existing resources within centos.org that we deployed before ACO was available, those were configured to use their built-in users DB. So we can invest time to see what the possibilities are to be tied to ACO, but it needs at least some glue, like for example token/oauth. Actually, ACO on its own can't do that (nor is "ldap" compatible), so we need to set up something in between (like what's done for the Fedora project) to do that, like either ipsilon (https://ipsilon-project.org/) or keycloak (http://www.keycloak.org/).
But the remaining issue would then be to have *everybody* signing through ACO to get an account that will match with each deployed application (like MantisBT for bugs.centos.org and so on). So you can imagine the impact.