Hi All,
I wanted to revive this old thread so we can get moving with our Central Auth solution. I've been playing for the past few days with both FAS and IPA and I'd like to present my findings so far.
Here are our requirements:
- Generate and deliver x509 client certificates (this acts as a 'passport') for all CBS services
- Self-Service account requests
- Self-Service group management (e.g. SIG admins can easily add members to the SIG)
- Easily auth for CBS services (koji, git, lookaside, etc.)
FreeIPA =============
FreeIPA's advantages come from being included in the distro by default, by having a stable upstream, and by being a robust full-fledged ID/Security management system that includes setting up a CA in it's deployment process.
As to our requirements:
- FreeIPA's CA can be modified to generate and sign client certificates, but: - We would need to write/maintain our own storage and delivery tools - We would maintain our cert generation tools until client certs are supported upstream. (There is not a clear upgrade path for this, and would require us to roll our CA and redo our delivery tools)
- We would need to develop or maintain our own 3rd-party Self-Service account request system (pwm[1] is the frontrunner).
- There are built-in tools that can manage groups (this would be separate from the account request system)
- LDAP is near universal, and FreeIPA speaks it fluently (for those tools that need more information than what is in a client certificate)
Since our requirements do not yet include the need for machine accounts, we may not be able to take advantage of all of the features of a Security Management System. In the future, we may find ourselves using more applications from Fedora which are not widely tested against IPA.
FAS =============
FAS's advantages come from being developed with some of our current tools in mind. The established workflow: "Request Account, Generate Cert, Request Group Membership, Auth with user cert" is well tested with this tool in production, and we would be able to rely on (and contribute to) testing in deployments similar to ours.
As to our requirements: - FAS manages the generation, signing, and delivery of the client certificate
- Self-Service account requests are built in
- Self-Service group membership (and invitations) are built in
- Most tools already talk to FAS if they need it. Gitblit will need a little custom work (likely a plugin) to pull user and group membership information
FAS is developed primarily for Fedora and would require some debranding and other tweaks to make it "ours". It would also require a bit more 'sysadmin' type work on the backend.
Conclusions ============
This email is already getting long, so I won't get too farther in the weeds, though I'm happy to discuss them in this thread. In conclusion, I would like to propose that we select FAS as our Central Authentication solution. FAS seems to meet all of our SIG-facing requirements without requiring many 3rd party (or custom) tools, and the work required to get productive looks to be largely polish and packaging.
Thoughts/Questions?
Brian
-- Brian Stinson brian@bstinson.com | IRC: bstinson | Bitbucket/Twitter: bstinsonmhk