Hi All !
As announced multiple times (including but not limited to https://lists.centos.org/pipermail/centos-devel/2021-February/076442.html), Fedora and CentOS will merge authentication soon.
It was already merged for the Staging environment, where SIG contributors could test things, and now it's time to really merge https://accounts.centos.org and https://admin.fedoraproject.org/accounts on the new system.
Let me point you first to the mail sent to Fedora so please read it first to have a little bit of background/history : https://lists.fedoraproject.org/archives/list/announce@lists.fedoraproject.o...
As you can see, the Fedora migration will happen next week. Based on current timeline and agenda, we'll proceed like this for the CentOS migration :
* Friday April 2nd :
  - We'll "freeze" https://accounts.centos.org in Read-only mode
  - Fedora infra team launches the fas2ipa script to import centos users/groups not existing (yet) in new IPA setup (if you had a fedora account matching your account in accounts.centos.org, you'll not be imported again, but rather be added to your imported centos groups - so merged -)
* Monday April 5th :
  - quick sanity check for the import script result and some internal checks, then
  - Real CentOS infra authentication switch : it's hard to give a timeline but we'll start with https://cbs.centos.org (I'll announce downtime in a separate mail when we have the full agenda) and then proceed with the other services.
How will you be impacted ? If you use any kind of service authenticated by a TLS cert from https://accounts.centos.org (that's the case for cbs.centos.org, or mqtt notifications), you'll *have* to retrieve a new cert (more information will appear in the SIGGuide in due time). The same applies to services using authentication tied to https://accounts.centos.org through https://id.centos.org (openid/openidc, etc.).
So this mail doesn't contain all the information on how to retrieve a new TLS cert, how to reset your password, etc. ; it is more to give you the date when we'll have the smallest possible downtime while reconfiguring systems to switch to the new authentication (FWIW, all changes were automated through ansible for our staging environment, so we'll just reapply the same process for the production one).
Have a nice week-end !
On 19/03/2021 17:15, Fabian Arrotin wrote:
<snip>
Just a quick status update : Fedora has now migrated to IPA and so the new community portal for user accounts is now https://accounts.fedoraproject.org.
If you had a Fedora FAS account, it was already there and you can login to existing services. Kudos to the Fedora Infra team for the huge work that was involved to make it go live !
Now that it's done, next step, as announced, is to consolidate CentOS/ACO (https://accounts.centos.org) with the Fedora ones.
As a recap, here is what happens to your FAS/ACO account:
# Case 1 : you had only a FAS/Fedora account : easy, you probably never used anything at the CentOS infra side/service that requires auth, so nothing to do :)
# Case 2 : you had both a FAS/Fedora and an ACO/CentOS account :
## same nickname, same email address (matching) : When the migration script is 'kicked', your existing FAS account (now in IPA, so same password) will just inherit the CentOS group memberships that you had before, granting the same rights in CentOS infra (like koji/cbs.centos.org etc)
## same nickname, *different* email address : You now have just some days to ensure that they match, otherwise the fas2ipa script will reject your CentOS account and no centos group will be added to your fedora account (no way to ensure that you're the same person basically). So if you're in that scenario, just go to https://accounts.centos.org and modify your email address *now* ! :-)
## different nickname : special case but no way to differentiate, so the fas2ipa script will import you as a new user (you'll so exist *twice* in the same IPA backend). You can still later, through group sponsors, decide to consolidate to one account and drop the other one, up2you (but preferred)
# Case 3 : you only had an ACO/CentOS account : the fas2ipa script will create you as a new user in the (Free)IPA setup and you'll be automatically added to the CentOS groups you were belonging to. The only real remark is that because you're newly created, the only way to be able to login is first to reset your account password through the portal (https://accounts.fedoraproject.org *or* https://accounts.centos.org, when it will be migrated, see below), which sends instructions to the email address you used to register (so it's important that it's really up2date)
In all cases, *all* SIG members are encouraged to read the nice documentation written by Ryan and available (with screenshot of the Fedora instance but same will apply for the centos variant, using same and only one backend anyway) : https://docs.fedoraproject.org/en-US/fedora-accounts/
*important* : new dates for migration, due to required people in fedora and centos team and some public holidays here and there :
* Thursday April 1st (not a joke) :
  - We'll turn https://accounts.centos.org into Read-Only mode (no way to change passwords, being added/removed to/from groups, nor change your personal settings like email address, so do that *before*)
  - The fas2ipa script is launched and process initialized
<insert here some public holidays and weekend>
* Tuesday April 6th :
  - Sanity check for the process import and eventually a last run to verify that it's all good
  - Kicking the CentOS Infra changes to modify services authentication to the new IPA system, so expect a small downtime for the following services :
    - git.centos.org (fast switch so short downtime)
    - mqtt.git.centos.org (new TLS cert from new auth system so quick switch too)
    - cbs.centos.org : longer downtime due to multiple systems but expected downtime is ~1.5h (and hopefully faster)
    - other services using OpenID/OpenIDC-Oauth2 for authentication will be done quickly after
As you probably saw, the switch to the new auth/IPA setup means a new TLS CA and so new TLS certs (for both host and user certs). We'll have a new `centos-packager` pkg (instructions will be on the wiki, already "staged") that will have the `centos-cert` tool, updated to reflect the other needed tools (like fasjson-client) to request a new TLS cert (in case you need one, like for https://cbs.centos.org, or other)
Worth knowing that CentOS Board approved the idea of granting automatically a @centosproject.org email alias for every SIG member. That will be applied automatically after the migration, through group membership check on the new auth system ! :-)
Thanks for having read this long email .. and being that far .. especially on a Friday !
See you next week and I'll keep on posting here status about this authentication consolidation process
On 26/03/2021 15:11, Fabian Arrotin wrote: <snip>
Important remark wrt nickname conflict between FAS and ACO, so adding new sub-case for Case 2 :
# Case 2 : you had both a FAS/Fedora and an ACO/CentOS account :
## same nickname, same email address (matching) : When the migration script is 'kicked', your existing FAS account (now in IPA, so same password) will just inherit the CentOS group memberships that you had before, granting the same rights in CentOS infra (like koji/cbs.centos.org etc)
## same nickname, *different* email address : You now have just some days to ensure that they match, otherwise the fas2ipa script will reject your CentOS account and no centos group will be added to your fedora account (no way to ensure that you're the same person basically). So if you're in that scenario, just go to https://accounts.centos.org and modify your email address *now* ! :-)
## same nickname, *different* email address because *different* user: This specific case is really the one that is difficult to solve : if a FAS user registered a nickname, and a different person had the same nickname in ACO, there is no way to import your user automatically, because of the nickname conflict. One possibility was to import the user with a prefix, but we thought that it would be better to let ACO users in such a case (normally you *should* have received a mail about this during the STG tests) choose themselves a new nickname. So the solution for non-imported users will be to "register" (you can already do that through https://accounts.fedoraproject.org) a new nickname and then ask your SIG chair to be sponsored in the groups you were previously a member of. Just to track such case[s], it's a good idea to still create a ticket on https://pagure.io/centos-infra/issues with the nickname, and we can also reflect the new nick in history (like for example on https://cbs.centos.org / koji)
## different nickname : special case but no way to differentiate, so the fas2ipa script will import you as a new user (you'll so exist *twice* in the same IPA backend). You can still later, through group sponsors, decide to consolidate to one account and drop the other one, up2you (but preferred)
<snip>
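The account-matching cases above (merge on matching nickname and email, reject on a nickname conflict, create new users for ACO-only or differently-named accounts) modelled as a small Python decision function. This is an added illustration, not the real fas2ipa script; the account data is constructed, and the case-insensitive email comparison is an assumption of this example.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Account:
    nick: str
    email: str
    groups: frozenset = field(default_factory=frozenset)

def normalise(email: str) -> str:
    # Assumption made here: e-mail addresses compare case-insensitively.
    return email.strip().lower()

def reconcile(aco: Account, fas_by_nick: dict) -> tuple:
    """Decide the fate of one ACO account, following the cases in the mail.

    'merged'   : same nick + same email -> FAS account inherits ACO groups
    'rejected' : same nick, different email (maybe a different person) ->
                 nothing is granted automatically; user must fix the email
                 or register a new nick and ask a sponsor
    'new-user' : no FAS account with that nick (ACO-only user, or the same
                 person under another nick) -> created in IPA with groups,
                 password reset needed before first login
    """
    fas = fas_by_nick.get(aco.nick)
    if fas is None:
        return "new-user", aco.groups
    if normalise(fas.email) == normalise(aco.email):
        return "merged", fas.groups | aco.groups
    return "rejected", frozenset()

def run_import(aco_accounts, fas_accounts):
    """Run reconcile() over all ACO accounts -> {nick: (outcome, groups)}."""
    fas_by_nick = {a.nick: a for a in fas_accounts}
    return {a.nick: reconcile(a, fas_by_nick) for a in aco_accounts}

# Constructed sample accounts (not real users).
FAS = [
    Account("alice", "alice@example.org", frozenset({"fedora-contrib"})),
    Account("bob", "bob@example.org"),
]
ACO = [
    Account("alice", "Alice@Example.org", frozenset({"sig-cloud"})),       # case 2, matching
    Account("bob", "other-person@example.net", frozenset({"sig-virt"})),   # case 2, conflict
    Account("carol", "carol@example.org", frozenset({"sig-hyperscale"})),  # case 3
]

if __name__ == "__main__":
    for nick, (outcome, groups) in run_import(ACO, FAS).items():
        print(f"{nick}: {outcome} groups={sorted(groups)}")
```

Running it shows why the email check matters: the conflicting "bob" gets no groups granted automatically, so a nickname collision alone can never hand someone another person's CentOS privileges.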