# Introduction and background
As it was pre-announced some time ago, the CentOS Board agreed to merge the CentOS accounts (https://accounts.centos.org) with the Fedora FAS (https://admin.fedoraproject.org/accounts/).
Both projects were running their own instance of FAS (on el6/CentOS 6, so coming to EOL, which meant it had to be migrated to a new solution/platform anyway), and there are a lot of contributors common to both projects, so it made sense to "migrate and merge" both into one and end up with a single account that can be used for both.
The AAA/Noggin team has worked over the last months on the new authentication system that will be used as the foundation.
The core block will be (Free)IPA (https://www.freeipa.org, already available in the distribution), and the community portal feature will be provided by noggin (https://github.com/fedora-infra/noggin).
If you want to know more about noggin, consider watching the presentation given at the last Fedora Nest event (https://www.youtube.com/watch?v=x1SevUmkE60).
# What does it mean for you, contributors and SIG members?
Fedora already had an IPA infra, but "hidden" behind FAS, so accounts were already created in the IPA backend. For CentOS, we were just using plain FAS, so users lived in our own backend (the FAS db).
The "merge" operation will go like this:
- Fedora will kick off the fas2ipa script (https://github.com/fedora-infra/fas2ipa), synchronizing FAS attributes back into IPA, including group memberships coming from FAS/Fedora.
- Then the same process will be run, but importing from ACO (https://accounts.centos.org) into the same IPA backend.
That's where the "fun" begins:
* If the same nick/account exists on both sides, the script considers FAS as authoritative (remember, the FAS user *already* exists there, and is only modified for group[s] membership and attributes).
* What is used to decide whether the same nick/account is the same person? The email address (validated when registering the account) will be used as the primary key. That means that you should *now* verify/update your email address in FAS and ACO so that they match.
* In case of an email address mismatch, the ACO account isn't migrated (group membership) but put in a queue to be verified.
* In case of a matching email address, the existing account is added to the imported ACO groups.
The "open" question is what to do when the same account name in fact belongs to different people (the question is being debated between Fedora and CentOS through the AAA initiative).
# What has already been done?
You can follow the status publicly through the dedicated tracker (https://github.com/orgs/fedora-infra/projects/6), but let me focus on the CentOS side (I'm sending this to centos-devel, so to CentOS contributors).
In the last months, Fedora already deployed a staging (.stg.) IPA instance, as well as a noggin community portal.
For CentOS, we deployed (to be able to test the integration) the following components in front of the Fedora IPA:
* https://accounts.stg.centos.org (using noggin, with a CentOS visual theme applied)
* https://id.stg.centos.org (ipsilon, used as the openid/openidc IdP)
We then reached out to some "key users" to validate that some applications migrated to the new authentication system were working fine.
We tested with:
* pagure (https://git.stg.centos.org)
* koji
* openshift/OCP
* some other apps using OpenID
In December 2020, there was a first run of the fas2ipa script, so (consider this a snapshot) existing accounts in both FAS and ACO were merged.
From that import, there were 123 accounts that were duplicate ones, but, as said, it can be that they are the same account but using different email addresses.
# What do you have to do?
You can try to log in through https://accounts.stg.centos.org and see if it works. Important remark: if you *didn't* have a FAS account, your account was imported/created for the first time in IPA, so that means that you'll have to use the "Forgot Password?" feature on the portal to reset your account (a mail will be sent to the email address tied to your account).
# When will the real migration happen?
We'll wait for the AAA/noggin team to give us an estimated date; they'll migrate Fedora first. Once that is done, we'll migrate ACO to the new setup (probably with the fas2ipa script run during a weekend, but to be announced).
# How will that impact my workflow for CentOS as a SIG member?
Worth knowing: all deployed services using ACO will have to be reconfigured for AAA. That currently means:
* https://git.centos.org (and also the MQTT bus for git push notifications)
* https://cbs.centos.org (and also the non-public signing service)
* other small services using OpenID/OpenIDC for authentication (https://blog.centos.org, some Jenkins instances used by the QA team, etc.)
As said, we have already staged all changes to support the new auth in our ansible roles. When we have rolled out these changes, the existing TLS certificate that you use to authenticate against cbs.centos.org *will not* work anymore (important).
That means that you'll have to retrieve a new TLS cert, signed by the IPA CA. How to do that? I'll see about porting this to a known repository, but for now there is a copr repo that you can use: https://copr.fedorainfracloud.org/coprs/arrfab/fasjson-client/
IMPORTANT: do *not* use this pkg now, or do this from another workstation/vm/account/whatever: the new 'centos-cert' util would replace your currently working TLS cert (from ACO). (Well, as fasjson for prod *isn't* deployed yet, that would not work at all, but it would once deployed.)
If you have questions, feel free to ask in this thread, or join #fedora-aaa on Freenode.
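The merge rules spelled out in the announcement above (FAS imported first and authoritative, validated e-mail as the key for a nick that exists on both sides, matching e-mail adds the ACO groups, mismatching e-mail sends the ACO account to a verification queue, unknown nick created fresh), modelled in Python on constructed sample accounts. This is an added illustration, not the fas2ipa project's code; the account names, groups and e-mail addresses are made up, and the case-insensitive e-mail comparison is an assumption (the mail only says the addresses must match). It also includes the pre-migration check a contributor would want to run: which nicks exist on both sides with a differing e-mail.

```python
"""Model of the fas2ipa merge rules from the announcement above.

Added illustration, not the fas2ipa project's code. Only the rules the
mail states are implemented:
  1. FAS is imported first and is authoritative for an existing nick.
  2. If an ACO nick also exists in FAS, the validated e-mail address is
     the key deciding whether both entries are the same person.
  3. Matching e-mail  -> the existing account gains the imported ACO groups.
  4. Mismatched e-mail -> the ACO account is not migrated; it is queued
     for verification.
  5. Nick unknown to FAS -> created in IPA from ACO (password reset needed).
Assumption (not in the mail): e-mail comparison is case-insensitive and
ignores surrounding whitespace.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Account:
    nick: str
    email: str
    groups: set[str] = field(default_factory=set)


def normalize_email(addr: str) -> str:
    """Canonical form used as the merge key (assumed normalization)."""
    return addr.strip().lower()


def merge(fas: list[Account], aco: list[Account]) -> tuple[dict[str, Account], list[Account], list[str]]:
    """Return (ipa_accounts_by_nick, verification_queue, audit_log).

    Inputs are not mutated; the returned accounts are fresh copies.
    """
    ipa: dict[str, Account] = {}
    queue: list[Account] = []
    log: list[str] = []

    # Rule 1: FAS first, so every FAS user exists before ACO is looked at.
    for acct in fas:
        ipa[acct.nick] = Account(acct.nick, acct.email, set(acct.groups))

    for acct in aco:
        existing = ipa.get(acct.nick)
        if existing is None:
            # Rule 5: new to IPA. The mail does not say what happens if this
            # e-mail already belongs to another FAS nick, so that is not modelled.
            ipa[acct.nick] = Account(acct.nick, acct.email, set(acct.groups))
            log.append(f"{acct.nick}: created from ACO, password reset required")
        elif normalize_email(existing.email) == normalize_email(acct.email):
            # Rule 3: same person; FAS attributes stay, ACO groups are added.
            existing.groups |= acct.groups
            log.append(f"{acct.nick}: e-mail matches FAS, added groups {sorted(acct.groups)}")
        else:
            # Rule 4: same nick, different e-mail -> not migrated, queued.
            queue.append(acct)
            log.append(f"{acct.nick}: e-mail differs from FAS, queued for verification")
    return ipa, queue, log


def nicks_needing_email_fix(fas: list[Account], aco: list[Account]) -> list[str]:
    """Pre-migration check: nicks present on both sides whose e-mails differ.

    Anyone in this list should align the address in FAS and ACO *before* the
    real run, otherwise their ACO groups end up in the queue instead of IPA.
    """
    fas_by_nick = {a.nick: a for a in fas}
    return sorted(
        a.nick
        for a in aco
        if a.nick in fas_by_nick
        and normalize_email(fas_by_nick[a.nick].email) != normalize_email(a.email)
    )


# Constructed sample data, not real accounts.
SAMPLE_FAS = [
    Account("alice", "alice@example.org", {"fedora-contributor"}),
    Account("bob", "bob@example.org", {"packager"}),
]
SAMPLE_ACO = [
    Account("alice", "Alice@Example.org", {"sig-cloud"}),  # same person, case differs
    Account("bob", "robert@example.net", {"sig-virt"}),    # nick clash, other e-mail
    Account("leon", "leon@example.com", {"sig-hpc"}),      # ACO-only account
]


if __name__ == "__main__":
    ipa, queue, log = merge(SAMPLE_FAS, SAMPLE_ACO)
    print("\n".join(log))
    print("fix e-mail before migration:", nicks_needing_email_fix(SAMPLE_FAS, SAMPLE_ACO))
```

Running it shows the three outcomes side by side: "alice" keeps her FAS record and gains sig-cloud, "leon" is created and will need the "Forgot Password?" flow, and "bob" is the case the mail warns about, whose sig-virt membership is parked in the queue until someone verifies the two entries are one person.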
On Wed, Jan 27, 2021 at 08:58:13AM +0100, Fabian Arrotin wrote:
> As it was pre-announced some time ago, the CentOS Board agreed to merge the CentOS accounts (https://accounts.centos.org) with the Fedora FAS (https://admin.fedoraproject.org/accounts/)
I'm super-excited to hear this. This will make it easier for Fedora and CentOS SIG contributors to collaborate in a seamless way.
> The "open" question is what to do when the same account name in fact belongs to different people (the question is being debated between Fedora and CentOS through the AAA initiative)
How many of these are there?
On 27/01/2021 16:59, Matthew Miller wrote:
> On Wed, Jan 27, 2021 at 08:58:13AM +0100, Fabian Arrotin wrote:
> > As it was pre-announced some time ago, the CentOS Board agreed to merge the CentOS accounts (https://accounts.centos.org) with the Fedora FAS (https://admin.fedoraproject.org/accounts/)
> I'm super-excited to hear this. This will make it easier for Fedora and CentOS SIG contributors to collaborate in a seamless way.
Yes! And that's the goal :-)
> > The "open" question is what to do when the same account name in fact belongs to different people (the question is being debated between Fedora and CentOS through the AAA initiative)
> How many of these are there?
As said, the first run created a list of 123 accounts in that situation, but those have to be verified. I guess the AAA team will have a better view once people have updated their email address to match on both sides. :) But during stg testing we had at least one case of a "key user" who couldn't log in nor reset his account, and then realized that his nickname was already taken by someone else on the FAS side, so it wasn't imported from ACO.
On 27.01.21 at 17:24, Fabian Arrotin wrote:
> As said, the first run created a list of 123 accounts in that situation, but those have to be verified. I guess the AAA team will have a better view once people have updated their email address to match on both sides. :) But during stg testing we had at least one case of a "key user" who couldn't log in nor reset his account, and then realized that his nickname was already taken by someone else on the FAS side, so it wasn't imported from ACO.
It seems that this applies to my account:
I do not have a FAS account. Login works on https://accounts.centos.org but not on https://accounts.stg.centos.org. "Forgot password?" on A.stg.CO does not send me a mail. So, I conclude that FAS has an account with the same "Account Name" that was imported into A.stg.CO and that does not belong to me. Anything that I can do?
-- Leon