[CentOS-devel] Switching to centralized authentication for centos.org infra (aka FAS vs IPA)

Mon Nov 10 15:13:53 UTC 2014
Fabian Arrotin <arrfab at centos.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

So,

We've been randomly discussing this for quite some time now, and
things always get in the way... But let's try to continue the thread
around this and also move forward.

Following our CBS/Infra meeting held today (minutes available here:
http://www.centos.org/minutes/2014/november/), we started a
requirements list about what the centralized authentication system
should support.

Long story short: more and more tools need a central users DB and
puppet (our current CM tool for centos.org infra) doesn't scale for that.
The first tool that needs it is Koji (for the CBS -
http://cbs.centos.org - builders) but others are still to come. We've
temporarily found a "workaround" for Koji, in the sense that we've created
our internal CA and are signing x509 certs with that local CA, but
switching to something that scales was on the list since "Day 1".

In the short list, we have selected IPA and FAS.
The requirement list is there:
http://wiki.centos.org/InfraWiki/CentralizedAuth (still a draft, and
to be completed)

Feel free to comment here, or update the wiki (if you already have
edit rights, otherwise feel free to ping someone from the infra team).

Cheers,

- -- 

Fabian Arrotin
The CentOS Project | http://www.centos.org
gpg key: 56BEC54E | twitter: @arrfab
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iEYEARECAAYFAlRg1jEACgkQnVkHo1a+xU6JcgCfaU4CapZ6m/aRCoRzA3ZDp8xp
EaMAnRNzJ9+bGQbVQuOaSBu5QbUAIEzL
=wQ/r
-----END PGP SIGNATURE-----