On 16/09/2014 21:24, Fabian Arrotin wrote: > Yes, the main blocker on CBS isn't (at the moment) the central > authentication. Koji supports both kerberos and x509 certificates. The > IPA/FAS discussion is related but not directly required for the CBS > effort. That's the reason why , due to the small amount of people > requiring CBS access $now, it was decided with Thomas to start small, > with our own internal CA to generate our keys/certs for koji and let > people start using the CBS platform. In parallel, the FAS/IPA/other > solution discussion can be held/debated/selected. And we'll always > have a solution to migrate CBS to the other x509 setup we'll have in > production. Speaking personally, I'm quite an IPA advocate, and have done a bunch of work customising it for $employer and tying various bits of software into it as an authn/authz source. However, I'm trying not to push it too hard (not least because I had a brief chat with Jim, and he said that there were some issues around using it that'd require potential functionality development in IPA itself, some of which may not be trivial). FAS works nicely for Fedora, and the potential for federating Fedora and CentOS FAS does sound quite appealing. Is there somewhere we can start collating requirements for the auth system? The Trello board, or a wiki page maybe? We could use that to start making a requirements vs software features matrix to help guide our descisions. ( I also missed the #centos-devel conversation, and need to go back and read the logs ) -- HJ