[CentOS-devel] Switching to centralized authentication for CBS Infrastructure (aka FAS vs IPA)

Wed Apr 8 20:23:26 UTC 2015
Brian Stinson <brian at bstinson.com>

Hi All,

I wanted to revive this old thread so we can get moving with our Central
Auth solution. I've been playing for the past few days with both FAS and
IPA and I'd like to present my findings so far.

Here are our requirements:

- Generate and deliver x509 client certificates (this acts as a
  'passport') for all CBS services

- Self-Service account requests

- Self-Service group management (e.g. SIG admins can easily add members
  to the SIG) 

- Easily auth for CBS services (koji, git, lookaside, etc.) 


FreeIPA's advantages come from being included in the distro by default,
by having a stable upstream, and by being a robust full-fledged
ID/Security management system that includes setting up a CA in its
deployment process.

As to our requirements:

- FreeIPA's CA can be modified to generate and sign client certificates,
    - We would need to write/maintain our own storage and delivery tools
    - We would maintain our cert generation tools until client certs are
      supported upstream. (There is not a clear upgrade path for this,
      and would require us to roll our CA and redo our delivery tools)

- We would need to develop or maintain our own 3rd-party Self-Service
  account request system (pwm[1] is the frontrunner). 

- There are built-in tools that can manage groups (this would be
  separate from the account request system)

- LDAP is near universal, and FreeIPA speaks it fluently (for those
  tools that need more information than what is in a client certificate)

Since our requirements do not yet include the need for machine accounts,
we may not be able to take advantage of all of the features of a
Security Management System. In the future, we may find ourselves using
more applications from Fedora which are not widely tested against IPA. 


FAS's advantages come from being developed with some of our current
tools in mind. The established workflow: "Request Account, Generate
Cert, Request Group Membership, Auth with user cert" is well tested with
this tool in production, and we would be able to rely on (and contribute
to) testing in deployments similar to ours. 

As to our requirements:

- FAS manages the generation, signing, and delivery of the client

- Self-Service account requests are built in

- Self-Service group membership (and invitations) are built in

- Most tools already talk to FAS if they need it. Gitblit will need a
  little custom work (likely a plugin) to pull user and group membership

FAS is developed primarily for Fedora and would require some debranding
and other tweaks to make it "ours". It would also require a bit more
'sysadmin' type work on the backend. 


This email is already getting long, so I won't get much farther into the
weeds, though I'm happy to discuss them in this thread. In conclusion, I
would like to propose that we select FAS as our Central Authentication
solution. FAS seems to meet all of our SIG-facing requirements without
requiring many 3rd party (or custom) tools, and the work required to get
productive looks to be largely polish and packaging. 



Brian Stinson
brian at bstinson.com | IRC: bstinson | Bitbucket/Twitter: bstinsonmhk

[1]: https://code.google.com/p/pwm/
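The "passport" model in the requirements above (a central CA issues each account a client certificate, and every CBS service trusts only certificates chained to that CA) is easy to see end to end with plain openssl. The script below is an added example written for this page; it is not code from the CBS infrastructure, FAS or FreeIPA, and the CA name, account names and organisation string are constructed for the demo. It issues a certificate from the central CA, shows that a service-side check accepts it while rejecting a certificate from an unrelated CA, and extracts the CN that a service such as koji would map to an account.

```shell
#!/bin/sh
# Added example: minimal client-certificate 'passport' flow with openssl.
# Everything here (cbs-demo-ca, other-ca, alice, bob, the O= string) is
# constructed for the demonstration and is not CBS infrastructure.
set -eu

# make_ca DIR NAME: create a self-signed CA key and certificate in DIR.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -keyout "$1/$2.key" -out "$1/$2.crt" \
        -subj "/O=CBS Demo/CN=$2" >/dev/null 2>&1
}

# issue_client DIR CA USER: generate USER's key and CSR, sign it with CA.
# This is the 'Generate Cert' step of the account workflow.
issue_client() {
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -keyout "$1/$3.key" -out "$1/$3.csr" \
        -subj "/O=CBS Demo/CN=$3" >/dev/null 2>&1
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -sha256 -out "$1/$3.crt" >/dev/null 2>&1
}

# verify_client CA_CRT CLIENT_CRT: the check a service performs on connect.
# Returns 0 only if CLIENT_CRT chains to CA_CRT and is within validity.
verify_client() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_cn CERT: extract the CN a service would map to an account name.
# Handles both the "CN = x" and "/CN=x" subject formats openssl prints.
cert_cn() {
    openssl x509 -in "$1" -noout -subject \
        | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# run_demo DIR: issue one trusted and one untrusted cert, check both.
run_demo() {
    make_ca "$1" cbs-demo-ca
    make_ca "$1" other-ca
    issue_client "$1" cbs-demo-ca alice
    issue_client "$1" other-ca bob

    if verify_client "$1/cbs-demo-ca.crt" "$1/alice.crt"; then
        echo "accepted: $(cert_cn "$1/alice.crt") (chains to cbs-demo-ca)"
    fi
    if ! verify_client "$1/cbs-demo-ca.crt" "$1/bob.crt"; then
        echo "rejected: $(cert_cn "$1/bob.crt") (issued by a CA we do not trust)"
    fi
}

WORKDIR=$(mktemp -d)
run_demo "$WORKDIR"
rm -rf "$WORKDIR"
```

The point for the FAS-vs-IPA decision is that whichever system issues the certificates, the service side stays the same: a trust anchor file and a chain check, with the CN (or other subject attributes) feeding account lookup. Group membership is the part the certificate does not carry, which is why the thread still needs LDAP or FAS queries for "more information than what is in a client certificate".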