[CentOS-devel] auth switch status update : cbs.centos.org is back online

Tue Apr 6 06:55:21 UTC 2021
Fabian Arrotin <arrfab at centos.org>

Hi all,

As announced, we started today the centos infra switch to new
authentication source (merged with Fedora)
So https://accounts.centos.org is now live and using same auth backend
(IPA) than https://accounts.fedoraproject.org

This morning at 6:00am utc, I kicked the ansible roles to reflect new
TLS/CA for https://cbs.centos.org koji systems and took it offline for
sanity tests.

- kojihub/web were converted
- tested authentication with new TLS cert
- tested remote authentication with personal TLS cert
- tested to submit koji tasks
- verified that all builders were back on the hub and enabled
- tested a tag-build/untag-build to test the signing process
- tested the new sync script to fetch users/groups from IPA (through
https://fasjson.fedoraproject.org  , IPA API endpoint using kerberos auth)

As all was working, https://cbs.centos.org was then back online around
6:30am UTC

What do you need to do : Get your new TLS cert that will be used for
cert authentication (new TLS cert as new CA, coming from IPA backend)

The SIGGuide (https://wiki.centos.org/SIGGuide) was updated to reflect
the new way to retrieve your cert (anchor link :

PS : worth knowing that if you just had your account imported in new IPA
backend, you have *first* to reset your own password (password salt/hash
from ACO isn't compatible with the one from IPA, so just reset your
password on portal https://accounts.centos.org)

PS2: as some users were skipped during import process , it  can be that
you're in a situation where you either don't exist, or your group
membership wasn't reflected (and so you currently don't have build
rights anymore in koji/cbs). If that's the case, just ask your SIG chair
to get in touch

Now moving to other services to be converted

Fabian Arrotin
The CentOS Project | https://www.centos.org
gpg key: 17F3B7A1 | twitter: @arrfab