[CentOS-devel] Fedora/CentOS authentication merge : please read

Fri Mar 19 16:15:50 UTC 2021
Fabian Arrotin <arrfab at centos.org>

Hi All !

As announced multiple times (including but not limited to
https://lists.centos.org/pipermail/centos-devel/2021-February/076442.html),
Fedora and CentOS will merge authentication soon.

It was already merged for Staging environment, where SIGs contributors
could test things and now it's time to really merge
https://accounts.centos.org and https://admin.fedoraproject.org/accounts
on the new system.

Let me point you first to the mail sent to Fedora so please read it
first to have a little bit of background/history :
https://lists.fedoraproject.org/archives/list/announce@lists.fedoraproject.org/thread/JGVRX7CSXSDJ2MV5TJNYPCGVWWI5XSNB/

As you can see, the Fedora migration will happen next week.
Based on current timeline and agenda, we'll proceed like this for the
CentOS migration :

* Friday April 2nd :
  * We'll "freeze" https://accounts.centos.org in Read-only mode
  * Fedora infra team launches the fas2ipa script to import centos
    users/groups not existing (yet) in new IPA setup (if you had a fedora
    account matching your account in accounts.centos.org, you'll not be
    imported again, but rather be added to your imported centos groups - so
    merged -)

* Monday April 5th :
  * quick sanity check for the import script result and some internal
    checks, then
  * Real CentOS infra authentication switch : it's hard to give a
    timeline but we'll start with https://cbs.centos.org (I'll announce
    downtime in separate mail when we'll have full agenda) and then proceed
    with the other services.

How will you be impacted ?
If you use any kind of service authenticated by either TLS cert from
https://accounts.centos.org (that's the case for cbs.centos.org, or mqtt
notifications), you'll *have* to retrieve a new cert. (more information
in the SIGGuide will appear in due time.)
Same for services using authentication tied to
https://accounts.centos.org through https://id.centos.org (for
openid/openidc, etc)

So this mail doesn't contain all the information for how to retrieve new
TLS cert, how to reset password, etc but more to give you the date when
we'll have smallest possible downtime while reconfiguring system to
switch to new authentication (FWIW, all changes were automated through
ansible for our staging environment, so we'll just reapply same process
for the production one)

Have a nice week-end !

-- 
Fabian Arrotin (all excited to finally see this project arriving at
deploy time) :)
The CentOS Project | https://www.centos.org
gpg key: 17F3B7A1 | twitter: @arrfab