[CentOS-devel] Fedora/CentOS authentication merge : please read

Fri Mar 26 14:11:26 UTC 2021
Fabian Arrotin <arrfab at centos.org>

On 19/03/2021 17:15, Fabian Arrotin wrote:
> Hi All !
> 
> As announced multiple times (including but not limited to
> https://lists.centos.org/pipermail/centos-devel/2021-February/076442.html),
> Fedora and CentOS will merge authentication soon.
> 
> It was already merged for Staging environment, where SIGs contributors
> could test things and now it's time to really merge
> https://accounts.centos.org and https://admin.fedoraproject.org/accounts
> on the new system.
> 
> Let me point you first to the mail sent to Fedora so please read it
> first to have a little bit of background/history :
> https://lists.fedoraproject.org/archives/list/announce@lists.fedoraproject.org/thread/JGVRX7CSXSDJ2MV5TJNYPCGVWWI5XSNB/
> 
> As you can see, the Fedora migration will happen next week.
> Based on current timeline and agenda, we'll proceed like this for the
> CentOS migration :
> 
> * Friday April 2nd :
>   * We'll "freeze" https://accounts.centos.org in Read-only mode
>   * Fedora infra team launches the fas2ipa script to import centos
> users/groups not existing (yet) in new IPA setup (if you had a fedora
> account matching your account in accounts.centos.org, you'll not be
> imported again, but rather be added to your imported centos groups - so
> merged -)
> 
> * Monday April 5th
>  * quick sanity check for the import script result and some internal
> checks, then
>  * Real CentOS infra authentication switch : it's hard to give a
> timeline but we'll start with https://cbs.centos.org (I'll announce
> downtime in separate mail when we'll have full agenda) and then proceed
> with the other services.
> 
> How will you be impacted ?
> If you use any kind of service authenticated by either TLS cert from
> https://accounts.centos.org (that's the case for cbs.centos.org, or mqtt
> notifications), you'll *have* to retrieve a new cert (more information
> in the SIGGuide will appear in due time).
> Same for services using authentication tied to
> https://accounts.centos.org through https://id.centos.org (for
> openid/openidc, etc)
> 
> So this mail doesn't contain all the information for how to retrieve new
> TLS cert, how to reset password, etc but more to give you the date when
> we'll have smallest possible downtime while reconfiguring system to
> switch to new authentication (FWIW, all changes were automated through
> ansible for our staging environment, so we'll just reapply same process
> for the production one)
> 
> Have a nice week-end !
> 

Just a quick status update : Fedora has now migrated to IPA and so new
community portal for user accounts is now
https://accounts.fedoraproject.org.

If you had a Fedora FAS account, it was already there and you can login
to existing services.
Kudos to the Fedora Infra team for the huge work that was involved to
make it go live !

Now that it's done, next step, as announced, is to consolidate
CentOS/ACO (https://accounts.centos.org) with the Fedora ones.

As a recap, what about your fas/aco account:

# Case 1 : you had only a FAS/Fedora account :
easy, you probably never used anything at the CentOS infra side/service
that requires auth, so nothing to do :)

# Case 2 : you had both a FAS/Fedora and ACO/CentOS accounts :
## same nickname, same email address (matching) :
When the migration script is 'kicked', your existing FAS account
(now in IPA, so same password) will just inherit the CentOS group
memberships that you had before, so granting the same rights in CentOS
infra (like koji/cbs.centos.org etc)

## same nickname, *different* email address :
You now have just some days to ensure that they match; otherwise the
fas2ipa script will reject your CentOS account and no centos group will
be added to your fedora account (no way to ensure that you're the same
person basically). So if you're in that scenario, just go to
https://accounts.centos.org and modify your email address *now* ! :-)

## different nickname : special case but no way to differentiate, so the
fas2ipa script will import you as a new user (so you'll exist *twice* in
the same IPA backend)
You can still later, through group sponsors, decide to just consolidate
to one account and drop the other one; up2you (but preferred)

# Case 3 : you only had a ACO/CentOS account :
the fas2ipa script will create you as a new user in the (Free)IPA setup
and you'll be automatically added to the CentOS groups you belonged
to. The only real remark is that because you're newly created, the only
way to be able to login is first to reset your account password,
through the portal (https://accounts.fedoraproject.org *or*
https://accounts.centos.org, when it will be migrated, see below), which
sends instructions to the email address you used to register (so it's
important that it's really up2date)

In all cases, *all* SIG members are encouraged to read the nice
documentation written by Ryan and available (with screenshots of the
Fedora instance, but the same will apply for the centos variant, using
the same and only one backend anyway) :
https://docs.fedoraproject.org/en-US/fedora-accounts/
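As an added illustration of the three cases above (this is not the fas2ipa script and makes no claim about its internals), here is a small dry-run that applies the matching rules as described in this mail to constructed FAS and ACO account lists, so a SIG member can see which branch a FAS/ACO pair lands in. Assumptions: accounts are matched on nickname, emails are compared case-insensitively, and the "possible duplicate" hint is an extra check added here, not something the script does.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    nick: str
    email: str
    groups: set = field(default_factory=set)

def _norm(email):
    # Assumption: emails compared case-insensitively after trimming.
    return email.strip().lower()

def plan_merge(fas_accounts, aco_accounts):
    """Return {aco_nick: (action, centos_groups_granted, hint)}."""
    fas_by_nick = {a.nick: a for a in fas_accounts}
    fas_by_email = {_norm(a.email): a for a in fas_accounts}
    plan = {}
    for aco in aco_accounts:
        fas = fas_by_nick.get(aco.nick)
        if fas is None:
            # Case 3 (ACO only) and "different nickname" look identical to
            # the script: a new IPA user is created (password reset needed).
            hint = ""
            other = fas_by_email.get(_norm(aco.email))
            if other is not None:
                # Added heuristic (not in fas2ipa): same email under another
                # nick means you would end up existing twice in IPA.
                hint = f"possible duplicate of FAS user {other.nick}"
            plan[aco.nick] = ("create", set(aco.groups), hint)
        elif _norm(fas.email) == _norm(aco.email):
            # Case 2, matching email: FAS account inherits CentOS groups.
            plan[aco.nick] = ("merge", set(aco.groups), "")
        else:
            # Case 2, different email: rejected, no CentOS groups added.
            plan[aco.nick] = ("reject", set(),
                              "fix email on accounts.centos.org before the freeze")
    return plan

# Constructed sample data (not real accounts).
FAS = [Account("alice", "alice@example.org", {"packager"}),
       Account("bob", "bob@example.org"),
       Account("carol", "carol@example.org")]
ACO = [Account("alice", "Alice@Example.org", {"sig-cloud", "packager"}),
       Account("bob", "bob@other.example", {"sig-virt"}),
       Account("carol2", "carol@example.org", {"sig-core"}),
       Account("dave", "dave@example.org", {"sig-hyperscale"})]

if __name__ == "__main__":
    for nick, (action, groups, hint) in plan_merge(FAS, ACO).items():
        print(f"{nick:8} {action:7} groups={sorted(groups)} {hint}")
```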

*important* : new dates for migration, due to required people in fedora
and centos team and some public holidays here and there :

* Thursday April 1st (not a joke) :
  - We'll turn https://accounts.centos.org into Read-Only mode (no way
to change passwords, being added/removed to/from groups, nor change your
personal settings like email address, so do that *before*)
  - The fas2ipa script is launched and process initialized

<insert here some public holidays and weekend>

* Tuesday April 6th :
  - Sanity check for the process import and eventually last run to
verify that it's all good
  - Kicking the CentOS Infra changes to modify services authentication
to new IPA system, so expect a small downtime for the following services :
    - git.centos.org (fast switch so short downtime)
    - mqtt.git.centos.org (new TLS cert from new auth system so quick
switch too)
    - cbs.centos.org : longer downtime due to multiple systems but
expected downtime is ~1.5h (and hopefully faster)
    - other services using OpenID/OpenIDC-Oauth2 for authentication will
be done quickly after

As you probably saw, the switch to new auth/IPA setup means a new TLS CA
and so new TLS certs (for both hosts and user certs).
We'll have a new `centos-packager` pkg (instructions will be on the
wiki, already "staged") that will have the `centos-cert` tool, updated
to reflect the other needed tools (like fasjson-client) to request a new
TLS cert (in case you need one, like for https://cbs.centos.org, or other)


Worth knowing that CentOS Board approved the idea of granting
automatically a @centosproject.org email alias for every SIG member.
That will be applied automatically after the migration, through group
membership check on the new auth system ! :-)

Thanks for having read this long email .. and being that far ..
especially on a Friday !

See you next week and I'll keep on posting here status about this
authentication consolidation process

-- 
Fabian Arrotin
The CentOS Project | https://www.centos.org
gpg key: 17F3B7A1 | twitter: @arrfab