Re: Status update for the new AAA system

Thu, 04 Feb 2021 08:37:01 -0800 


Dne 04. 02. 21 v 15:52 Aurelien Bompard napsal(a):

Hey folks!

As you've probably heard before, we're upgrading our authentication system to 
something that is based on FreeIPA.
Here's a quick status report on that initiative.



Thx for the update!



  We're currently in an integration phase, figuring out the smaller details of 
configuration and infrastructure setup before we switch production.
- The infra team wants to do a couple things that FreeIPA does not support out 
of the box, like enforcing 2FA for specific services such as sudo, so we need 
to think about how we want to do it.
- Also, using kinit with 2FA tokens proved to be more complex than we'd like it 
to be.
- We're trying out a more continuous approach to importing accounts, because a 
full run takes 3 days and during the migration we'll want to run the import 
script without having a 3 days downtime.
- We also have to do some FreeIPA performance tuning, because we have something 
like 120k accounts and the default configuration is not appropriate for that 
amount of data, especially when we want to list all groups or worse, all users.
Isn't there a plan to reduce the number of imported accounts? As far as I remember, there is not more then 1000 active Fedora contributors ... 


Vít




To sum it up, we're currently working on integration and migration preparation. 
We need to fix these issues before we go to prod, but it's a bit difficult to 
say how long it's going to take (especially with perf tuning, fix one perf 
issue and there can be another one right behind).
One sure thing is that it's better to have these issues now rather than after 
the switch to prod.

Cheers!

Aurélien
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org

Attachment: OpenPGP_signature
Description: OpenPGP digital signature

_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org

Reply via email to