Re: ssh git access to src.fedoraproject.org feedback

2021-03-04 Thread Stephen John Smoogen
On Wed, 3 Mar 2021 at 17:13, Matthew Miller wrote:

> On Wed, Mar 03, 2021 at 01:53:28PM -0800, Kevin Fenzi wrote:
> > 4) We could add some kind of GSSAPI/Kerberos support to pagure, so
> > people could use https and a kerberos ticket.
>
> What's amount of effort required for this option? Because other than "it
> might be a lot of work", it seems ideal, and would resolve a lot of other
> cases where it's an extra step to have to configure an access token for
> pagure. But "it might be a lot of work" is a pretty big con.
>
> If the answer is "yeah, it's a lot", I vote for whichever other option makes
> this a logical next step when there is time to do such work.

The real question is 'can any of the choices be fully done in a very short
schedule with many of the people who could work on it working on
meeting the first AAA deadline or F34 beta?' Basically it needs to do the
following:

0. Code needs to be written and tested in sandboxes.
1. It needs to be made to work in staging and tested by people. (1 week)
2. Does the same method need to be made to work with CentOS src staging? If
so, probably (1 week) [We are a combined auth system and git/pagure is used
in both for central work. Changes we make tend to roll out over both CentOS
and Fedora.]
3. It needs to be made ready to roll out in production (1 week)
4. The new workflow needs to be documented with posts and 'yes I know
yesterday you did this but today you are doing this' before an F34 release
5. Rolled out.
6. What is the fall back if production doesn't work?



-- 
Stephen J Smoogen.
___
infrastructure mailing list -- infrastructure@lists.fedoraproject.org
To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure


Re: ssh git access to src.fedoraproject.org feedback

2021-03-04 Thread Pierre-Yves Chibon
On Wed, Mar 03, 2021 at 07:35:00PM -0500, Neal Gompa wrote:
> On Wed, Mar 3, 2021 at 6:12 PM Kevin Fenzi wrote:
> >
> > On Wed, Mar 03, 2021 at 05:26:46PM -0500, Neal Gompa wrote:
> > > > On Wed, Mar 3, 2021, 5:13 PM Matthew Miller wrote:
> > >
> > > > On Wed, Mar 03, 2021 at 01:53:28PM -0800, Kevin Fenzi wrote:
> > > > > 4) We could add some kind of GSSAPI/Kerberos support to pagure, so
> > > > > people could use https and a kerberos ticket.
> > > >
> > > > What's amount of effort required for this option? Because other than "it
> > > > > might be a lot of work", it seems ideal, and would resolve a lot of other
> > > > cases where it's an extra step to have to configure an access token for
> > > > pagure. But "it might be a lot of work" is a pretty big con.
> > > >
> > > > > If the answer is "yeah, it's a lot", I vote for whichever other option makes
> > > > > this a logical next step when there is time to do such work.
> > > >
> > >
> > > I don't think it would be that hard anymore. Recently, Pagure changed to
> > > proxy and handle Git via HTTPS, meaning that we can do whatever we want to
> > > authenticate pulls and pushes.
> >
> > Except this doesn't work currently for src.fedoraproject.org pagure, as
> > the OIDC tokens take over. :(
> >
> 
> Yeah, we need to fix this somehow. But it shouldn't be too hard, I
> think? We already have this setup for pagure.io...

No, pagure.io doesn't have mod_oidc allowing to push over https using an OIDC
token.

Moving to mod_gssapi may be the way to do this, however I'm not sure how
easy/hard it will be to get it to support full pagure user account.


Pierre