Re: ssh git access to src.fedoraproject.org feedback

2021-03-05 Thread Miroslav Suchý

On 03. 03. 21 at 22:53, Kevin Fenzi wrote:

* All users in the 'packager' group have accounts on pkgs01.iad2
* All these users have a 'wrapper' on their ssh key that runs the pagure
wrapper that checks who they are, etc.

Cons:
* only packagers have accounts for ssh, so non packagers just get permission
denied and it confuses them.


Non-packagers are recommended to do
  fedpkg clone -a
which will use url=https://src.fedoraproject.org


How we could change it:

1) Do nothing. We could add packager again when we move to sssd/ipa and
everything keeps working pretty much the same way it does now.


+1
I, as a user, would not appreciate any of these changes. So it is a lot of work with zero benefits for users and nearly
zero benefits for sysadmins. My $0.02.


--
Miroslav Suchy, RHCA
Red Hat, Associate Manager, Community Packaging Tools, #brno, #fedora-buildsys
___
infrastructure mailing list -- infrastructure@lists.fedoraproject.org
To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure


Re: ssh git access to src.fedoraproject.org feedback

2021-03-04 Thread Stephen John Smoogen
On Wed, 3 Mar 2021 at 17:13, Matthew Miller wrote:

> On Wed, Mar 03, 2021 at 01:53:28PM -0800, Kevin Fenzi wrote:
> > 4) We could add some kind of GSSAPI/Kerberos support to pagure, so
> > people could use https and a kerberos ticket.
>
> What's amount of effort required for this option? Because other than "it
> might be a lot of work", it seems ideal, and would resolve a lot of other
> cases where it's an extra step to have to configure an access token for
> pagure. But "it might be a lot of work" is a pretty big con.
>
> If the answer is "yeah, it's a lot", I vote for whichever other option
> makes
> this a logical next step when there is time to do such work.
>
>
>
The real question is 'can any of the choices be fully done on a very short
schedule while many of the people who could work on it are working on
meeting the first AAA deadline or F34 beta?' Basically it needs to do the
following:

0. Code needs to be written and tested in sandboxes.
1. It needs to be made to work in staging and tested by people. (1 week)
2. Does the same method need to be made to work with CentOS src staging? If
so, probably (1 week). [We are a combined auth system and git/pagure is used
in both for central work. Changes we make tend to roll out over both CentOS
and Fedora.]
3. It needs to be made ready to roll out in production (1 week)
4. The new workflow needs to be documented with posts and 'yes I know
yesterday you did this but today you are doing this' before the F34 release
5. Rolled out.
6. What is the fall back if production doesn't work?



-- 
Stephen J Smoogen.


Re: ssh git access to src.fedoraproject.org feedback

2021-03-04 Thread Pierre-Yves Chibon
On Wed, Mar 03, 2021 at 07:35:00PM -0500, Neal Gompa wrote:
> On Wed, Mar 3, 2021 at 6:12 PM Kevin Fenzi  wrote:
> >
> > On Wed, Mar 03, 2021 at 05:26:46PM -0500, Neal Gompa wrote:
> > > On Wed, Mar 3, 2021, 5:13 PM Matthew Miller wrote:
> > >
> > > > On Wed, Mar 03, 2021 at 01:53:28PM -0800, Kevin Fenzi wrote:
> > > > > 4) We could add some kind of GSSAPI/Kerberos support to pagure, so
> > > > > people could use https and a kerberos ticket.
> > > >
> > > > What's amount of effort required for this option? Because other than "it
> > > > might be a lot of work", it seems ideal, and would resolve a lot of 
> > > > other
> > > > cases where it's an extra step to have to configure an access token for
> > > > pagure. But "it might be a lot of work" is a pretty big con.
> > > >
> > > > If the answer is "yeah, it's a lot", I vote for whichever other option
> > > > makes
> > > > this a logical next step when there is time to do such work.
> > > >
> > >
> > > I don't think it would be that hard anymore. Recently, Pagure changed to
> > > proxy and handle Git via HTTPS, meaning that we can do whatever we want to
> > > authenticate pulls and pushes.
> >
> > Except this doesn't work currently for src.fedoraproject.org pagure, as
> > the OIDC tokens take over. :(
> >
> 
> Yeah, we need to fix this somehow. But it shouldn't be too hard, I
> think? We already have this setup for pagure.io...

No, pagure.io doesn't have mod_oidc allowing pushes over https using an OIDC
token.

Moving to mod_gssapi may be the way to do this; however, I'm not sure how
easy/hard it will be to get it to support full pagure user accounts.


Pierre


Re: ssh git access to src.fedoraproject.org feedback

2021-03-03 Thread Neal Gompa
On Wed, Mar 3, 2021 at 6:12 PM Kevin Fenzi  wrote:
>
> On Wed, Mar 03, 2021 at 05:26:46PM -0500, Neal Gompa wrote:
> > On Wed, Mar 3, 2021, 5:13 PM Matthew Miller wrote:
> >
> > > On Wed, Mar 03, 2021 at 01:53:28PM -0800, Kevin Fenzi wrote:
> > > > 4) We could add some kind of GSSAPI/Kerberos support to pagure, so
> > > > people could use https and a kerberos ticket.
> > >
> > > What's amount of effort required for this option? Because other than "it
> > > might be a lot of work", it seems ideal, and would resolve a lot of other
> > > cases where it's an extra step to have to configure an access token for
> > > pagure. But "it might be a lot of work" is a pretty big con.
> > >
> > > If the answer is "yeah, it's a lot", I vote for whichever other option
> > > makes
> > > this a logical next step when there is time to do such work.
> > >
> >
> > I don't think it would be that hard anymore. Recently, Pagure changed to
> > proxy and handle Git via HTTPS, meaning that we can do whatever we want to
> > authenticate pulls and pushes.
>
> Except this doesn't work currently for src.fedoraproject.org pagure, as
> the OIDC tokens take over. :(
>

Yeah, we need to fix this somehow. But it shouldn't be too hard, I
think? We already have this setup for pagure.io...

> > Ideally, we'd support it as a full login backend, so that logins this way
> > would also generate accounts automatically.
>
> As long as those were pagure accounts, sure.
> We don't want real system accounts. :)
>

Of course! These would be Pagure accounts, not Linux system accounts.


> > We do have a ticket for GSSAPI for Git+HTTPS:
> > https://pagure.io/pagure/issue/4995
>
> Yeah, perhaps mod_auth_gssapi would be a short way to this.
>
> kevin



--
真実はいつも一つ!/ Always, there's only one truth!


Re: ssh git access to src.fedoraproject.org feedback

2021-03-03 Thread Kevin Fenzi
On Wed, Mar 03, 2021 at 05:26:46PM -0500, Neal Gompa wrote:
> On Wed, Mar 3, 2021, 5:13 PM Matthew Miller wrote:
> 
> > On Wed, Mar 03, 2021 at 01:53:28PM -0800, Kevin Fenzi wrote:
> > > 4) We could add some kind of GSSAPI/Kerberos support to pagure, so
> > > people could use https and a kerberos ticket.
> >
> > What's amount of effort required for this option? Because other than "it
> > might be a lot of work", it seems ideal, and would resolve a lot of other
> > cases where it's an extra step to have to configure an access token for
> > pagure. But "it might be a lot of work" is a pretty big con.
> >
> > If the answer is "yeah, it's a lot", I vote for whichever other option
> > makes
> > this a logical next step when there is time to do such work.
> >
> 
> I don't think it would be that hard anymore. Recently, Pagure changed to
> proxy and handle Git via HTTPS, meaning that we can do whatever we want to
> authenticate pulls and pushes.

Except this doesn't work currently for src.fedoraproject.org pagure, as
the OIDC tokens take over. :( 

> Ideally, we'd support it as a full login backend, so that logins this way
> would also generate accounts automatically.

As long as those were pagure accounts, sure. 
We don't want real system accounts. :) 

> We do have a ticket for GSSAPI for Git+HTTPS:
> https://pagure.io/pagure/issue/4995

Yeah, perhaps mod_auth_gssapi would be a short way to this. 

kevin




Re: ssh git access to src.fedoraproject.org feedback

2021-03-03 Thread Neal Gompa
On Wed, Mar 3, 2021, 5:13 PM Matthew Miller wrote:

> On Wed, Mar 03, 2021 at 01:53:28PM -0800, Kevin Fenzi wrote:
> > 4) We could add some kind of GSSAPI/Kerberos support to pagure, so
> > people could use https and a kerberos ticket.
>
> What's amount of effort required for this option? Because other than "it
> might be a lot of work", it seems ideal, and would resolve a lot of other
> cases where it's an extra step to have to configure an access token for
> pagure. But "it might be a lot of work" is a pretty big con.
>
> If the answer is "yeah, it's a lot", I vote for whichever other option
> makes
> this a logical next step when there is time to do such work.
>

I don't think it would be that hard anymore. Recently, Pagure changed to
proxy and handle Git via HTTPS, meaning that we can do whatever we want to
authenticate pulls and pushes.

Ideally, we'd support it as a full login backend, so that logins this way
would also generate accounts automatically.

We do have a ticket for GSSAPI for Git+HTTPS:
https://pagure.io/pagure/issue/4995



Re: ssh git access to src.fedoraproject.org feedback

2021-03-03 Thread Matthew Miller
On Wed, Mar 03, 2021 at 01:53:28PM -0800, Kevin Fenzi wrote:
> 4) We could add some kind of GSSAPI/Kerberos support to pagure, so
> people could use https and a kerberos ticket. 

What's amount of effort required for this option? Because other than "it
might be a lot of work", it seems ideal, and would resolve a lot of other
cases where it's an extra step to have to configure an access token for
pagure. But "it might be a lot of work" is a pretty big con.

If the answer is "yeah, it's a lot", I vote for whichever other option makes
this a logical next step when there is time to do such work.



-- 
Matthew Miller

Fedora Project Leader


ssh git access to src.fedoraproject.org feedback

2021-03-03 Thread Kevin Fenzi
Greetings everyone. 

As you may know we are planning on rolling out our new account system in
a few weeks. During this changeover it might be a good time (or might
not!) to change how our ssh auth for git works with
src.fedoraproject.org (well, pkgs.fedoraproject.org really). 

How it works now:
* All users in the 'packager' group have accounts on pkgs01.iad2
* All these users have a 'wrapper' on their ssh key that runs the pagure
wrapper that checks who they are, etc. 

Cons: 
* only packagers have accounts for ssh, so non packagers just get permission
denied and it confuses them.
* operating on the idea of least privilege, having everyone in the
packager group having real accounts seems wrong/bad.

How we could change it: 

1) Do nothing. We could add packager again when we move to sssd/ipa and
everything keeps working pretty much the same way it does now. 

2) We could move from ssh://username@pkgs to ssh://git@pkgs and not have
real shell accounts for packagers. Everything would get sorted out by
the wrapper on the git account. 

Cons: 
* Everyone with an existing checkout would have to update their url
* We still have to deal with ssh port open to the world
Pros:
* Everyone could use the ssh://git@pkgs url, no need to just be a
packager

3) We could just retire the ssh part of this and ask everyone to use
https.

Cons:
* Everyone who had a ssh checkout would have to change it to https.
* Some people like ssh over https and would be mad at us.
* https pushing needs a browser to get a token, so it would be a pain
for people with no local gui session.
Pros:
* No need to have the ssh port on pkgs01.iad2 open to the internet
anymore. 
* https can be load balanced via proxies, etc

4) We could add some kind of GSSAPI/Kerberos support to pagure, so
people could use https and a kerberos ticket. 

5) Your idea here

So, thoughts? 

kevin


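As an added example (not pagure's own wrapper and not anything Fedora deploys), here is the shape of the forced-command filter that option 2's single git account would rely on: the ssh key, not a shell account, carries the identity, and the wrapper only ever runs the two git services on an allowlisted repo path. The script path, authorized_keys layout, repository root and namespace list are assumptions.

```shell
#!/bin/sh
# Added example, not the pagure wrapper Fedora runs: a forced-command filter
# for one shared 'git' account (option 2 above). Each key in authorized_keys
# carries the Fedora username, e.g. (path and format are assumptions):
#   command="/usr/local/bin/git-wrapper alice",no-port-forwarding,no-pty,no-X11-forwarding ssh-ed25519 AAAA... alice
# sshd then runs this script with $1 = alice and the client's request in
# SSH_ORIGINAL_COMMAND, so identity comes from the key, not from a Unix account.

# check_git_command USER REQUEST
# Prints "<service> <user> <repo>" and returns 0 when REQUEST is a plain
# git-upload-pack/git-receive-pack on an allowed repo path; returns 1 otherwise.
check_git_command() {
    user=$1
    req=$2
    case "$req" in
        'git-upload-pack '*|'git-receive-pack '*) ;;
        *) return 1 ;;                      # no shell, scp or other commands
    esac
    service=${req%% *}
    repo=${req#* }
    repo=${repo#\'}; repo=${repo%\'}       # git clients single-quote the path
    case "$repo" in
        *..*|/*|*[!A-Za-z0-9_.+/-]*) return 1 ;;   # traversal, absolute path, odd chars
        rpms/*.git|containers/*.git|modules/*.git|flatpaks/*.git) ;;  # assumed namespaces
        *) return 1 ;;
    esac
    printf '%s %s %s\n' "$service" "$user" "$repo"
}

# Entry point when invoked by sshd: log who asked for what (the real wrapper
# would also consult the ACL here), then exec the git service on the repo.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ] && [ -n "${1:-}" ]; then
    if ! result=$(check_git_command "$1" "$SSH_ORIGINAL_COMMAND"); then
        echo "access denied" >&2
        exit 1
    fi
    logger -t git-wrapper "$result"                   # audit trail per key/user
    set -- $result                                    # $1=service $2=user $3=repo
    exec "$1" "/srv/git/repositories/$3"              # assumed repository root
fi
```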