# AURweb SSO

https://lists.archlinux.org/pipermail/arch-devops/2020-May/000373.html
# Discuss previous meeting topic progress

[AURweb SSO migration proposal](https://wiki.archlinux.org/index.php/DeveloperWiki:DevopsMeetings/2020-05-06).
## Linking application

Create a linking application (a web application) which links all of a user's accounts; once everyone is linked we switch everything to SSO.

* Log on to the linking application.
* Offer the option to link the AUR and wiki accounts, verified against the credentials in the service databases.

On SSO migration we dump the user table of all to-be-migrated applications and disable registration. Then load this database on the linking
### Challenges

* A pitfall is creating a new account on Keycloak and then logging in on $application before linking the account.
* What if a user forgot his password? The linking application should probably offer a reset option and email verification.
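The linking flow above, as an added example that is not part of the meeting notes or of any Arch Linux code: a Python sketch of the linking application's core logic, using a constructed user dump (a `salt$sha256hex` password scheme is assumed; it is not AURweb's or MediaWiki's real hash format), constructed Keycloak `sub` values, and the guard against the pitfall listed under Challenges (an SSO login with no existing link must not create a fresh account).

```python
import hashlib
import hmac

# Constructed legacy user dumps, one table per service, standing in for the
# "dump the user table and disable registration" step. The 'salt$sha256hex'
# password scheme is assumed for this example only; it is not AURweb's or
# MediaWiki's real hash format.
def _hash_password(password, salt):
    return salt + "$" + hashlib.sha256((salt + password).encode()).hexdigest()

LEGACY_USERS = {
    "aur":  {"alice": _hash_password("aur-pass-1", "s1")},
    "wiki": {"Alice": _hash_password("wiki-pass-2", "s2")},
}

# Links made through the linking application: Keycloak 'sub' -> {service: legacy username}
LINKS = {}


def verify_legacy_credentials(service, username, password):
    """Check a password against the dumped table. Unknown users simply fail:
    registration is disabled, so nothing is created on the fly."""
    stored = LEGACY_USERS.get(service, {}).get(username)
    if stored is None:
        return False
    salt = stored.split("$", 1)[0]
    # constant-time comparison of the recomputed hash with the stored one
    return hmac.compare_digest(_hash_password(password, salt), stored)


def link_account(sub, service, username, password):
    """The user, already logged on to the linking application via SSO (sub),
    proves ownership of a legacy account with that account's old password."""
    if not verify_legacy_credentials(service, username, password):
        return False
    # a legacy account may be claimed by only one Keycloak identity
    for other_sub, mapping in LINKS.items():
        if other_sub != sub and mapping.get(service) == username:
            return False
    LINKS.setdefault(sub, {})[service] = username
    return True


def resolve_sso_login(sub, service):
    """What $application does on an SSO login: return the linked legacy
    username, or None when no link exists. None means "send the user to the
    linking application", never "create a fresh account", which is how the
    pitfall listed under Challenges is avoided."""
    return LINKS.get(sub, {}).get(service)
```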
## Wiki proposal

MediaWiki does email verification when signing up, but it allows removing the email address from your account.

An option is writing an application which authenticates the user against MediaWiki and then configures Keycloak in MediaWiki for that user.

A pitfall is creating a new account on Keycloak and then logging in on MediaWiki before linking the account.
### Research

* How does MediaWiki work with OpenID? What needs to be set in the database to allow linking?
* Does MediaWiki allow SSO and password logins at the same time?

https://www.mediawiki.org/wiki/Extension:OpenID_Connect
## Proofing in account

Modify the application to allow "proofing" that this account belongs to this Keycloak account.

https://wiki.archlinux.org/index.php/DeveloperWiki:SSOMigration
# Gitlab project creation

We already have some projects on the Arch Linux namespace and some questions were raised about this:

* Do we want to add an infrastructure namespace or other specific namespaces?

  Defer.

* Do we already onboard projects? What is the procedure and what permissions do we set?

  New documentation is created in docs/new-gitlab-project.md.

* Do we always set up Github sync?

  Depends on the project owner.
# New secure runner

A new runner has been ordered at Hetzner for things which need to be secure, such as the archiso or the arch-boxes (Vagrant images).
# Onboarding people to the Arch Linux group

Do we already onboard people? It is a manual task and error prone. Another problem is that we have onboarded users on Keycloak who are now ex-developers or inactive; do we remove these accounts? How do we onboard new staff on Keycloak?

A new Rust project has been started to do Gitlab and Keycloak related changes:

* Enforce 2FA for Arch Staff.
* Not all applications support the perfect SAML mapping, so this application handles it.
* Onboard Arch Linux Staff to the Arch Linux group on Gitlab.

This application also handles "off-boarding" when someone becomes an ex-TU/dev, possibly with an email notification to the other devops.
# Prometheus monitoring

We have discussed changing our monitoring to Prometheus in the interest of further automation and having configuration in code.

https://gitlab.archlinux.org/archlinux/infrastructure/-/issues/31
# Discuss priorities

We should discuss what our priorities are and the blocking issues for Gitlab, and ideally organize our Gitlab board to reflect this.