On 08/04/2011 12:45 PM, Mo Morsi wrote:
Two-legged means that Candlepin/Pulp don't authenticate a user, but rather authenticate Katello using a shared secret. Katello passes Candlepin/Pulp the username via an HTTP header.
IMHO, the comparable case for us is Conductor authenticating against IWHD and Image Factory.
As well as Katello -> Conductor and Conductor -> Katello.
Sorry if I'm jumping into the discussion a little late, but why are all these services authenticating against each other?
For that matter, why do we store any authentication details in the db?
Why not set up a single central LDAP server and have everything authenticate against that, e.g. conductor, katello, candlepin, pulp, etc.
This may just be my opinion, but I feel we replicate way too much data with aeolus. LDAP is meant for high-performance authentication, and is simple to set up and use.
Yes, but not all components really need authentication. As long as it is an internal component, it just needs a trusted connection to a peer. If we are talking about externally facing components like Conductor and Katello, there are always two options:
1) Use a central auth store with SSO (that would be AD or IPA, as pure LDAP does not provide SSO) and perform operations using the end user's identity when one component needs to talk to another.
2) Create a separate channel on a separate port. This connection just requires server-to-server trust. It can be OAuth, SSL, Kerberos or other similar technology.
-Mo
aeolus-devel mailing list
aeolus-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/aeolus-devel
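The "two-legged" arrangement described at the top of the thread (shared secret between services, end-user name carried in a separate header) and the server-to-server trust channel from option 2, worked through as an added example. This is illustration code, not the thread's or the Katello/Candlepin/Pulp projects' own code: it signs a request with two-legged OAuth 1.0 (HMAC-SHA1, no token) on the calling service's side and verifies it on the receiving side. The consumer key "katello", the shared secret, the user header name "cp-user" and the sample URL are all assumptions constructed for the example.

```python
"""Two-legged OAuth 1.0 between two services (added example, not project code).

Client role: the caller (Katello in the thread) signs with a shared secret
and adds the end-user name in a plain header.  Server role: the callee
(Candlepin/Pulp in the thread) checks the signature, timestamp and nonce,
and only then trusts the user header.  All names/values are constructed."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, unquote, urlsplit

# Constructed for the example: consumer key -> shared secret held by both sides.
CONSUMERS = {"katello": "constructed-shared-secret"}
USER_HEADER = "cp-user"      # assumed name of the header carrying the end user
TIMESTAMP_WINDOW = 300       # seconds of clock skew tolerated by the server


def pct(s):
    """RFC 5849 percent-encoding: everything except unreserved chars is escaped."""
    return quote(str(s), safe="")


def base_string(method, url, oauth_params):
    """Signature base string = METHOD & base-URL & normalized query+oauth params.
    Note that HTTP headers (including the user header) are NOT part of it."""
    parts = urlsplit(url)
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    pairs = list(parse_qsl(parts.query, keep_blank_values=True))
    pairs += [(k, v) for k, v in oauth_params.items()
              if k not in ("oauth_signature", "realm")]
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in pairs))
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def hmac_sha1(secret, base):
    """Two-legged: the signing key is 'consumer_secret&' with an empty token secret."""
    key = f"{pct(secret)}&"
    return base64.b64encode(hmac.new(key.encode(), base.encode(), hashlib.sha1).digest()).decode()


def sign_request(method, url, username, consumer_key, secret, nonce=None, timestamp=None):
    """Client side: build the Authorization header plus the end-user header."""
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_version": "1.0",
    }
    params["oauth_signature"] = hmac_sha1(secret, base_string(method, url, params))
    auth = "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(params.items()))
    return {"Authorization": auth, USER_HEADER: username}


def parse_auth_header(header):
    """Parse 'OAuth k="v", k2="v2"' into a dict of decoded values."""
    if not header.startswith("OAuth "):
        raise ValueError("not an OAuth header")
    out = {}
    for item in header[6:].split(","):
        k, _, v = item.strip().partition("=")
        out[unquote(k)] = unquote(v.strip('"'))
    return out


class Verifier:
    """Server side. Remembers (consumer, nonce, timestamp) triples to reject replays."""

    def __init__(self, consumers, window=TIMESTAMP_WINDOW):
        self.consumers = consumers
        self.window = window
        self.seen = set()

    def verify(self, method, url, headers, now=None):
        """Return the end-user name the authenticated peer vouched for, or None."""
        now = time.time() if now is None else now
        try:
            p = parse_auth_header(headers.get("Authorization", ""))
        except ValueError:
            return None
        secret = self.consumers.get(p.get("oauth_consumer_key"))
        if secret is None or p.get("oauth_signature_method") != "HMAC-SHA1":
            return None
        nonce = p.get("oauth_nonce")
        try:
            ts = int(p["oauth_timestamp"])
        except (KeyError, ValueError):
            return None
        if not nonce or abs(now - ts) > self.window:
            return None
        key = (p["oauth_consumer_key"], nonce, ts)
        if key in self.seen:                       # replayed request
            return None
        expected = hmac_sha1(secret, base_string(method, url, p))
        if not hmac.compare_digest(expected, p.get("oauth_signature", "")):
            return None
        self.seen.add(key)
        return headers.get(USER_HEADER)            # trusted only because the peer is
```

The design point to take from this is the last line: the user header is outside the OAuth signature base string, so its integrity rests entirely on the peer having proved possession of the shared secret (and on TLS for the transport). Any service that can obtain that one secret can impersonate every end user, which is exactly the trade-off the thread is weighing against carrying the real end-user identity through SSO.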