Sorry if I'm jumping into the discussion a little late but why are all these services authenticating against each other?
For that matter why do we store any authentication details in the db?
Why not set up a single central LDAP server and have everything authenticate against that, e.g. conductor, katello, candlepin, pulp, etc.
This may just be my opinion but I feel we replicate way too much data w/ aeolus, LDAP is meant for high performance authentication, and is simple to setup and use.
Yes, but not all components really need authentication. As long as it is an internal component it just needs a trusted connection to a peer.
That's fine, those components would be unaffected by all of this.
If we are talking about externally facing components like Conductor and Katello there are always two options:
- Use a central auth store with SSO (that would be AD or IPA, as pure LDAP does not provide SSO) and perform operations using the end user identity when one component needs to talk to another.
If we're just talking about the web interfaces, couldn't we just use a shared cookie or similar? Then when communicating between conductor / katello on the backend, we just need to simply pass around the current logged-in user over a trusted connection, no need for auth between those components.
- Create a separate channel on a separate port. This connection just requires server-to-server trust. It can be OAuth, SSL, Kerberos or other similar technology.
I don't have much experience w/ it, but OAuth seems to be quickly becoming a standard for these matters. Perhaps supporting OAuth logins into conductor and katello would be a good solution?
-Mo