Identity
Goals
* support authentication against an external LDAP server
* provide an authentication mechanism across aeolus components
Conversation Topics
* LDAP Support:
  * Conductor auth against LDAP with local DB fallback
    * conductor first tries to authenticate the user against the external LDAP server. If the user is found there, a user account is created in the local DB (without credentials) if it doesn't exist yet. If the user is not found in LDAP, the local DB is searched.
  * Keep consistent with Katello
    * this means using the DB as the initial resource and falling back to LDAP (the opposite order from the above)
  * if an admin deletes an LDAP user in the admin section, the user is deleted only from the local DB; that user can log in again (as she will be authenticated against LDAP and the local account re-created). Deleting the local account therefore does not revoke access; an LDAP user's access has to be revoked in LDAP.
  * user listing in conductor: should we list only local users or all users including LDAP ones?
  * do we need a UI for LDAP config (it's probably only IP + port, maybe LDAP domain)? If so we will need a table for saving the configuration (we don't have this yet)
  * should LDAP server setup be part of the aeolus-configure script? I don't think so.
    * but we should probably have something in aeolus-configure to make conductor/etc. aware of the LDAP store
  * IWHD auth against:
    * Conductor?
      * should the warehouse know about the same set of users as conductor? No
      * the warehouse is going to support GSSAPI. So if someone authenticates to the warehouse, should the identity check be done against conductor?
    * LDAP?
      * should IWHD and imagefactory users be independent?
      * should IWHD always authenticate against conductor, or against LDAP or some other resource? If not against conductor, local DB users won't have access to IWHD
  * Should ImageFactory authenticate users? Yes
* Authentication across components
  * Use OAuth?
    * Already supported by Katello
      * Katello supports OAuth (two-legged), so it's not a problem for conductor to be a 'consumer' of the Katello service and use two-legged OAuth too (in case conductor will use Katello as a service)
    * OAuth providers:
      * Conductor
      * IWHD?
        * will IWHD support OAuth as well as GSSAPI?
    * OAuth clients:
      * aeolus-image
      * imagefactory
      * IWHD?
        * if IWHD supports only GSSAPI (and should authenticate against conductor), then conductor would have to act as a GSSAPI server. Also, the user's credentials in the image build process would have to be passed through aeolus-image -> imagefactory -> IWHD, so every hop in that chain holds them
    * any other alternative to OAuth?
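The LDAP-first / local-DB-fallback flow from the LDAP Support topic above, written out as an added example (this is not Conductor's code; Conductor is a Rails app, hence Ruby). The LdapDirectory and LocalUsers classes, the users alice and bob and their passwords are constructed stand-ins; a real implementation would bind through net-ldap and go through Conductor's user model. Besides the basic ordering it shows two things the notes touch on: deleting the local row does not lock an LDAP user out, and a login that simply "binds as the user" must reject empty passwords first, because directories treat an empty-password bind as an anonymous bind that succeeds (RFC 4513 unauthenticated bind).

```ruby
require 'openssl'

# Constant-time string comparison so a password check does not leak by timing.
def secure_eq(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Stand-in for the external LDAP server (constructed table, not a real directory).
# bind? mimics a simple bind as the user, including the RFC 4513 unauthenticated
# bind: an empty password "succeeds" as an anonymous session.
class LdapDirectory
  def initialize(entries)
    @entries = entries # uid => password (constructed)
  end

  def bind?(uid, password)
    return true if password.to_s.empty? # anonymous bind, not a login
    @entries.key?(uid) && @entries[uid] == password
  end
end

# Stand-in for Conductor's users table. Local accounts keep a salted PBKDF2 hash;
# rows created from LDAP keep no credential (crypted == nil), so they can never
# satisfy the local password check and are only usable via LDAP.
class LocalUsers
  User = Struct.new(:login, :salt, :crypted, :source)

  def initialize
    @rows = {}
  end

  def create_local(login, password)
    salt = OpenSSL::Random.random_bytes(16).unpack1('H*')
    @rows[login] = User.new(login, salt, hash_pw(password, salt), :local)
  end

  def create_from_ldap(login)
    @rows[login] ||= User.new(login, nil, nil, :ldap)
  end

  def find(login)
    @rows[login]
  end

  def delete(login)
    @rows.delete(login)
  end

  def logins
    @rows.keys.sort
  end

  def local_password_ok?(login, password)
    u = @rows[login]
    return false unless u && u.crypted
    secure_eq(u.crypted, hash_pw(password, u.salt))
  end

  private

  def hash_pw(password, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, 20_000, 32, OpenSSL::Digest.new('SHA256')).unpack1('H*')
  end
end

# The flow under discussion: LDAP first, then the local DB. Empty passwords are
# rejected before the bind so an anonymous bind is never taken for a login.
# Returns the User row on success, nil on failure.
class Authenticator
  def initialize(ldap, users)
    @ldap = ldap
    @users = users
  end

  def authenticate(login, password)
    return nil if login.to_s.empty? || password.to_s.empty?
    return @users.create_from_ldap(login) if @ldap.bind?(login, password)
    @users.local_password_ok?(login, password) ? @users.find(login) : nil
  end
end

# Walk through the cases raised in the notes with the constructed users.
def demo
  ldap  = LdapDirectory.new('alice' => 'ldap-pw')
  users = LocalUsers.new
  users.create_local('bob', 'local-pw')
  auth = Authenticator.new(ldap, users)

  out = {}
  out[:ldap_user]    = auth.authenticate('alice', 'ldap-pw')&.source # :ldap, local row created
  out[:local_user]   = auth.authenticate('bob', 'local-pw')&.source  # :local, via the fallback
  out[:wrong_pw]     = auth.authenticate('bob', 'wrong')             # nil
  out[:empty_pw]     = auth.authenticate('alice', '')                # nil despite the anonymous bind
  users.delete('alice')                                              # admin deletes the LDAP user locally
  out[:after_delete] = auth.authenticate('alice', 'ldap-pw')&.source # :ldap again, row re-created
  out[:listing]      = users.logins                                  # both users are listed again
  out
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

One consequence of this ordering worth weighing against the DB-first order Katello uses: every login attempt, including a local-only account's password, is first sent to the LDAP server as a bind.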
Task List
* Add LDAP support in conductor
  * Update the authentication model to authenticate against LDAP if available
  * Create non-existing users in the local DB
* Add OAuth provider support to
  * Conductor
  * IWHD?
* Add OAuth client support to
  * imagefactory
  * aeolus-image
  * IWHD?
* Add deps to components and Fedora
  * the gem used in conductor for LDAP auth could be part of some more sophisticated gem (devise, omniauth)
  * oauth, gssapi libs
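Two-legged OAuth (OAuth 1.0 with HMAC-SHA1 and no token) as an added example of the exchange the OAuth provider/client tasks above refer to, with conductor as the consumer and Katello as the provider. This is not Katello's or Conductor's code and uses no OAuth gem: the consumer key, secret and endpoint URL are made up, the provider keeps its nonce list in memory, and a real provider would look the consumer secret up in its database.

```ruby
require 'openssl'
require 'securerandom'

# RFC 5849 section 3.6 percent-encoding: only unreserved characters pass through.
def oauth_encode(s)
  s.to_s.b.gsub(/[^A-Za-z0-9\-._~]/) { |c| format('%%%02X', c.ord) }
end

def oauth_decode(s)
  s.to_s.gsub(/%([0-9A-Fa-f]{2})/) { Regexp.last_match(1).hex.chr }
end

# Constant-time comparison of the presented and recomputed signatures.
def secure_eq(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# RFC 5849 section 3.4.1: METHOD & encoded base URL & encoded normalized params
# (all query and oauth_* parameters except oauth_signature, sorted after encoding).
def signature_base_string(method, url, params)
  normalized = params.map { |k, v| [oauth_encode(k), oauth_encode(v)] }
                     .sort.map { |k, v| "#{k}=#{v}" }.join('&')
  [method.to_s.upcase, oauth_encode(url), oauth_encode(normalized)].join('&')
end

# HMAC-SHA1 over the base string. Two-legged means there is no token secret,
# so the key is "consumer_secret&". Result is strict base64 (pack 'm0').
def hmac_sha1_signature(base, consumer_secret, token_secret = '')
  key = "#{oauth_encode(consumer_secret)}&#{oauth_encode(token_secret)}"
  [OpenSSL::HMAC.digest('sha1', key, base)].pack('m0')
end

# Consumer side (what conductor would do as a client of Katello): build the
# oauth_* parameters, sign, and emit the Authorization header.
class OAuthConsumer
  def initialize(key, secret)
    @key = key
    @secret = secret
  end

  def authorization_header(method, url, params = {}, now = Time.now.to_i)
    oauth = {
      'oauth_consumer_key' => @key,
      'oauth_signature_method' => 'HMAC-SHA1',
      'oauth_timestamp' => now.to_s,
      'oauth_nonce' => SecureRandom.hex(16),
      'oauth_version' => '1.0'
    }
    base = signature_base_string(method, url, params.merge(oauth))
    oauth['oauth_signature'] = hmac_sha1_signature(base, @secret)
    'OAuth ' + oauth.map { |k, v| %(#{oauth_encode(k)}="#{oauth_encode(v)}") }.join(', ')
  end
end

# Provider side: look up the consumer secret, bound the timestamp, reject a reused
# nonce, and recompute the signature over the request as actually received.
class OAuthProvider
  WINDOW = 300 # seconds of clock skew tolerated

  def initialize(consumers)
    @consumers = consumers # consumer_key => consumer_secret (constructed)
    @seen = {}             # [consumer_key, timestamp, nonce] => true
  end

  def verify(method, url, params, header, now = Time.now.to_i)
    oauth = parse_header(header)
    secret = @consumers[oauth['oauth_consumer_key']]
    return [false, :unknown_consumer] unless secret
    return [false, :bad_method] unless oauth['oauth_signature_method'] == 'HMAC-SHA1'
    ts = oauth['oauth_timestamp'].to_i
    return [false, :stale_timestamp] if (now - ts).abs > WINDOW
    nonce_key = [oauth['oauth_consumer_key'], ts, oauth['oauth_nonce']]
    return [false, :replay] if @seen[nonce_key]
    presented = oauth.delete('oauth_signature').to_s
    expected = hmac_sha1_signature(signature_base_string(method, url, params.merge(oauth)), secret)
    return [false, :bad_signature] unless secure_eq(presented, expected)
    @seen[nonce_key] = true
    [true, oauth['oauth_consumer_key']]
  end

  private

  def parse_header(header)
    return {} unless header.to_s.start_with?('OAuth ')
    header[6..-1].split(',').each_with_object({}) do |pair, h|
      k, v = pair.strip.split('=', 2)
      h[oauth_decode(k)] = oauth_decode(v.to_s.delete('"'))
    end
  end
end

# Constructed exchange: conductor signs a request, Katello verifies it, then a
# replay, a tampered query and an unknown consumer are rejected.
def demo
  key, secret = 'conductor', 'c0nductor-secret'     # hypothetical credentials
  url = 'https://katello.example/api/organizations' # hypothetical endpoint
  consumer = OAuthConsumer.new(key, secret)
  provider = OAuthProvider.new(key => secret)

  hdr = consumer.authorization_header('GET', url, 'page' => '1')
  out = {}
  out[:first]    = provider.verify('GET', url, { 'page' => '1' }, hdr)
  out[:replay]   = provider.verify('GET', url, { 'page' => '1' }, hdr)
  out[:tampered] = provider.verify('GET', url, { 'page' => '2' }, consumer.authorization_header('GET', url, 'page' => '1'))
  out[:unknown]  = provider.verify('GET', url, {}, 'OAuth oauth_consumer_key="nobody"')
  out
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

The consumer secret is a bearer of the consumer's identity, so it belongs in the same place as any other service credential (not in the source tree), and the provider's nonce store has to be shared across all provider instances for the replay check to mean anything.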