Background
For the last 12+ months, the Community Platform Engineering team have been developing a new service to replace the current FAS2 application for the Fedora Account System.
The FAS2 application was written over 10 years ago with Python 2 and the TurboGears1 framework. Due to its dependencies, it is tied to a RHEL6 deployment and could not be moved to a newer OS without rewriting. Finally, FAS2 has a very small deployment base and we had to maintain it all.
The new account system is based on the widely used IPA product. We have created a community portal frontend for managing account details (noggin). This means we only need to maintain the frontend and can leave the high security parts to IPA. Additionally, noggin may be used by many more community products.
Key Dates - Subject to Change*
- Tuesday 23rd March: Data sync to IPA
- Wednesday 24th & Thursday 25th March: System-Wide Outage for machine config to Noggin
- 25th March: Final Run-Through of Production Rollout
- 26th March: Production Rollout Complete
- 29th March onwards: Support for post deployment issues

We do not anticipate these dates to change, however our team will meet for a final review of work on Tuesday 23rd March and once satisfied all rollback paths are in place and risks have been mitigated, we intend to deploy to production against the dates listed above. Please keep an eye on this mail for any potential last minute updates.
What This Means for You
Everyone
- If you have an OTP token enrolled, it will be needed everywhere. This will include logging in through Ipsilon or getting a Kerberos ticket (kinit), which was not previously the case.
- Outages and interruptions to services during migration dates
System Administrators
- All system administrators will need to enroll a new OTP token with noggin
- The sudo command will ask for the first factor and second factor separately, which is a slight change from the previous password+otp prompt
Packagers & Package Maintainers
Any packager that has OTP enabled will have to follow the new process in the docs for kinit/pkinit.
‘Drive-By’ Contributors
If you are a ‘drive-by’ or more casual contributor to the Fedora project, you may have to reset your password. We anticipate the number of people who will need to do this is low, depending on when you last logged in. Please re-sign into your Fedora account post migration date.
Post Deployment Support
If you experience issues with your workflow as a result of FAS changing, please log an issue on the Fedora infra tracker: https://pagure.io/fedora-infrastructure/issues.
FAS will be left in a read-only state to support any applications that you might not be in a position to migrate immediately. However, we don’t recommend using it as the data it contains will quickly become out of date.
Maintainer-test instances will be left in a “frozen” state, which means any user changes such as new users or new SSH keys will not be reflected on these machines.
Further Information
- Outage ticket link: https://pagure.io/fedora-infrastructure/issue/9747
- Community blog post: https://communityblog.fedoraproject.org/introducing-the-new-fedora-accounts/
- Noggin Documentation: https://noggin-aaa.readthedocs.io/en/latest/userguide.html#user-accounts
announce@lists.fedoraproject.org