On 15/12/2022 00:09, Matthew Miller wrote:
> I want to sync group membership to Discourse. See one idea for this
> here:
> https://pagure.io/fedora-infrastructure/issue/10952
> However, this would be approximately one billion times easier if I didn't
> need to worry about the hard part of automating something with fasjson,
> which is keeping a kerberos ticket fresh from a keytab. (I'd love to run my
> whole thing as a function-as-a-service function.)
> I get why we require authentication, but since this info is open to anyone
> who authenticates, it's only one part of our protection. And it occurred to
> me that one needs a FAS account to create something in Communishift anyway.
> Unless I am missing something (and I might be)... that really offers
> basically the same protection. So..... would it be possible to just
> allow-list connections coming from the Communishift nodes?
Well, you know that real data (users/groups/rbac rules/etc) are stored
in IPA itself, which isn't reachable directly, reason why fasjson was
created.
But because fasjson itself doesn't store any credentials, it's just an
"application proxy" that will just do the query for you/your app, reason
why it needs a kerberos ticket.
That's why all infra services (Fedora and CentOS ones) have a service
keytab to query fasjson (and so reflect users/groups membership at
various levels).
Trying to open "anonymous" requests through fasjson.fedoraproject.org
would then mean that fasjson would need to have a built-in logic about
which info it can query and with a local kerberos keytab to itself then
reach IPA.
I'll let Aurelien comment on that one but iirc that's what they wanted
to avoid when they designed fasjson (not store anything, ensuring that
all ACL checks are done at IPA level and no logic/acl/rbac rule to
create in fasjson app itself).
--
Fabian Arrotin
gpg key: 17F3B7A1 | twitter: @arrfab
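The "hard part" Matthew describes above is keeping a service ticket fresh from a keytab before each fasjson call. The following is an added example (not code from the Fedora infrastructure project or from either poster) of the check a keytab-backed automation performs: parse the current `klist` output, and only call `kinit -kt` when the TGT is missing or about to expire. It assumes the MIT Kerberos command-line tools are installed; the principal, keytab path and the `SAMPLE_KLIST` text are constructed placeholders, and the `klist` line format is assumed to match that sample.

```python
"""Keep a Kerberos TGT fresh from a keytab before querying fasjson.

Added example, not project code. Assumptions: MIT Kerberos tools
(klist, kinit) are on PATH; PRINCIPAL and KEYTAB are placeholders;
klist prints ticket lines in the format shown in SAMPLE_KLIST.
"""
import re
import subprocess
from datetime import datetime, timedelta

# Placeholders: replace with the real service principal and keytab path.
PRINCIPAL = "svc-example/host.example.org@EXAMPLE.ORG"
KEYTAB = "/etc/keytabs/svc-example.keytab"

# Renew while this much lifetime is still left, so a request that starts
# just before expiry is not sent with a ticket that dies mid-flight.
MIN_REMAINING = timedelta(minutes=10)

# Constructed sample of klist output (modern MIT format, 4-digit years).
SAMPLE_KLIST = """Ticket cache: KCM:1000
Default principal: svc-example/host.example.org@EXAMPLE.ORG

Valid starting       Expires              Service principal
12/15/2022 00:00:00  12/16/2022 00:00:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
12/15/2022 00:00:05  12/16/2022 00:00:00  HTTP/fasjson.example.org@EXAMPLE.ORG
"""

# Match the TGT line only: two timestamps followed by a krbtgt/ principal.
_TGT_LINE = re.compile(
    r"^(?P<start>\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<expires>\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2})\s+"
    r"krbtgt/",
    re.MULTILINE,
)


def _parse_klist_time(text):
    """Accept both the 4-digit-year and the older 2-digit-year klist layout."""
    for fmt in ("%m/%d/%Y %H:%M:%S", "%m/%d/%y %H:%M:%S"):
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised klist timestamp: {text!r}")


def tgt_expiry(klist_output):
    """Return the TGT expiry as a datetime, or None if no TGT line is present."""
    match = _TGT_LINE.search(klist_output)
    return _parse_klist_time(match.group("expires")) if match else None


def needs_renewal(klist_output, now, min_remaining=MIN_REMAINING):
    """True when there is no TGT, it has expired, or it expires within min_remaining."""
    expiry = tgt_expiry(klist_output)
    return expiry is None or expiry - now < min_remaining


def current_klist_output():
    """Run klist; a non-zero exit (no credential cache at all) yields empty output."""
    proc = subprocess.run(["klist"], capture_output=True, text=True)
    return proc.stdout if proc.returncode == 0 else ""


def ensure_ticket(now=None):
    """Obtain a new TGT from the keytab only when the current one is unusable.

    Returns True if kinit was run, False if the existing ticket was kept.
    """
    now = now or datetime.now()
    if needs_renewal(current_klist_output(), now):
        # kinit -kt reads the long-term key from the keytab; no password prompt.
        subprocess.run(["kinit", "-kt", KEYTAB, PRINCIPAL], check=True)
        return True
    return False


if __name__ == "__main__":
    print("ticket renewed" if ensure_ticket() else "ticket still valid")
```

Run `ensure_ticket()` at the start of each job (or each function-as-a-service invocation) and the fasjson client can then authenticate with the cached ticket; the renewal margin keeps the keytab's long-term key out of the request path except when a new TGT is actually needed.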