On 08/12/2011 07:15 PM, Jan Provazník wrote:
Hi,
there are two things we need for sharing user identity in Katello and
Conductor:
1) Single sign on for Katello and Conductor:
The simplest solution is using 2-legged OAuth as proposed in a mail before
(Katello already uses this for accessing pulp and candlepin). In short:
auth is done on the application level by sharing a secret token; the
provider app trusts the consumer app that the consumer already
authenticated the user, which it passes to the provider. This solution
should be pretty easy to implement. If this is not acceptable for some
reason, we could consider using some central auth service (CAS).
2) Authenticate against the same external service in Katello and Conductor:
Katello and Conductor should support authentication against an external
auth service (AD, LDAP, IPA, maybe more). It makes sense to use the same
auth framework in both apps so we will be able to support the same
authentication methods. Katello is far ahead of Conductor in
authentication: it uses Warden and supports various auth strategies for
it (LDAP, SSO over HTTP headers, certificates). I heard there was some
talk about switching to Omniauth, but I didn't find it on the mailing list.
So there are two options here:
1) Conductor switches to Warden - this shouldn't be so difficult as we
can copy from Katello :). Also, Omniauth is not packaged in Fedora;
Warden is.
2) both Katello and Conductor switch to Omniauth. I'm not sure if this
is a required or optional step. Ken: you suggested switching to Omniauth,
could you please reply with your opinion about Warden/Omniauth (or point
me to an older discussion)?
Jan

Hi Katello folks,
what are your plans about Warden vs. Omniauth - are you going to switch
to Omniauth or keep Warden? Also, what's your opinion on SSO for Katello
and Conductor - is 2-legged OAuth the way you want to go?
Jan
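
The 2-legged OAuth exchange described in point 1, as an added example that is not part of the original thread and is not Katello or Conductor code: the consumer signs the request with the shared secret (OAuth 1.0 HMAC-SHA1, no token) and the provider verifies the signature, timestamp and nonce before trusting the asserted login. The consumer key and secret are constructed, `on_behalf_of` is a hypothetical parameter name, and the in-memory nonce cache is an assumption.

```ruby
require 'openssl'
require 'securerandom'

CONSUMERS = { 'conductor' => 'constructed-shared-secret' }.freeze # key => secret
MAX_SKEW = 300    # seconds of clock difference the provider tolerates
SEEN_NONCES = {}  # replay cache; a real provider would expire entries

# RFC 3986 percent-encoding as required by OAuth 1.0 (RFC 5849, section 3.6)
def pct(value)
  value.to_s.b.gsub(/[^A-Za-z0-9\-._~]/) { |c| format('%%%02X', c.ord) }
end

# HMAC-SHA1 over the signature base string; two-legged, so no token secret
def sign(method, url, params, secret)
  pairs = params.map { |k, v| [pct(k), pct(v)] }.sort
  normalized = pairs.map { |k, v| "#{k}=#{v}" }.join('&')
  base = [method.upcase, pct(url), pct(normalized)].join('&')
  [OpenSSL::HMAC.digest('SHA1', "#{pct(secret)}&", base)].pack('m0')
end

# Consumer: the user has already logged in here, so only the login is asserted.
# 'on_behalf_of' is a hypothetical parameter name; it is covered by the signature.
def consumer_request(key, secret, method, url, login)
  params = { 'oauth_consumer_key' => key, 'oauth_nonce' => SecureRandom.hex(8),
             'oauth_signature_method' => 'HMAC-SHA1', 'oauth_version' => '1.0',
             'oauth_timestamp' => Time.now.to_i.to_s, 'on_behalf_of' => login }
  params.merge('oauth_signature' => sign(method, url, params, secret))
end

# Provider: returns the asserted login, or nil if the request is rejected.
def provider_authenticate(method, url, params, now = Time.now.to_i)
  params = params.dup
  given = params.delete('oauth_signature').to_s
  secret = CONSUMERS[params['oauth_consumer_key']]
  return nil unless secret
  return nil unless OpenSSL.secure_compare(given, sign(method, url, params, secret))
  return nil if (now - params['oauth_timestamp'].to_i).abs > MAX_SKEW
  nonce_id = [params['oauth_consumer_key'], params['oauth_nonce']]
  return nil if SEEN_NONCES.key?(nonce_id)
  SEEN_NONCES[nonce_id] = now
  params['on_behalf_of']
end
```

Because the provider accepts whatever login a correctly signed request names, the shared secret is equivalent to credentials for every user and needs to be stored and rotated accordingly.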