On 08/17/2011 12:58 PM, Bryan Kearney wrote:
On 08/17/2011 03:39 PM, Mike McCune wrote:
> On 08/17/2011 11:20 AM, Jan Provazník wrote:
>> On 08/12/2011 07:15 PM, Jan Provazník wrote:
>>> Hi,
>>> there are two things we need for sharing user identity in Katello and
>>> Conductor:
>>>
>>> 1) Single sign on for Katello and Conductor:
>>> Simplest solution is using 2 legged oauth as proposed in a mail before
>>> (katello already uses this for accessing pulp and candlepin). In short:
>>> auth is done on application level by sharing secret token, provider app
>>> trusts consumer app that consumer already authenticated the user which
>>> it passes to provider. This solution should be pretty easy to implement.
>>>
>>> If this is not acceptable for some reason, we could consider using some
>>> central auth service (CAS).
>>>
>>> 2) Authenticate against same external service in Katello and Conductor:
>>> Katello and Conductor should support authentication against external
>>> auth service (AD, LDAP, IPA, maybe more). It makes sense to use same
>>> auth framework in both apps so we will be able to support same
>>> authentication methods. Katello is far before conductor in
>>> authentication, it uses warden and supports various auth strategies for
>>> it (LDAP, SSO over http headers, certificates). I heard there was some
>>> talk about switching to Omniauth, but I didn't find it on mailing list.
>>>
>>> So there are two options here:
>>> 1) conductor switches to warden - this shouldn't be so difficult as we
>>> can copy from Katello :). Also Omniauth is not packaged in Fedora,
>>> Warden is.
>>> 2) both Katello and Conductor switch to Omniauth. I'm not sure if this
>>> is required or optional step, Ken: you suggested switching to Omniauth,
>>> could you please reply with your opinion about warden/omniauth (or point
>>> me to older discussion)?
>>>
>>> Jan
>>
>> Hi Katello folks,
>> what are your plans about Warden vs. Omniauth - are you going to switch
>> to Omniauth or keep Warden? Also what's your opinion on SSO for Katello
>> and Conductor - is 2legged OAuth the way you want to go?
>>
>
> I'm OK with moving to Omniauth, especially if it simplifies and
> standardizes our project's auth mechanism. The migration from Warden ->
> Omniauth didn't look too hard but we just haven't put it on our backlog
> to get done in the near term. We can re-prioritize that if necessary.

> Is there value to move to Omniauth? I am all for not changing things
> that work unless there is compelling reason. $YOURGEM suxor and $MYGEM
> rules is not compelling.

I was under the impression that there was some other benefit beyond just
a standardization but I'm forgetting what it was :)

Mike
--
Mike McCune
mmccune AT redhat.com
Red Hat Engineering | Portland, OR
Systems Management | 650.254.4248
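
Added example, not part of the thread and not Katello or Conductor code: the 2-legged OAuth trust model described in the first message, written as an OAuth 1.0 HMAC-SHA1 signature (RFC 5849) with an empty token secret. The `username` parameter, the consumer key `conductor`, the sample URL and secret, and all function names are assumptions made for illustration.

```ruby
require 'openssl'
require 'base64'
require 'securerandom'
require 'set'

# RFC 5849 percent-encoding: escape everything except unreserved characters.
def pct(str)
  str.to_s.gsub(/[^A-Za-z0-9\-._~]/) { |c| c.bytes.map { |b| format('%%%02X', b) }.join }
end

# HMAC-SHA1 over the signature base string; the token secret is empty (2-legged).
def sign(method, url, params, consumer_secret)
  pairs = params.map { |k, v| [pct(k), pct(v)] }.sort
  normalized = pairs.map { |kv| kv.join('=') }.join('&')
  base = [method.upcase, pct(url), pct(normalized)].join('&')
  key = "#{pct(consumer_secret)}&"
  Base64.strict_encode64(OpenSSL::HMAC.digest(OpenSSL::Digest.new('SHA1'), key, base))
end

# Compare two strings without stopping at the first differing byte.
def secure_eq(a, b)
  a.bytesize == b.bytesize && a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Consumer: the user is already logged in here; the name travels inside the signed set.
def consumer_request(method, url, username, key, secret, now: Time.now.to_i)
  params = { 'oauth_consumer_key' => key, 'oauth_signature_method' => 'HMAC-SHA1',
             'oauth_timestamp' => now.to_s, 'oauth_nonce' => SecureRandom.hex(8),
             'oauth_version' => '1.0', 'username' => username } # 'username' is an assumed name
  params.merge('oauth_signature' => sign(method, url, params, secret))
end

# Provider: returns the asserted username, or nil when the request must be rejected.
def provider_verify(method, url, params, secrets, seen, now: Time.now.to_i, skew: 300)
  secret = secrets[params['oauth_consumer_key']]
  return nil unless secret                                         # unknown consumer
  return nil if (now - params['oauth_timestamp'].to_i).abs > skew  # stale request
  unsigned = params.reject { |k, _| k == 'oauth_signature' }
  return nil unless secure_eq(params['oauth_signature'].to_s, sign(method, url, unsigned, secret))
  return nil unless seen.add?([params['oauth_consumer_key'], params['oauth_nonce']]) # replay
  params['username']
end

# Constructed sample values, not taken from either project.
SAMPLE_SECRETS = { 'conductor' => 'constructed-shared-secret' }.freeze
SAMPLE_URL = 'https://katello.example.com/api/organizations'
```

The provider never sees the user's credentials, so any holder of the shared secret can assert any username; the secret needs the same protection as an administrative credential.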