On 08/17/2011 02:18 PM, Jason Guiditta wrote:
> On Wed, 2011-08-17 at 13:47 -0700, Mike McCune wrote:
>> On 08/17/2011 12:58 PM, Bryan Kearney wrote:
>>> On 08/17/2011 03:39 PM, Mike McCune wrote:
>>>> On 08/17/2011 11:20 AM, Jan Provazník wrote:
>>>>> On 08/12/2011 07:15 PM, Jan Provazník wrote:
>>>>>> Hi,
>>>>>> there are two things we need for sharing user identity in Katello and
>>>>>> Conductor:
>>>>>>
>>>>>> 1) Single sign on for Katello and Conductor:
>>>>>> Simplest solution is using 2 legged oauth as proposed in a mail before
>>>>>> (katello already uses this for accessing pulp and candlepin). In short:
>>>>>> auth is done on application level by sharing secret token, provider app
>>>>>> trusts consumer app that consumer already authenticated the user which
>>>>>> it passes to provider. This solution should be pretty easy to implement.
>>>>>>
>>>>>> If this is not acceptable for some reason, we could consider using some
>>>>>> central auth service (CAS).
>>>>>>
>>>>>> 2) Authenticate against same external service in Katello and Conductor:
>>>>>> Katello and Conductor should support authentication against external
>>>>>> auth service (AD, LDAP, IPA, maybe more). It makes sense to use same
>>>>>> auth framework in both apps so we will be able to support same
>>>>>> authentication methods. Katello is far before conductor in
>>>>>> authentication, it uses warden and supports various auth strategies for
>>>>>> it (LDAP, SSO over http headers, certificates). I heard there was some
>>>>>> talk about switching to Omniauth, but I didn't find it on mailing list.
>>>>>>
>>>>>> So there are two options here:
>>>>>> 1) conductor switches to warden - this shouldn't be so difficult as we
>>>>>> can copy from Katello :). Also Omniauth is not packaged in Fedora,
>>>>>> Warden is.
>>>>>> 2) both Katello and Conductor switch to Omniauth. I'm not sure if this
>>>>>> is required or optional step, Ken: you suggested switching to Omniauth,
>>>>>> could you please reply with your opinion about warden/omniauth (or point
>>>>>> me to older discussion)?
>>>>>>
>>>>>> Jan
>>>>>
>>>>> Hi Katello folks,
>>>>> what are your plans about Warden vs. Omniauth - are you going to switch
>>>>> to Omniauth or keep Warden? Also what's your opinion on SSO for Katello
>>>>> and Conductor - is 2legged OAuth the way you want to go?
>>>>>
>>>>
>>>> I'm OK with moving to Omniauth, especially if it simplifies and
>>>> standardizes our project's auth mechanism. The migration from Warden ->
>>>> Omniauth didn't look too hard but we just haven't put it on our backlog
>>>> to get done in the near term. We can re-prioritize that if necessary.
>>>
>>> Is there value to move to Omniauth? I am all for not changing things
>>> that work unless there is compelling reason. $YOURGEM suxor and $MYGEM
>>> rules is not compelling.
>>
>> I was under the impression that there was some other benefit beyond just
>> a standardization but I'm forgetting what it was :)
>
> Does Katello currently support ldap as an oauth strategy? If not, where
> is it on the todo list (hi/low)?
>
> Thinking if you already have ldap there is less reason to even be
> discussing a switch here.
>
> -j
>
Yes, we can authenticate to an external LDAP store but not specifically
using OAuth. We have a Warden Strategy for LDAP:
http://git.fedorahosted.org/git/?p=katello.git;a=blob;f=src/config/initia...
Warden::Strategies.add(:ldap) do
[...]
u = User.authenticate_using_ldap!(params[:auth_username],
params[:auth_password])
[...]
Mike

This seems perfectly reasonable to me. I'll look through how the
various strategies in katello are set up to me, but unless someone comes
back with a strong case _against_ warden, I am not seeing anything that
makes me think it is insufficient. Mike (or anyone familiar with the
codebase), could you point me to some of the key places to look at auth
aside from initializer? I can find it on my own, but it would save me
some time hunting around in unfamiliar code.
Quick look tells me you are using net-ldap for that part, have you had
any issues/complaints with it?
Thanks,
-j
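As an added illustration of the 2-legged OAuth exchange Jan proposes above (this is example code, not anything from Katello, Conductor, or the people in this thread), in Ruby since both apps are Rails: the consumer signs each request with the shared secret and passes the user it already authenticated, and the provider verifies the HMAC-SHA1 signature, the timestamp window and the nonce before trusting that username. The consumer key, the secret, the URL and the 'username' parameter name are assumptions made for the example.

```ruby
require 'openssl'
require 'cgi'

# Provider-side checks for the 2-legged OAuth 1.0 scheme from the thread.
# Secrets, URL and the 'username' parameter name are constructed for this
# example and are not Katello's or Conductor's configuration.
CONSUMER_SECRETS = { 'conductor' => 'constructed-shared-secret' }.freeze
MAX_CLOCK_SKEW = 300   # seconds a request timestamp may differ from ours
SEEN_NONCES = {}       # nonce => time seen; in-memory replay cache for the example

# RFC 5849 percent-encoding: only A-Z a-z 0-9 - . _ ~ stay unencoded.
def percent_encode(s)
  CGI.escape(s.to_s).gsub('+', '%20').gsub('%7E', '~')
end
def signature_base_string(method, url, params)
  pairs = params.reject { |k, _| k == 'oauth_signature' }
                .map { |k, v| [percent_encode(k), percent_encode(v)] }
  normalized = pairs.sort.map { |k, v| "#{k}=#{v}" }.join('&')
  [method.upcase, percent_encode(url), percent_encode(normalized)].join('&')
end
# 2-legged: there is no token secret, so the HMAC key is "consumer_secret&".
def hmac_sha1_signature(base_string, consumer_secret)
  key = "#{percent_encode(consumer_secret)}&"
  [OpenSSL::HMAC.digest(OpenSSL::Digest.new('SHA1'), key, base_string)].pack('m0')
end
# Consumer side: add the oauth_* parameters and sign the whole request.
def sign_request(method, url, params, key, secret, nonce:, timestamp:)
  signed = params.merge('oauth_consumer_key' => key, 'oauth_nonce' => nonce,
                        'oauth_signature_method' => 'HMAC-SHA1',
                        'oauth_timestamp' => timestamp.to_s, 'oauth_version' => '1.0')
  signed.merge('oauth_signature' => hmac_sha1_signature(signature_base_string(method, url, signed), secret))
end
# Constant-time comparison so the signature check does not leak via timing.
def secure_equal?(a, b)
  a.bytesize == b.bytesize && a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end
# Provider side: returns [true, username] or [false, reason].
def verify_request(method, url, params, now: Time.now.to_i)
  secret = CONSUMER_SECRETS[params['oauth_consumer_key']]
  return [false, 'unknown consumer'] unless secret
  return [false, 'unsupported signature method'] unless params['oauth_signature_method'] == 'HMAC-SHA1'
  return [false, 'stale timestamp'] if (now - params['oauth_timestamp'].to_i).abs > MAX_CLOCK_SKEW
  return [false, 'nonce replayed'] if SEEN_NONCES.key?(params['oauth_nonce'])
  expected = hmac_sha1_signature(signature_base_string(method, url, params), secret)
  return [false, 'bad signature'] unless secure_equal?(params['oauth_signature'].to_s, expected)
  SEEN_NONCES[params['oauth_nonce']] = now   # only a verified request consumes its nonce
  [true, params['username']]
end
```

In a real deployment the nonce cache needs to be shared across provider processes and expired once entries fall outside MAX_CLOCK_SKEW.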