On Wed, 2011-08-17 at 15:43 -0400, Hugh Brock wrote:
On Wed, Aug 17, 2011 at 12:39:37PM -0700, Mike McCune wrote:
> On 08/17/2011 11:20 AM, Jan Provazník wrote:
> > On 08/12/2011 07:15 PM, Jan Provazník wrote:
> >> Hi,
> >> there are two things we need for sharing user identity in Katello and
> >> Conductor:
> >>
> >> 1) Single sign on for Katello and Conductor:
> >> Simplest solution is using 2 legged oauth as proposed in a mail before
> >> (katello already uses this for accessing pulp and candlepin). In short:
> >> auth is done on application level by sharing secret token, provider app
> >> trusts consumer app that consumer already authenticated the user which
> >> it passes to provider. This solution should be pretty easy to implement.
> >>
> >> If this is not acceptable for some reason, we could consider using some
> >> central auth service (CAS).
> >>
> >> 2) Authenticate against same external service in Katello and Conductor:
> >> Katello and Conductor should support authentication against external
> >> auth service (AD, LDAP, IPA, maybe more). It makes sense to use same
> >> auth framework in both apps so we will be able to support same
> >> authentication methods. Katello is far before conductor in
> >> authentication, it uses warden and supports various auth strategies for
> >> it (LDAP, SSO over http headers, certificates). I heard there was some
> >> talk about switching to Omniauth, but I didn't find it on mailing list.
> >>
> >> So there are two options here:
> >> 1) conductor switches to warden - this shouldn't be so difficult as we
> >> can copy from Katello :). Also Omniauth is not packaged in Fedora,
> >> Warden is.
> >> 2) both Katello and Conductor switch to Omniauth. I'm not sure if this
> >> is required or optional step, Ken: you suggested switching to Omniauth,
> >> could you please reply with your opinion about warden/omniauth (or point
> >> me to older discussion)?
> >>
> >> Jan
> >
> > Hi Katello folks,
> > what are your plans about Warden vs. Omniauth - are you going to switch
> > to Omniauth or keep Warden? Also what's your opinion on SSO for Katello
> > and Conductor - is 2legged OAuth the way you want to go?
> >
>
> I'm OK with moving to Omniauth, especially if it simplifies and
> standardizes our project's auth mechanism. The migration from Warden ->
> Omniauth didn't look too hard but we just haven't put it on our backlog
> to get done in the near term. We can re-prioritize that if necessary.
>
> As far as SSO, we have had good success with OAuth between Katello ->
> Pulp/Candlepin (the subsystems underneath Katello) and would recommend
> it as well for auth between Katello <-> Conductor.
Ken, Jay Guiditta, you guys were the leading voices calling for
Omniauth over Warden -- can you give Mike some idea of the level of
difficulty to migrate and the reasons we would do that rather than
just going with what they already have (Warden)?

To clarify, I have no issues with warden (as I am just about to start
researching auth options to replace authlogic for this feature, and know
nothing about warden yet). What I think I said was that I knew of
omniauth and had heard good things about it. That said, this was a
while back, and I do not recall what about it was particularly good,
trying to look into this more today/tomorrow. One of our sprint tasks
on the infra side was to look into options and see what looked to be the
most promising. Due to other obligations, I am just starting this now,
so I have no strong opinion in any direction yet (though I would say I
prefer a rack-based solution to anything rails-specific, to allow
greater flexibility in type of ruby app that can use it).
Nutshell - if there is nothing compelling about a non-warden solution,
then I would favor keeping it so both projects don't have to change their
entire auth system.
-j

Thanks,
--Hugh
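The 2-legged OAuth arrangement Jan describes above (a secret shared between the two applications; the provider trusts the consumer's assertion of which user it already authenticated), worked through as an added Ruby example. This is not code from Katello, Conductor, Pulp or Candlepin, and nothing in the thread says how those projects lay out their requests; the consumer key and secret, the URL, the `user` parameter name and the 300-second timestamp window are assumptions made for the example. It shows both sides: the consumer signs the request with HMAC-SHA1 per RFC 5849, and the provider accepts the asserted login only after checking the signature, the consumer key, the timestamp and the nonce.

```ruby
require 'openssl'
require 'base64'
require 'securerandom'
require 'uri'

# Consumer credentials provisioned to both apps (constructed example values,
# not Katello's or Conductor's real configuration).
CONSUMERS = { 'conductor' => 'example-shared-secret' }.freeze
TIMESTAMP_WINDOW = 300 # seconds of clock skew the provider tolerates (assumed)

# OAuth 1.0 percent-encoding (RFC 5849 section 3.6): only unreserved
# characters stay literal, space becomes %20 and '~' stays as is.
def oauth_escape(value)
  URI.encode_www_form_component(value.to_s).gsub('+', '%20').gsub('%7E', '~')
end

# Signature base string: METHOD & base URL & sorted, encoded parameters.
def signature_base_string(method, url, params)
  normalized = params.map { |k, v| [oauth_escape(k), oauth_escape(v)] }
                     .sort.map { |k, v| "#{k}=#{v}" }.join('&')
  [method.upcase, oauth_escape(url), oauth_escape(normalized)].join('&')
end

# HMAC-SHA1 over the base string. Two-legged means there is no access token,
# so the signing key ends with an empty token secret.
def oauth_signature(method, url, params, consumer_secret)
  key = "#{oauth_escape(consumer_secret)}&"
  mac = OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha1'), key,
                             signature_base_string(method, url, params))
  Base64.strict_encode64(mac)
end

# Constant-time comparison so signature mismatches do not leak via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Consumer side (the app that already authenticated the user): build a signed
# request. The asserted login travels as an ordinary request parameter named
# 'user' (an assumed name) so that the signature covers it.
def build_signed_request(method, url, user_login, consumer_key, consumer_secret,
                         now: Time.now.to_i, nonce: SecureRandom.hex(16))
  oauth = { 'oauth_consumer_key' => consumer_key, 'oauth_nonce' => nonce,
            'oauth_signature_method' => 'HMAC-SHA1', 'oauth_timestamp' => now.to_s,
            'oauth_version' => '1.0' }
  params = { 'user' => user_login }
  oauth['oauth_signature'] = oauth_signature(method, url, oauth.merge(params), consumer_secret)
  header = 'OAuth ' + oauth.map { |k, v| %(#{k}="#{oauth_escape(v)}") }.join(', ')
  { method: method, url: url, headers: { 'Authorization' => header }, params: params }
end

# Parse an 'OAuth k="v", k="v"' Authorization header back into a hash.
def parse_oauth_header(header)
  return nil unless header && header.start_with?('OAuth ')
  header.sub('OAuth ', '').split(',').each_with_object({}) do |pair, h|
    k, v = pair.strip.split('=', 2)
    next unless v
    h[k] = URI.decode_www_form_component(v.delete('"'))
  end
end

# Provider side: return the asserted login only after the signature proves the
# request came from a holder of a known consumer secret, is fresh, and is not
# a replay. Anything else returns nil and must be treated as unauthenticated.
def verify_signed_request(request, consumers, seen_nonces, now: Time.now.to_i)
  oauth = parse_oauth_header(request[:headers]['Authorization'])
  return nil unless oauth && oauth['oauth_signature_method'] == 'HMAC-SHA1'
  secret = consumers[oauth['oauth_consumer_key']]
  return nil unless secret
  return nil unless (now - oauth['oauth_timestamp'].to_i).abs <= TIMESTAMP_WINDOW
  nonce_key = [oauth['oauth_consumer_key'], oauth['oauth_nonce']]
  return nil if seen_nonces.include?(nonce_key)
  presented = oauth.delete('oauth_signature') || ''
  expected = oauth_signature(request[:method], request[:url],
                             oauth.merge(request[:params]), secret)
  return nil unless secure_equal?(presented, expected)
  seen_nonces << nonce_key
  request[:params]['user']
end

if __FILE__ == $PROGRAM_NAME
  req = build_signed_request('GET', 'https://katello.example/api/users', 'alice',
                             'conductor', CONSUMERS['conductor'])
  seen = []
  puts "first use: #{verify_signed_request(req, CONSUMERS, seen).inspect}" # "alice"
  puts "replay:    #{verify_signed_request(req, CONSUMERS, seen).inspect}" # nil
end
```

Two points the thread's "provider trusts consumer" wording leaves implicit: the OAuth signature only covers the method, base URL and parameters, not arbitrary headers, which is why the example carries the user login as a signed parameter rather than a plain header; and the nonce store has to be shared across all provider instances, otherwise a signed request replayed against a different instance is accepted. The shared secret itself is the whole trust anchor, so whoever holds it can assert any user; it belongs in per-consumer configuration delivered over TLS, not in source control.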