Good morning everyone,
This week-end I had a random thought, which I quickly discussed with Dennis on
IRC on Sunday but that I thought might be interesting to discuss in a wider
audience.
The initial thought came from a text that Dennis wrote:
"""
Releng tracks this data in 2 systems, 1 of which we own: Koji and Bodhi. Koji
uses ssl certs tied to FAS and bodhi uses FAS for authentication to provide a
strong relationship between a user and the content
"""
Source:
https://fedoraproject.org/wiki/ReleaseEngineering/Philosophy#Auditable
This has lead me to the question: Is this all what SSL certs are bringing us?
The following only works under the assumption that it is.
So SSL certs are basically a certain type of API token. Everyone has one,
specific to koji and the lookaside cache, time limited and gives us a way of
doing authentication and authorization server side.
So on this they behave just like any other API token, but using SSL certs has
some pros and downs:
pros:
- Easy to find out when the token expires
- In place and working
- Known to the current process maintainers
cons:
- One per client
- Hard to invalidate iiuc (ie: if someone's machine is compromised/lost it is
hard to make this user's certificate invalide)
- Relise on the SSL pile
- master certificate
- self-signed vs signed by an authority
- complex tooling
- Makes us maintain a whole infrastructure stack around this (cf the dogtag
discussion)
- Relies on the master certificate that expires every X years making everyone
generate a new client certificate
On the otherside, recently we have been more and more feeling the need for a
centralized API authentication place. Something along the line of a personalized
0Auth. This has also pros and cons.
pros
- API token per user and per application
- Could support multiple tokens per application
- Central place to manage API token (ie a central place to revoke someone's
access if a machine gets compromised/lost)
- Simpler than dealing with the SSL stack
- Can be re-used by multiple applications
cons:
- It's an idea and it needs work :)
- Impacts
- dist-git
- koji
- ?
I do realize that this would be a pretty big task to undertake but we are
currently at a stage where we are planning for the future, including for the
next generation of koji but also FAS3, dogtag, our master cert expiring in a
couple of years...
So I thought I would leave this here as food for thoughts and I'm happy to
discuss pros and cons of this idea.
Thanks,
Pierre