
Re: Salsa as authentication provider for Debian



On 07/04/2020 at 16:02, Enrico Zini wrote:
> On Tue, Apr 07, 2020 at 03:28:07PM +0200, Xavier wrote:
> 
>> With an SSO, I don't think it's a good thing to have a protected app as
>> the user database (even if it's possible). Then migration consists of
>> extracting gitlab accounts and pushing them into LDAP (2 branches, one
>> for DDs, one for guests)
> 
> Ok, please help me to see where that would be an issue.

It's not an issue. With an SSO we shall probably change this: salsa
accounts will be created on-the-fly using a federation mechanism, so
there is only one user database (LDAP with 2 branches).

> The current status of accounts, is that:
> 
>  - There is only one LDAP server, DSA-managed, on db.debian.org, which
>    has accounts that do not end in "-guest". They may be DD or ex-DD
>    accounts, or "guest accounts" created for non-DDs who need to have
>    temporary access to porterboxes
> 
>  - There are accounts ending in "-guest" (that are not "guest
>    accounts"), that are not managed by DSA, and used to be on Alioth's
>    separate LDAP when alioth existed.
>    
>  - "-guest" accounts for purposes on sso.debian.org authentication are
>    now stored on a hand-maintained text file that is exported somehow to
>    serve as an apache authentication source for sso.debian.org
> 
>  - "-guest" accounts on Salsa are stored on Salsa's user database
> 
> We currently have all sorts of overlaps and corner cases:
> 
>  - "guest accounts" in LDAP that do not end in "-guest" and are for
>    non-DDs
>  - "-guest" accounts in Salsa for DDs and ex-DDs, with the part before
>    "-guest" not matching the LDAP account name.
> 
> I wonder if we have the same "-guest" accounts in Salsa and in the
> sso.debian.org text file, that are controlled by different people?
> 
> With the Salsa proposal:
> 
>  - the text file disappears, reducing the count of user databases from 3
>    to 2
>  - LDAP remains as it is, and Salsa remains as it is
>  - DD accounts remain on LDAP
>  - We gain an explicit mapping between LDAP accounts and Salsa accounts,
>    via nm.debian.org, that we currently do not have
>  - People who gain or lose DD status can keep using their Salsa account
>    without needing to migrate from "something-guest" to "something", or
>    from "something" to "something-guest"
> 
> With the Salsa proposal the only change from here that I can see is that
> we would start to have non-DD accounts on Salsa that do not end with
> "-guest", like we already have non-DD accounts on LDAP now that do not
> end with "-guest".
> 
> I still don't see how the Salsa proposal makes adoption of a new system
> harder than what we have now: removing one user database and introducing
> a mapping between the remaining two, seem to me to make further
> adoptions actually easier.

No not harder, just different ;-)

