Re: Salsa as authentication provider for Debian

To: debian-project@lists.debian.org
Subject: Re: Salsa as authentication provider for Debian
From: Russ Allbery <rra@debian.org>
Date: Fri, 10 Apr 2020 13:08:33 -0700
Message-id: <[🔎] 87eesv14u6.fsf@hope.eyrie.org>
In-reply-to: <[🔎] 20200410195729.yzvo26bqj4bibls3@snafu.emyr.net> (Luca Filipozzi's message of "Fri, 10 Apr 2020 19:57:29 +0000")
References: <[🔎] 20200406190726.i5xzzc6vpuxhmjks@snafu.emyr.net> <[🔎] 20200407072834.2wcqldditbnnv2dw@enricozini.org> <[🔎] 20200408150031.db5lld6mnfgrovp2@snafu.emyr.net> <[🔎] 20200408152837.oqycny7jqlgkvm6m@enricozini.org> <[🔎] 20200408154843.ra3xlildh2nwd7jv@snafu.emyr.net> <[🔎] tslmu7j5xc5.fsf@suchdamage.org> <[🔎] tsl7dyn5ol5.fsf@suchdamage.org> <[🔎] 20200410162800.67cqsedeqz7db2fq@snafu.emyr.net> <[🔎] 87blnz2r8k.fsf@hope.eyrie.org> <[🔎] tslpncf43jy.fsf@suchdamage.org> <[🔎] 20200410195729.yzvo26bqj4bibls3@snafu.emyr.net>

Luca Filipozzi <lfilipoz@debian.org> writes:

> I think that our services -- such as SCM, CI/CD, Wiki, RT, etc. --
> should evolve indepdently from the SSO infrastructure. One could argue
> that RT has a user database thatcould be used as authenticaion service
> if exposed correctly. Or the Wiki.

Let me try to rephase this and see if I understand.  Your concern is that
by using Salsa as the IdP, we're coupling identity in Debian too closely
to one component of our development infrastructure, and thus possibly
creating roadblocks in the future?  For example, we might want to switch
to a different SCM platform that doesn't provide an IdP, or we may want
IdP features that aren't a priority for GitLab?

That argument does make sense to me.  This path more tightly couples the
project to the Salsa deployment.

However, I personally am not *too* worried about this because OIDC makes
it possible to migrate IdPs without too many problems.  This is where a
standardized protocol helps considerably.  There would still be some
challenges in exporting and converting the Salsa identity database, but we
have all that data and could do that work.

I agree with you that this is a risk, and it might be good to do some
planning work up-front to identify the data we're storing in Salsa that we
may want to move to some other platform like Keycloak in the future, but I
think it's a risk we can mitigate.

-- 
Russ Allbery (rra@debian.org)              <https://www.eyrie.org/~eagle/>

Reply to:

References:
- Re: Salsa as authentication provider for Debian
  - From: Luca Filipozzi <lfilipoz@debian.org>
- Re: Salsa as authentication provider for Debian
  - From: Enrico Zini <enrico@enricozini.org>
- Re: Salsa as authentication provider for Debian
  - From: Luca Filipozzi <lfilipoz@debian.org>
- Re: Salsa as authentication provider for Debian
  - From: Enrico Zini <enrico@enricozini.org>
- Re: Salsa as authentication provider for Debian
  - From: Luca Filipozzi <lfilipoz@debian.org>
- Re: Salsa as authentication provider for Debian
  - From: Sam Hartman <hartmans@debian.org>
- Re: Salsa as authentication provider for Debian
  - From: Sam Hartman <hartmans@debian.org>
- Re: Salsa as authentication provider for Debian
  - From: Luca Filipozzi <lfilipoz@debian.org>
- Re: Salsa as authentication provider for Debian
  - From: Russ Allbery <rra@debian.org>
- Re: Salsa as authentication provider for Debian
  - From: Sam Hartman <hartmans@debian.org>
- Re: Salsa as authentication provider for Debian
  - From: Luca Filipozzi <lfilipoz@debian.org>

Prev by Date: too many acronyms [was: Testing Discourse for Debian]
Next by Date: Re: Salsa as authentication provider for Debian
Previous by thread: Re: Salsa as authentication provider for Debian
Next by thread: Re: Salsa as authentication provider for Debian
Index(es):
- Date
- Thread