diff options
Diffstat (limited to 'zarb-ml/mageia-sysadm/2011-April/003402.html')
-rw-r--r-- | zarb-ml/mageia-sysadm/2011-April/003402.html | 143 |
1 files changed, 143 insertions, 0 deletions
diff --git a/zarb-ml/mageia-sysadm/2011-April/003402.html b/zarb-ml/mageia-sysadm/2011-April/003402.html new file mode 100644 index 000000000..826db532f --- /dev/null +++ b/zarb-ml/mageia-sysadm/2011-April/003402.html 
@@ -0,0 +1,143 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> +<HTML> + <HEAD> + <TITLE> [Mageia-sysadm] Users authentication on forums + </TITLE> + <LINK REL="Index" HREF="index.html" > + <LINK REL="made" HREF="mailto:mageia-sysadm%40mageia.org?Subject=Re%3A%20%5BMageia-sysadm%5D%20Users%20authentication%20on%20forums&In-Reply-To=%3CBANLkTi%3D-KGb1DRRaeYDmHaCPPYhrg6rsmg%40mail.gmail.com%3E"> + <META NAME="robots" CONTENT="index,nofollow"> + <META http-equiv="Content-Type" content="text/html; charset=us-ascii"> + <LINK REL="Previous" HREF="003400.html"> + <LINK REL="Next" HREF="003336.html"> + </HEAD> + <BODY BGCOLOR="#ffffff"> + <H1>[Mageia-sysadm] Users authentication on forums</H1> + <B>Romain d'Alverny</B> + <A HREF="mailto:mageia-sysadm%40mageia.org?Subject=Re%3A%20%5BMageia-sysadm%5D%20Users%20authentication%20on%20forums&In-Reply-To=%3CBANLkTi%3D-KGb1DRRaeYDmHaCPPYhrg6rsmg%40mail.gmail.com%3E" + TITLE="[Mageia-sysadm] Users authentication on forums">rda at mageia.org + </A><BR> + <I>Tue Apr 26 21:59:57 CEST 2011</I> + <P><UL> + <LI>Previous message: <A HREF="003400.html">[Mageia-sysadm] Users authentication on forums +</A></li> + <LI>Next message: <A HREF="003336.html">[Mageia-sysadm] packages uploaded only on x86_64 +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#3402">[ date ]</a> + <a href="thread.html#3402">[ thread ]</a> + <a href="subject.html#3402">[ subject ]</a> + <a href="author.html#3402">[ author ]</a> + </LI> + </UL> + <HR> +<!--beginarticle--> +<PRE>Hi there, + +a small update because I was not convinced - and waiting for beta2 was +a good time. :-p + +On Tue, Apr 19, 2011 at 01:10, Michael Scherer <<A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">misc at zarb.org</A>> wrote: +><i> - openid/oauth manage the authentication ( and some vcard stuff ) but +</I>><i> not the autorisation. 
For example, Transifex ( and others django +</I>><i> application ) do use ldap groups for autorisation and I think that's +</I>><i> rather a good idea to manage this using ldap. +</I> +OAuth is about authorizing a 3rd party application to get access to a +set of credentials (on user acceptance) - that could include groups. +And many other things. So that's still up to your local app to use +that for authorization. + +><i> - I think that telling to people "it is ok to give your Mageia password +</I>><i> for services that are not managed by mageia.org sysadmins" +</I> +OpenID/OAuth are precisely designed to avoid this. + +><i> I recognize the solution was smart and reusing a standard protocol is quite +</I>><i> clever, but the whole situation is more complex than just "delegating +</I>><i> authentication should solve the issue". +</I> +It's not about delegating authentication, that stays on mageia.org servers. + +I understand your point too. Anyway. Let's see it again from a +different perspective now. No offense intended to anyone, but just +stating it plain. + +Choosing this current scheme (LDAP + Perl-based Web frontend + strict +policy on authentication/authorization scheme) makes it: + - something completely centralised where, when someone could +add/extend an application to the Mageia ecosystem, it has to ask for +permission first (LDAP app-specific credentials, app hosting control), +instead of just using a piece of infrastructure that would enable +users to use it (OAuth + open APIs) and giving their permission - and +keeping control of it; I am not saying that Web developers are craving +to do that at once, but preventing this sort of thing from happening +doesn't help; + - discussions about improvements cut down for the sake of not +patching pieces of code, making the whole thing so generic, that it +will stay generic (genericity is good, but not at the price of not +progressing/making new stuff). 
+ +We can either decide to stay like this - but I'm not sure to see the +point because it doesn't scale - beyond that it's not really +interesting either. Yes, the sysadmin team is not extensible and would +welcome hands to help - showing too conservative a status will not +help either. + +Or decide that we need to open and let go a bit more and design all +our services in a more modular/flexible way, yet secure. And if +needed, ask for help on the outside, among people that would be +willing to help (not only volunteers, but companies whose interest +could align with dedicating some employees time with the project). For +instance, continuing as it is today, but accepting to set up an OAuth +provider service in a given perimeter, plugging it in LDAP with the +auth part still in mageia.org, and see how things go from there? + +Note that I'm not arguing against the team or anyone here, but for a +different take on how some services may be provided in a more flexible +way. :-) I'm sure a set of beers and a whiteboard would help a lot +here but all we have for now is this text-based thing. + +(that's not a binary switch - I discussed with some of af83 engineers +about one of their project they demonstrated at WebWorkersCamp past +week-end (<A HREF="https://github.com/AF83/auth_server">https://github.com/AF83/auth_server</A> ) - and it seems they +would be happy to help with this - that's in part why I suggest a bit +more about this) + +So the question, to sum it up is this: would the sysadmin team be ok with: + - experimenting such an authorization gateway (as oauth2 here) that +would allow other apps to use Mageia user accounts for +authentication/authorization; + - possibly setup and implemented/provided by non sysadmins + +It's not about setting a fight between systems integrity/admin and +foolish experiments/developments - it's about allowing ideas to bubble +through the project without too many obstacles in the middle. 
+ +No hurry either, better make sure everyone is on par on this. + + +Cheers, + +Romain +</PRE> + +<!--endarticle--> + <HR> + <P><UL> + <!--threads--> + <LI>Previous message: <A HREF="003400.html">[Mageia-sysadm] Users authentication on forums +</A></li> + <LI>Next message: <A HREF="003336.html">[Mageia-sysadm] packages uploaded only on x86_64 +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#3402">[ date ]</a> + <a href="thread.html#3402">[ thread ]</a> + <a href="subject.html#3402">[ subject ]</a> + <a href="author.html#3402">[ author ]</a> + </LI> + </UL> + +<hr> +<a href="https://www.mageia.org/mailman/listinfo/mageia-sysadm">More information about the Mageia-sysadm +mailing list</a><br> +</body></html> |
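Review bot: the Next-message link in this generated archive page points to 003336.html ("[Mageia-sysadm] packages uploaded only on x86_64"), a lower message number than the page's own 003402 and a different subject, while Previous points to 003400.html; confirm that `<LINK REL="Next" HREF="003336.html">` and the two matching `<LI>Next message:` entries are the intended neighbours, since the same target is repeated in the header and in both navigation lists. Separately, the attribution line `Michael Scherer <<A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">misc at zarb.org</A>> wrote:` carries bare `<` and `>` around the anchor instead of `&lt;` and `&gt;`; browsers tolerate `<<A` by emitting the first `<` as text, but the file is declared as HTML 3.2 and the escaped form is what the archiver normally writes, so check whether the escaping was lost when the page was generated.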