Diffstat (limited to 'zarb-ml/mageia-sysadm/2011-May/003412.html')
-rw-r--r-- | zarb-ml/mageia-sysadm/2011-May/003412.html | 177 |
1 files changed, 177 insertions, 0 deletions
diff --git a/zarb-ml/mageia-sysadm/2011-May/003412.html b/zarb-ml/mageia-sysadm/2011-May/003412.html new file mode 100644 index 000000000..9de75f321 --- /dev/null +++ b/zarb-ml/mageia-sysadm/2011-May/003412.html 
@@ -0,0 +1,177 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> +<HTML> + <HEAD> + <TITLE> [Mageia-sysadm] Users authentication on forums + </TITLE> + <LINK REL="Index" HREF="index.html" > + <LINK REL="made" HREF="mailto:mageia-sysadm%40mageia.org?Subject=Re%3A%20%5BMageia-sysadm%5D%20Users%20authentication%20on%20forums&In-Reply-To=%3C933266201.491972.1304275700739.JavaMail.root%40zimbra8-vm1.telkomsa.net%3E"> + <META NAME="robots" CONTENT="index,nofollow"> + <META http-equiv="Content-Type" content="text/html; charset=us-ascii"> + <LINK REL="Previous" HREF="003461.html"> + <LINK REL="Next" HREF="003422.html"> + </HEAD> + <BODY BGCOLOR="#ffffff"> + <H1>[Mageia-sysadm] Users authentication on forums</H1> + <B>Buchan Milne</B> + <A HREF="mailto:mageia-sysadm%40mageia.org?Subject=Re%3A%20%5BMageia-sysadm%5D%20Users%20authentication%20on%20forums&In-Reply-To=%3C933266201.491972.1304275700739.JavaMail.root%40zimbra8-vm1.telkomsa.net%3E" + TITLE="[Mageia-sysadm] Users authentication on forums">bgmilne at staff.telkomsa.net + </A><BR> + <I>Sun May 1 20:48:20 CEST 2011</I> + <P><UL> + <LI>Previous message: <A HREF="003461.html">[Mageia-sysadm] Fwd: packaging account for who comes from mandriva +</A></li> + <LI>Next message: <A HREF="003422.html">[Mageia-sysadm] Users authentication on forums +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#3412">[ date ]</a> + <a href="thread.html#3412">[ thread ]</a> + <a href="subject.html#3412">[ subject ]</a> + <a href="author.html#3412">[ author ]</a> + </LI> + </UL> + <HR> +<!--beginarticle--> +<PRE> + +----- Original Message ----- +><i> Hi there, +</I>><i> +</I>><i> a small update because I was not convinced - and waiting for beta2 was +</I>><i> a good time. 
:-p +</I>><i> +</I>><i> On Tue, Apr 19, 2011 at 01:10, Michael Scherer <<A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">misc at zarb.org</A>> wrote: +</I>><i> > - openid/oauth manage the authentication ( and some vcard stuff ) +</I>><i> > but +</I>><i> > not the autorisation. For example, Transifex ( and others django +</I>><i> > application ) do use ldap groups for autorisation and I think that's +</I>><i> > rather a good idea to manage this using ldap. +</I>><i> +</I>><i> OAuth is about authorizing a 3rd party application to get access to a +</I>><i> set of credentials (on user acceptance) - that could include groups. +</I>><i> And many other things. So that's still up to your local app to use +</I>><i> that for authorization. +</I>><i> +</I>><i> > - I think that telling to people "it is ok to give your Mageia +</I>><i> > password +</I>><i> > for services that are not managed by mageia.org sysadmins" +</I> +But, the first question is, how do people know what services are managed by mageia.org sysadmins (regardless of how they are authenticated). + +IMHO, services supported by mageia.org sysadmins should be on a mageia.org hostname, services that are not, should *not* be, or should otherwise be separately identified. So, if the forum is not going to be managed by mageia.org sysadmins, and we can't give assurances that a privacy policy is adhered to, etc. etc., then IMHO, it should not be hosted on forums.mageia.org, but maybe forums.mageia-community.org or similar. + +><i> OpenID/OAuth are precisely designed to avoid this. +</I> +Well, are designed to avoid users entering credentials into multiple sites/services. But, the confidentiality of the data that the user subsequently provides to the service is not addressed (although to some extent, data that the 2nd party - the authorizing service - provides to the 3rd is). 
+ +><i> +</I>><i> > I recognize the solution was smart and reusing a standard protocol +</I>><i> > is quite +</I>><i> > clever, but the whole situation is more complex than just +</I>><i> > "delegating +</I>><i> > authentication should solve the issue". +</I>><i> +</I>><i> It's not about delegating authentication, that stays on mageia.org +</I>><i> servers. +</I>><i> +</I>><i> I understand your point too. Anyway. Let's see it again from a +</I>><i> different perspective now. No offense intended to anyone, but just +</I>><i> stating it plain. +</I>><i> +</I>><i> Choosing this current scheme (LDAP + Perl-based Web frontend + strict +</I>><i> policy on authentication/authorization scheme) makes it: +</I>><i> - something completely centralised where, when someone could +</I>><i> add/extend an application to the Mageia ecosystem, it has to ask for +</I>><i> permission first (LDAP app-specific credentials, app hosting control), +</I>><i> instead of just using a piece of infrastructure that would enable +</I>><i> users to use it (OAuth + open APIs) and giving their permission - and +</I>><i> keeping control of it; I am not saying that Web developers are craving +</I>><i> to do that at once, but preventing this sort of thing from happening +</I>><i> doesn't help; +</I>><i> - discussions about improvements cut down for the sake of not +</I>><i> patching pieces of code, making the whole thing so generic, that it +</I>><i> will stay generic (genericity is good, but not at the price of not +</I>><i> progressing/making new stuff). +</I>><i> +</I>><i> We can either decide to stay like this - but I'm not sure to see the +</I>><i> point because it doesn't scale - beyond that it's not really +</I>><i> interesting either. Yes, the sysadmin team is not extensible and would +</I>><i> welcome hands to help - showing too conservative a status will not +</I>><i> help either. 
+</I> +><i>From the start, the intention was to be able provide an OpenID provider on mageia.org, authenticating against LDAP. so that contributors could use their mageia identity on other open-source platforms. +</I> +><i> +</I>><i> Or decide that we need to open and let go a bit more and design all +</I>><i> our services in a more modular/flexible way, yet secure. And if +</I>><i> needed, ask for help on the outside, among people that would be +</I>><i> willing to help (not only volunteers, but companies whose interest +</I>><i> could align with dedicating some employees time with the project). For +</I>><i> instance, continuing as it is today, but accepting to set up an OAuth +</I>><i> provider service in a given perimeter, plugging it in LDAP with the +</I>><i> auth part still in mageia.org, and see how things go from there? +</I>><i> +</I>><i> Note that I'm not arguing against the team or anyone here, but for a +</I>><i> different take on how some services may be provided in a more flexible +</I>><i> way. :-) I'm sure a set of beers and a whiteboard would help a lot +</I>><i> here but all we have for now is this text-based thing. +</I>><i> +</I>><i> (that's not a binary switch - I discussed with some of af83 engineers +</I>><i> about one of their project they demonstrated at WebWorkersCamp past +</I>><i> week-end (<A HREF="https://github.com/AF83/auth_server">https://github.com/AF83/auth_server</A> ) - and it seems they +</I>><i> would be happy to help with this - that's in part why I suggest a bit +</I>><i> more about this) +</I> +My plan was to use something like <A HREF="https://identity.mageia.org/openid">https://identity.mageia.org/openid</A> as an OpenID provider, using some of the existing Perl modules that provide some OpenID support (e.g. 
<A HREF="http://search.cpan.org/~lyokato/OpenID-Lite-0.01_04/lib/OpenID/Lite/Provider.pm">http://search.cpan.org/~lyokato/OpenID-Lite-0.01_04/lib/OpenID/Lite/Provider.pm</A>), but unfortunately I have 1)been a bit busy with a new baby in the house, 2)very limited bandwidth at home, 3)new responsibilities at work. + +If someone else has some more experience with OpenID and/or OAuth, and can give some pointers, that may help. + +><i> So the question, to sum it up is this: would the sysadmin team be ok +</I>><i> with: +</I>><i> - experimenting such an authorization gateway (as oauth2 here) that +</I>><i> would allow other apps to use Mageia user accounts for +</I>><i> authentication/authorization; +</I> +Sure. + +><i> - possibly setup and implemented/provided by non sysadmins +</I> +Tested/written by non sysadmins, sure, setup, no, as the software will need some more privileged access to LDAP that most user accounts. + +><i> It's not about setting a fight between systems integrity/admin and +</I>><i> foolish experiments/developments - it's about allowing ideas to bubble +</I>><i> through the project without too many obstacles in the middle. +</I> +Well, even though some pieces took a while to get into place, I think we have managed to provide an adequate experience to users, and been able to encourage a lot of contributors to have accounts which can be used for a number of services. But, until now, most services have had LDAP support, and many of them needed to run on our infrastructure. + +This by no means means that this is all we should or are willing to support, but there is a bit more work left to provide more modular authentication. 
+ +Regards, +Buchan +</PRE> + + + + + + + +<!--endarticle--> + <HR> + <P><UL> + <!--threads--> + <LI>Previous message: <A HREF="003461.html">[Mageia-sysadm] Fwd: packaging account for who comes from mandriva +</A></li> + <LI>Next message: <A HREF="003422.html">[Mageia-sysadm] Users authentication on forums +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#3412">[ date ]</a> + <a href="thread.html#3412">[ thread ]</a> + <a href="subject.html#3412">[ subject ]</a> + <a href="author.html#3412">[ author ]</a> + </LI> + </UL> + +<hr> +<a href="https://www.mageia.org/mailman/listinfo/mageia-sysadm">More information about the Mageia-sysadm +mailing list</a><br> +</body></html> |
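Review bot: every navigation target in this page is a relative link (the HEAD `<LINK REL="Previous" HREF="003461.html">` / `<LINK REL="Next" HREF="003422.html">` pair, the same two in both `<UL>` blocks, and `index.html`, `date.html#3412`, `thread.html#3412`, `subject.html#3412`, `author.html#3412`), yet the diffstat shown is limited to `zarb-ml/mageia-sysadm/2011-May/003412.html` alone, so confirm the neighbouring pages and the index files are added by the same import or this archived message ships with dangling links. The file is otherwise a verbatim Mailman archive export (HTML 3.2 doctype, `<!--beginarticle-->`/`<!--endarticle-->` markers, addresses obfuscated as `bgmilne at staff.telkomsa.net` and `misc at zarb.org`), and the `mailto:` reply link targets the list address rather than the author's, so nothing in the content itself needs changing; if the import is scripted, a quick check that each `HREF="0034xx.html"` referenced from a page exists in the tree would catch gaps before publishing.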