<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
 <HEAD>
   <TITLE> [Mageia-sysadm] Users authentication on forums
   </TITLE>
   <LINK REL="Index" HREF="index.html" >
   <LINK REL="made" HREF="mailto:mageia-sysadm%40mageia.org?Subject=Re%3A%20%5BMageia-sysadm%5D%20Users%20authentication%20on%20forums&In-Reply-To=%3CBANLkTi%3D-KGb1DRRaeYDmHaCPPYhrg6rsmg%40mail.gmail.com%3E">
   <META NAME="robots" CONTENT="index,nofollow">
   <META http-equiv="Content-Type" content="text/html; charset=us-ascii">
   <LINK REL="Previous"  HREF="003400.html">
   <LINK REL="Next"  HREF="003336.html">
 </HEAD>
 <BODY BGCOLOR="#ffffff">
   <H1>[Mageia-sysadm] Users authentication on forums</H1>
    <B>Romain d'Alverny</B> 
    <A HREF="mailto:mageia-sysadm%40mageia.org?Subject=Re%3A%20%5BMageia-sysadm%5D%20Users%20authentication%20on%20forums&In-Reply-To=%3CBANLkTi%3D-KGb1DRRaeYDmHaCPPYhrg6rsmg%40mail.gmail.com%3E"
       TITLE="[Mageia-sysadm] Users authentication on forums">rda at mageia.org
       </A><BR>
    <I>Tue Apr 26 21:59:57 CEST 2011</I>
    <P><UL>
        <LI>Previous message: <A HREF="003400.html">[Mageia-sysadm] Users authentication on forums
</A></li>
        <LI>Next message: <A HREF="003336.html">[Mageia-sysadm] packages uploaded only on x86_64
</A></li>
         <LI> <B>Messages sorted by:</B> 
              <a href="date.html#3402">[ date ]</a>
              <a href="thread.html#3402">[ thread ]</a>
              <a href="subject.html#3402">[ subject ]</a>
              <a href="author.html#3402">[ author ]</a>
         </LI>
       </UL>
    <HR>  
<!--beginarticle-->
<PRE>Hi there,

a small update because I was not convinced - and waiting for beta2 was
a good time. :-p

On Tue, Apr 19, 2011 at 01:10, Michael Scherer &lt;<A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">misc at zarb.org</A>&gt; wrote:
&gt;<i> - openid/oauth manage the authentication ( and some vcard stuff ) but
</I>&gt;<i> not the authorisation. For example, Transifex ( and other django
</I>&gt;<i> applications ) do use ldap groups for authorisation and I think that's
</I>&gt;<i> rather a good idea to manage this using ldap.
</I>
OAuth is about authorizing a 3rd party application to get access to a
set of credentials (on user acceptance) - that could include groups.
And many other things. So that's still up to your local app to use
that for authorization.

&gt;<i> - I think that telling to people &quot;it is ok to give your Mageia password
</I>&gt;<i> for services that are not managed by mageia.org sysadmins&quot;
</I>
OpenID/OAuth are precisely designed to avoid this.

&gt;<i> I recognize the solution was smart and reusing a standard protocol is quite
</I>&gt;<i> clever, but the whole situation is more complex than just &quot;delegating
</I>&gt;<i> authentication should solve the issue&quot;.
</I>
It's not about delegating authentication, that stays on mageia.org servers.

I understand your point too. Anyway. Let's see it again from a
different perspective now. No offense intended to anyone, but just
stating it plain.

Choosing this current scheme (LDAP + Perl-based Web frontend + strict
policy on authentication/authorization scheme) makes it:
 - something completely centralised where, when someone could
add/extend an application to the Mageia ecosystem, it has to ask for
permission first (LDAP app-specific credentials, app hosting control),
instead of just using a piece of infrastructure that would enable
users to use it (OAuth + open APIs) and giving their permission - and
keeping control of it; I am not saying that Web developers are craving
to do that at once, but preventing this sort of thing from happening
doesn't help;
 - discussions about improvements cut down for the sake of not
patching pieces of code, making the whole thing so generic, that it
will stay generic (genericity is good, but not at the price of not
progressing/making new stuff).

We can either decide to stay like this - but I'm not sure to see the
point because it doesn't scale - beyond that it's not really
interesting either. Yes, the sysadmin team is not extensible and would
welcome hands to help - showing too conservative a status will not
help either.

Or decide that we need to open and let go a bit more and design all
our services in a more modular/flexible way, yet secure. And if
needed, ask for help on the outside, among people that would be
willing to help (not only volunteers, but companies whose interest
could align with dedicating some employees' time with the project). For
instance, continuing as it is today, but accepting to set up an OAuth
provider service in a given perimeter, plugging it in LDAP with the
auth part still in mageia.org, and see how things go from there?

Note that I'm not arguing against the team or anyone here, but for a
different take on how some services may be provided in a more flexible
way. :-) I'm sure a set of beers and a whiteboard would help a lot
here but all we have for now is this text-based thing.

(that's not a binary switch - I discussed with some of af83 engineers
about one of their projects they demonstrated at WebWorkersCamp past
weekend (<A HREF="https://github.com/AF83/auth_server">https://github.com/AF83/auth_server</A> ) - and it seems they
would be happy to help with this - that's in part why I suggest a bit
more about this)

So the question, to sum it up is this: would the sysadmin team be ok with:
 - experimenting with such an authorization gateway (as oauth2 here) that
would allow other apps to use Mageia user accounts for
authentication/authorization;
 - possibly set up and implemented/provided by non sysadmins

It's not about setting a fight between systems integrity/admin and
foolish experiments/developments - it's about allowing ideas to bubble
through the project without too many obstacles in the middle.

No hurry either, better make sure everyone is on par on this.


Cheers,

Romain
</PRE>
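The split the message argues for (authentication and group lookup stay with a central provider, while each application decides authorization locally from the groups it is handed) can be sketched in a few dozen lines. The following is an added example written for this archive page; it is not code from the thread, from Mageia's infrastructure, or from the auth_server project mentioned above. The directory entries, group names, scopes, the shared signing key and the token format are all constructed assumptions, and the provider's actual password check is left out.

```python
"""
Added example (not from the thread): a toy split between an identity provider
that looks up a user's groups in a directory and issues a signed token, and a
separately hosted application that checks the token and decides authorization
from its own policy over those groups.

Constructed assumptions: DIRECTORY stands in for LDAP group membership,
PROVIDER_KEY is a throwaway symmetric key, and the token format is a
simplified JWS-like "payload.signature" string.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-in for LDAP group membership (assumption).
DIRECTORY = {
    "alice": {"groups": ["mga-sysadmin", "mga-i18n"]},
    "bob": {"groups": ["mga-packagers"]},
}

# Constructed key shared by provider and app (assumption). A real deployment
# would use an asymmetric key pair or a token introspection endpoint instead.
PROVIDER_KEY = b"example-provider-key-not-for-real-use"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, scopes, now=None, ttl=600) -> str:
    """Provider side: after the user has authenticated (not shown) and consented
    to `scopes`, emit a signed token carrying those scopes and the group list
    read from the directory. The app never sees the user's password."""
    now = time.time() if now is None else now
    payload = {
        "sub": user,
        "scope": list(scopes),
        "groups": DIRECTORY[user]["groups"],
        "iat": int(now),
        "exp": int(now + ttl),
    }
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = _b64(hmac.new(PROVIDER_KEY, body.encode(), hashlib.sha256).digest())
    return body + "." + sig


def verify_token(token: str, now=None):
    """App side: check the signature in constant time and the expiry; return
    the payload or None. This only establishes who the provider vouches for."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(PROVIDER_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(sig), expected):
        return None
    payload = json.loads(_unb64(body))
    if payload["exp"] <= now:
        return None
    return payload


# App-local policy mapping directory groups to actions (assumption).
APP_POLICY = {
    "translate": {"mga-i18n"},
    "review": {"mga-i18n", "mga-sysadmin"},
}


def authorize(token: str, action: str, now=None) -> bool:
    """Authorization stays in the local app: the token must verify, the user
    must have consented to a scope covering the action, and at least one of
    the user's groups must be allowed by this app's own policy."""
    payload = verify_token(token, now=now)
    if payload is None:
        return False
    if action not in payload["scope"]:
        return False
    allowed_groups = APP_POLICY.get(action, set())
    return any(g in allowed_groups for g in payload["groups"])


if __name__ == "__main__":
    t0 = 1_303_847_997  # fixed clock for reproducibility (constructed)
    tok = issue_token("alice", ["translate"], now=t0)
    print(authorize(tok, "translate", now=t0 + 1))    # True
    print(authorize(tok, "review", now=t0 + 1))       # False: scope not granted
    print(authorize(tok, "translate", now=t0 + 601))  # False: token expired
```

The point of the structure is that the provider decides identity and group membership once, while each application keeps its own policy table and can be added or replaced without handing it the directory's credentials.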

<!--endarticle-->
    <HR>
    <P><UL>
        <!--threads-->
	<LI>Previous message: <A HREF="003400.html">[Mageia-sysadm] Users authentication on forums
</A></li>
	<LI>Next message: <A HREF="003336.html">[Mageia-sysadm] packages uploaded only on x86_64
</A></li>
         <LI> <B>Messages sorted by:</B> 
              <a href="date.html#3402">[ date ]</a>
              <a href="thread.html#3402">[ thread ]</a>
              <a href="subject.html#3402">[ subject ]</a>
              <a href="author.html#3402">[ author ]</a>
         </LI>
       </UL>

<hr>
<a href="https://www.mageia.org/mailman/listinfo/mageia-sysadm">More information about the Mageia-sysadm
mailing list</a><br>
</body></html>