Text Blame History Raw

Authentication service for CentOS Infrastructure

Info

CentOS and Fedora merged their previous authentication backend to a new solution based on (Free)IPA, but it's only valid for applications that are able to use such new authentication system (see below for explanations)

Worth knowing that majority of infra services described below are managed/hosted by Fedora Infra (while CentOS infra is consuming such service

Authentication platform components

IPA servers

There are actually 3 IPA servers running on RHEL8 that are used as backend authentication solution. These aren't publicly reachable and are managed/hosted by the Fedora Infra team.

Community Portal (noggin)

The https://accounts.centos.org community portal is based on Noggin where people can register is an openshift deployment done by Fedora Infra on the Fedora infra openshift cluster. CentOS Infra team though is in charge of the haproxy node in front of openshift and routing requests to correct openshift compute nodes from Fedora infra. All the needed variables for haproxy are stored in the CentOS ansible inventory, either through group_vars and/or host_vars variables

Same goes for the TLS certificates used on the haproxy reverse proxy : automatically applied by the ansible role after they are renewed through BAU process (see dedicated TLS documentation)

Identity Provider (IdP)

We deploy our own IdP instance, based on Ipsilon that is publicly available on https://id.centos.org.

It's full deployed by the ipsilon Ansible role but needs access through fedora network as it's not directly available from outside

It supports the following standard protocols and uses IPA servers backends for users auth/group memberships and that node is properly enrolled in IPA itself (requirement)

Openid

Applications using OpenID can point directly to https://id.centos.org and some applications (like https://blog.centos.org) still rely on openid as auth protocol

OpenID Connect/Oauth2

OpenIDC is preferred over OpenID but needs some configuration at both IdP and Application side :

  • on https://id.centos.org : login as account with admin right in ipsilon (managed by Ansible inventory), and create new OpenIDC app / client ID / secret / oauth callback (basically original URL callback endpoint)
  • on the client application side : reflect all client id / secrets / oauth callback

SAML

unused so far in CentOS Infra, but still available if needed as Ipsilon supports it

FASJSON

fasjson API endpoint (available at https://fasjson.fedoraproject.org) permits authenticated users (through kerberos authentication/ticket) to query for users/groups information. Same remark as for noggin : deployed/maintained by Fedora infra but crucial for the following CentOS services :

  • email aliases (computed automatically through fasjson API calls)
  • CBS koji access based on group memberships
  • letting users retrieve their TLS certificate to auth against some CentOS Infra services

TLS/x509 authentication

See public Authentication wiki page that covers kerberos/tls (no need to duplicate content here)