From 991dca539d9bb394c86deb084ebedc0452e612b5 Mon Sep 17 00:00:00 2001 From: Fabian Arrotin Date: Dec 10 2021 10:13:23 +0000 Subject: Doc about authentication and group membership Signed-off-by: Fabian Arrotin --- diff --git a/docs/auth.md b/docs/auth.md index ed45579..8d4602f 100644 --- a/docs/auth.md +++ b/docs/auth.md 
@@ -1,3 +1,86 @@ # Authentication +## Creating your account + +You can create your account on our community portal running on [https://accounts.centos.org](https://accounts.centos.org). + +To register/create an account, just click on "Register" on the portal and follow the process. +More information and user documentation is available on consolidated [online documentation](https://docs.fedoraproject.org/en-US/fedora-accounts/) for the portal + +## Modifying your account + +Once logged into the portal (still on https://accounts.centos.org) you can modify/edit your profile and see your group membership. + +Some settings you can modify directly: + + * First/Last Name + * Locale + * Timezone + * email address (attention that it needs to be a valid email address) + * other personal details + * your password + * adding/removing OTP tokens (see below for 2FA) + * ssh and gpg public keys + +### Enabling 2FA on your account (optional) +It's adviced (but not mandatory) to implement 2 Factor Authentication on your account (for some critical accounts, that's though required). + +You can add one (or more, adviced) OTP tokens on your profile. 
Known to work solutions so far : + + * Yubikey (4 and above, that supports OTP) : through rpm pkg yubioath-desktop + * FreeOTP (available on Google Play Store) + * OTPClient (available as rpm pkg and flatpak/flathub) + * others (list is non exhaustive) + +More informations about 2FA is available on specific [portal documentation](https://docs.fedoraproject.org/en-US/fedora-accounts/user/#twofactor) + + ## SIG group membership + +There is no current form that you can use to be added in a SIG group but you have to reach out to a SIG chair (having delegated rights to add/remove people in the SIG group you want to join) and he can then add you, after having confirmed that you can be onboarded in the SIG + +To know people who can "sponsors" you in a SIG/group, you can , once authenticated, search for a group on the portal and then see people listed under the "Sponsors" area (for example, consider the [Automotive SIG](https://accounts.centos.org/group/sig-automotive/) + + +## Retrieving your TLS certificate + +To be able to request a signed TLS certificate, you need first to install the cli tool that will use kerberos auth first to request a locally generated (automatic) CSR to be sent to IPA for signing operation and you'll then get your certificate back. 
+ +Supported Linux distributions: CentOS 8/8-s , Fedora 32,33,34 + +``` +sudo dnf install -y epel-release # only if you are on CentOS 8 / 8-stream not needed for Fedora +sudo dnf install -y centos-packager +``` + +Your user certificate bundle comes in the form of 1 file: + +~/.centos.cert : PEM file with your X509 Client Certificate and Key + +To generate your certificate you can use the 'centos-cert' tool included in the centos-packager package: + +``` + centos-cert + +You need to call the script like this : /usr/bin/centos-cert -arguments + -u : username ([REQUIRED] : your existing ACO/FAS username) + -v : just validates the existing TLS certificate ([OPTIONAL]) + -r : REALM to use for kerberos ([OPTIONAL] : defaults to FEDORAPROJECT.ORG) + -f : fasjson url ([OPTIONAL]: defaults to https://fasjson.fedoraproject.org) + -h : display this help +``` + +If you've signed up with the account name `tuser`, you can generate your new certificate like this: + +``` + [tuser@myworkstation]$ centos-cert -u tuser +``` + +!!! note + Attention that centos-cert -u tuser will request a new certificate, so that will automatically revoke any other certificate you had in the past. If you need to use cbs/koji on multiple machines, just copy the files mentioned above on the other machine. + +!!! warning + Important note WRT OTP: If you have enabled Two Factor auth, you absolutely need to get a valid kerberos ticket through other step *before* using centos-cert. See details on the [Fedora Accounts Documentation](https://docs.fedoraproject.org/en-US/fedora-accounts/user/#twofactor) for this + + + diff --git a/docs/index.md b/docs/index.md index beb6f20..90f4ae2 100644 --- a/docs/index.md +++ b/docs/index.md 
@@ -1 +1,12 @@ # CentOS SIG Guide + +CentOS Special Interest Groups are smaller groups within the CentOS community that focus feature work on or awareness around a topic related to CentOS Linux and CentOS Stream. + +This guide is for anyone interested in starting, managing, or contributing to a [CentOS Special Interest Group](https://wiki.centos.org/SpecialInterestGroup). + +You'll find on this (always involving) website best practices for each step in the process, including : + + * How to [join](auth.md) a SIG + * How to start [building](cbs.md) RPM packages or other artifacts + * How to [test](ci.md) your packages + * How to [push to mirror](delivery.md) network
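Review bot: In docs/auth.md, the `!!! note` under "Retrieving your TLS certificate" tells readers to "just copy the files mentioned above on the other machine", but the only file the section names is `~/.centos.cert`, which it describes as holding both the X509 client certificate and its key. Suggest naming that single file explicitly and adding that it contains the private key, so it should be transferred over an encrypted channel and kept readable only by its owner on both machines. The `!!! warning` about OTP says a Kerberos ticket must be obtained "through other step" without naming the step; spell it out in this doc, or say which part of the linked Fedora Accounts page covers it. Smaller points in the same hunk: "adviced" should be "advised" (twice), "More informations" should be "More information", the Automotive SIG link is missing its closing parenthesis, and the `## SIG group membership` line starts with a space that the other headings do not have.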
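Review bot: In docs/index.md, the new list links to `cbs.md`, `ci.md` and `delivery.md`, none of which this patch adds or touches; confirm they already exist under `docs/`, otherwise the index ships with dead links. In the sentence introducing the list, "(always involving)" reads like a typo for "(always evolving)". The "join" entry points at the top of auth.md, while joining a SIG is covered in its "SIG group membership" section, so linking to that section would take readers straight to the relevant text.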