# Authentication

!!! note
    CentOS and Fedora use the same authentication platform, so if you already have a Fedora account (aka FAS), you already have a CentOS account and only need to be added to specific CentOS groups there.

## Creating your account

You can create your account on our community portal at [https://accounts.centos.org](https://accounts.centos.org).

To register/create an account, click "Register" on the portal and follow the process.
More information and user documentation for the portal is available in the consolidated [online documentation](https://docs.fedoraproject.org/en-US/fedora-accounts/).

## Modifying your account

Once logged into the portal (still on https://accounts.centos.org), you can edit your profile and see your group membership.

Some settings you can modify directly:

* First/Last Name
* Locale
* Timezone
* email address (note that it needs to be a valid email address)
* other personal details
* your password
* adding/removing OTP tokens (see below for 2FA)
* SSH and GPG public keys

### Enabling 2FA on your account (optional)
It's advised (but not mandatory) to enable two-factor authentication on your account; for some critical accounts it is required.

You can add one or more OTP tokens to your profile (more than one is advised). Solutions known to work so far:

* Yubikey (4 and above, with OTP support): through the rpm package yubioath-desktop
* FreeOTP (available on Google Play Store)
* OTPClient (available as rpm package and flatpak/flathub)
* others (the list is not exhaustive)

More information about 2FA is available in the dedicated [portal documentation](https://docs.fedoraproject.org/en-US/fedora-accounts/user/#twofactor).

## SIG group membership

There is currently no form you can use to be added to a SIG group. Instead, reach out to a SIG chair (who has delegated rights to add/remove people in the SIG group you want to join); they can then add you after confirming that you can be onboarded in the SIG.

To find the people who can sponsor you in a SIG/group, search for the group on the portal once authenticated and look at the people listed under the "Sponsors" area (for example, see the [Automotive SIG](https://accounts.centos.org/group/sig-automotive/)).

## Retrieving your TLS certificate

To request a signed TLS certificate, first install the CLI tool. It uses Kerberos authentication to send a locally (and automatically) generated CSR to IPA for signing, and you then get your certificate back.

Supported Linux distributions: CentOS Stream 8/9 (or an el8/el9 variant), Fedora 33 and beyond

```
sudo dnf install -y epel-release # only if you are using CentOS Stream or an EL variant
sudo dnf install -y centos-packager
```

Your user certificate bundle comes in the form of one file:

~/.centos.cert : PEM file with your X509 client certificate and key

To generate your certificate, use the `centos-cert` tool included in the centos-packager package:

```
centos-cert

You need to call the script like this : /usr/bin/centos-cert -arguments
-u : username ([REQUIRED] : your existing ACO/FAS username)
-v : just validates the existing TLS certificate ([OPTIONAL])
-r : REALM to use for kerberos ([OPTIONAL] : defaults to FEDORAPROJECT.ORG)
-f : fasjson url ([OPTIONAL]: defaults to https://fasjson.fedoraproject.org)
-h : display this help
```

If you've signed up with the account name `tuser`, you can generate your new certificate like this:

```
[tuser@myworkstation]$ centos-cert -u tuser
```

!!! note
    Be aware that `centos-cert -u tuser` requests a new certificate, which automatically revokes any other certificate you had in the past. If you need to use cbs/koji on multiple machines, just copy the certificate file mentioned above to the other machine.

!!! warning
    Important note regarding OTP: if you have enabled two-factor auth, you absolutely need to get a valid Kerberos ticket through another step *before* using centos-cert. See the [Fedora Accounts Documentation](https://docs.fedoraproject.org/en-US/fedora-accounts/user/#twofactor) for details.

### TLS part for Staging env

If you need to interact with .stg. services (like [https://cbs.stg.centos.org](https://cbs.stg.centos.org)) that rely on TLS auth, you need to get a different TLS cert.

That means you need an account on [https://accounts.stg.centos.org](https://accounts.stg.centos.org), which isn't linked to the production accounts.centos.org IPA backend.

It's advised to use a different container or home directory to retrieve your STG cert; you can point centos-cert at the [https://fasjson.stg.fedoraproject.org](https://fasjson.stg.fedoraproject.org) URL (option `-f`).

You can manually create (nothing yet in `centos-packager` for it) a ~/.koji/cbs-stg.conf that looks like this:

```
[cbs-stg]

;url of XMLRPC server
server = https://cbs.stg.centos.org/kojihub/

;url of web interface
weburl = https://cbs.stg.centos.org/koji

;url of package download site
topurl = http://cbs.stg.centos.org/kojifiles

;path to the koji top directory
topdir = /mnt/koji

;client certificate
cert = ~/.centos-stg.cert

;certificate of the CA that issued the HTTP server certificate
serverca = /etc/pki/tls/certs/ca-bundle.trust.crt

```

!!! warning
    You also have to ensure that your TLS file is renamed to the correct filename!

You can then call koji like this:

```
koji -c ~/.koji/cbs-stg.conf -p cbs-stg
```
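
As an added example (not part of this page's original content or of centos-packager), the preflight below ties together the note about copying `~/.centos.cert` to other machines and the staging warning about renaming the file: it reads the `cert =` path from a koji profile, then checks that the bundle exists, is not readable by group/other (it holds your private key), contains both a certificate and a key, and is not about to expire. The function names, return codes and the 14-day threshold are assumptions; GNU `stat` and `openssl` are assumed to be installed.

```shell
#!/bin/sh
# Added example (not part of centos-packager): preflight for the client
# certificate bundle that a koji profile points at. Assumes GNU stat (Linux).

# Print the "cert" value from section [profile] of a koji config, expanding "~/".
koji_cert_path() {
    local conf="$1" profile="$2" path
    path=$(awk -v want="[$profile]" '
        /^[ \t]*\[/ { in_sec = ($1 == want); next }
        in_sec && /^[ \t]*cert[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$conf")
    [ -n "$path" ] || return 1
    case $path in "~/"*) path="$HOME/${path#??}" ;; esac
    printf '%s\n' "$path"
}

# Structural checks on the bundle. Returns 0 = ok, 2 = missing,
# 3 = readable by group/other (it holds the private key), 4 = cert or key absent.
check_cert_bundle() {
    local file="$1" mode
    [ -f "$file" ] || return 2
    mode=$(stat -c '%a' "$file") || return 2
    case $mode in *00) ;; *) return 3 ;; esac
    grep -q -e '-----BEGIN CERTIFICATE-----' "$file" || return 4
    grep -Eq -e '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$file" || return 4
}

# True when the first certificate in the bundle is still valid in $2 days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Full preflight: koji_cert_preflight <config> <profile> [days]
koji_cert_preflight() {
    local cert rc=0
    cert=$(koji_cert_path "$1" "$2") || { echo "no cert= in [$2]" >&2; return 1; }
    check_cert_bundle "$cert" || rc=$?
    [ "$rc" -eq 0 ] || { echo "$cert: bundle check failed (code $rc)" >&2; return "$rc"; }
    cert_valid_for_days "$cert" "${3:-14}" ||
        { echo "$cert: expires within ${3:-14} days or is unreadable" >&2; return 5; }
    echo "$cert: ok"
}
```

Run `koji_cert_preflight ~/.koji/cbs-stg.conf cbs-stg` after copying or renaming the bundle; a return code of 3 means the file should be restricted with `chmod 600`.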

## Linking your CentOS account to gitlab

The first thing to understand is that gitlab will "link" an existing account
with a third-party authentication system. In other words, you need to have a
gitlab account and be logged in to gitlab.com before you can associate your
account with the CentOS Account System (ACO).

So if you do not have a gitlab account, create one and log in with it to
[https://gitlab.com](https://gitlab.com). Then visit the following link,
[https://id.centos.org/gitlab](https://id.centos.org/gitlab), to associate your
account with the CentOS Account System.

From then on, every time you visit this link, your group membership defined in
ACO will be refreshed on gitlab.

## Authenticating to CentOS services with your accounts
Some infra services (but not all) use the new authentication platform to give you access.

### IdP for CentOS service

As the IPA backend itself doesn't provide IdP features, the service https://id.centos.org is registered in IPA and can be used as an IdP, supporting OpenID, OpenIDC and SAML2 authentication for applications/services that can recognize and use such protocols/standards.

### Authenticating with your username and password
When you try to log in to a service that requires auth, you'll be automatically redirected to https://id.centos.org.
You can then provide your username and password to authenticate, and you will then be redirected to the service you initially wanted to use.

!!! warning
    If you have enabled 2FA (see above), your password field is a combination of **both** your real password and the OTP token

### Enabling kerberos for IdP
If you would rather use your Kerberos ticket to authenticate against services transparently, without typing your user/password (+OTP if enabled) combination each time, you can configure your workstation to use GSSAPI authentication against https://id.centos.org.

For this you first need to install a mandatory package that has the needed Kerberos configuration:

```
sudo dnf install -y epel-release # Only on EL , not needed on Fedora
sudo dnf install -y fedora-packager
```

!!! important
    You need to have fedora-packager >= 0.6.0.5-2 installed on your system for this to work!

After that, you can kinit as usual (see the [upstream doc](https://docs.fedoraproject.org/en-US/fedora-accounts/user/#pkinit)) and you should have your Kerberos ticket ready to be used for authentication.

You still need to configure your browser:

### Firefox settings
In Firefox, type **about:config** in the location/URL bar and press Enter.
You can then edit the following key/value:

```
network.negotiate-auth.trusted-uris: .fedoraproject.org,.centos.org
```

Close it, and Firefox will then allow the Kerberos/GSSAPI transaction to proceed, meaning that the next time a service redirects you to https://id.centos.org, you'll be automatically logged in through Kerberos (no need to enter your user/password again).

### Chrome/Chromium
The path of the JSON file to create differs between Chrome and Chromium:

* Chrome : /etc/opt/chrome/policies/managed/fedora-centos.json
* Chromium : /etc/chromium/policies/managed/fedora-centos.json

The file should contain something like this:

```
{
  "AuthServerAllowlist": "*.fedoraproject.org,*.centos.org",
  "AuthNegotiateDelegateAllowlist": "*.fedoraproject.org,*.centos.org"
}
```

!!! warning
    Chrome/Chromium browsers with version < '100' used different names, *AuthServerWhitelist* and *AuthNegotiateDelegateWhitelist*, so check your version and adapt accordingly.

## Email aliases

### Personal email alias

The CentOS Project automatically offers a `<your_fas_account>@centosproject.org` email alias to each onboarded and active SIG member.
Emails are simply forwarded to the primary email address you used when registering your FAS/ACO account, and the alias is automatically updated if you change that address in your accounts.centos.org profile.

### Group alias[es]

An automatic email alias is created for the group (at onboarding time for a new SIG), following the naming convention `sig-<name>@centosproject.org`.
That email alias automatically includes the email addresses of all SIG members: they are added when members join and removed when they leave.

Should you need another specific email alias (not containing all the SIG group members), feel free to create an [infra ticket](https://pagure.io/centos-infra/new_issue) to request that another group be created manually.