# Authentication service for CentOS Infrastructure

!!! info

    CentOS and Fedora merged their previous authentication backends into a new solution based on [(Free)IPA](http://www.freeipa.org). This only applies to applications that *are* able to use the new authentication system (see below for details).

    Note that the majority of the infra services described below are managed and hosted by Fedora Infra, while CentOS Infra is *consuming* them.

## Authentication platform components

### IPA servers

There are three IPA servers running on RHEL 8 that are used as the backend authentication solution.

They are not publicly reachable and are managed/hosted by the Fedora Infra team.

### Community Portal (noggin)

The https://accounts.centos.org community portal, where people register their accounts, is based on [Noggin](https://github.com/fedora-infra/noggin). It is an OpenShift deployment done by Fedora Infra on the Fedora Infra OpenShift cluster.

The CentOS Infra team, though, is in charge of the [haproxy](https://github.com/centos/ansible-role-haproxy) node in front of OpenShift, which routes requests to the correct OpenShift compute nodes on the Fedora Infra side.

All the variables haproxy needs are stored in the CentOS Ansible inventory, through group_vars and/or host_vars.

The same goes for the TLS certificates used on the haproxy reverse proxy: they are automatically deployed by the Ansible role *after* being renewed through the BAU process (see the [dedicated TLS](/security/tls/#how-to-renew-existing-certs) documentation).

### Identity Provider (IdP)

We deploy our own IdP instance, based on [Ipsilon](https://ipsilon-project.org/), publicly available at https://id.centos.org.

It is fully deployed by the [ipsilon](https://github.com/centos/ansible-role-ipsilon) Ansible role, but needs access through the Fedora network, as that is not directly reachable from outside.

It supports the standard protocols listed below and uses the IPA servers as backend for user authentication and group memberships; the node itself is properly enrolled in IPA (a requirement).

#### OpenID

Applications using OpenID can point directly to https://id.centos.org; some applications (like https://blog.centos.org) still rely on OpenID as their auth protocol.

#### OpenID Connect/OAuth2

OpenID Connect is preferred over OpenID but needs some configuration on both the IdP and the application side:

* on https://id.centos.org : log in as an account with admin rights in Ipsilon (managed through the Ansible inventory) and create a new OpenIDC app / client ID / secret / OAuth callback (basically the application's own URL callback endpoint)
* on the client application side : reflect the same client ID / secret / OAuth callback (the callback URL must match exactly what was registered on the IdP, otherwise the IdP rejects the login)
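
The following is an added example of what the application side of that second step looks like in code; it is not code from Ipsilon, Noggin or any CentOS Infra role. It builds the authorization request (with `state`, `nonce` and PKCE), validates the redirect back from the IdP against the exact callback that was registered, prepares the code-for-token exchange, and checks the ID-token claims. The endpoint layout under `ISSUER` mirrors how Ipsilon publishes OpenID Connect but is an assumption here; `client_id`, `client_secret` and `redirect_uri` are placeholders for the values created in the Ipsilon admin UI and mirrored in the application's configuration.

```python
"""OpenID Connect (authorization-code) relying-party helpers.

Added example, not code from Ipsilon, Noggin or a CentOS Infra role. The
endpoint layout under ISSUER is an assumption modelled on Ipsilon; client_id,
client_secret and redirect_uri are placeholders for the values created in the
Ipsilon admin UI and mirrored in the application's configuration.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed issuer and endpoints (Ipsilon serves OIDC below /openidc/).
ISSUER = "https://id.centos.org/openidc/"
AUTHORIZATION_ENDPOINT = ISSUER + "Authorization"
TOKEN_ENDPOINT = ISSUER + "Token"


def _b64url(raw):
    """Unpadded base64url, the encoding RFC 7636 and JOSE use."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pkce_challenge(code_verifier):
    """S256 code_challenge for a code_verifier (RFC 7636, section 4.2)."""
    return _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def build_authorization_request(client_id, redirect_uri,
                                scopes=("openid", "email", "profile")):
    """Return (authorization_url, session); `session` holds the per-login
    secrets the application keeps server-side and checks on the callback."""
    session = {
        "state": secrets.token_urlsafe(32),          # binds callback to this browser
        "nonce": secrets.token_urlsafe(32),          # binds ID token to this login
        "code_verifier": secrets.token_urlsafe(64),  # 86 chars, within 43..128
    }
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": session["state"],
        "nonce": session["nonce"],
        "code_challenge": pkce_challenge(session["code_verifier"]),
        "code_challenge_method": "S256",
    }
    return AUTHORIZATION_ENDPOINT + "?" + urlencode(params), session


def parse_callback(callback_url, session, registered_redirect_uri):
    """Validate the redirect back from the IdP and return the authorization code.

    Rejects an error response, a missing/mismatching `state` (login CSRF) and
    a callback that did not land on the exact URI registered in Ipsilon.
    """
    parsed = urlparse(callback_url)
    if parsed._replace(query="", fragment="").geturl() != registered_redirect_uri:
        raise ValueError("callback arrived on an unregistered redirect URI")
    query = parse_qs(parsed.query)
    if "error" in query:
        raise ValueError("IdP returned error: %s" % query["error"][0])
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), session["state"].encode()):
        raise ValueError("state mismatch")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code


def token_request_body(code, session, client_id, client_secret, redirect_uri):
    """Form fields for the back-channel POST to TOKEN_ENDPOINT (code -> tokens)."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,   # must equal the one sent in the request
        "client_id": client_id,
        "client_secret": client_secret,
        "code_verifier": session["code_verifier"],  # proves we started this flow
    }


def validate_id_token_claims(claims, client_id, session, now=None, leeway=60):
    """Claim checks to run after the RS256 signature was verified against the
    IdP's JWKS by a JOSE library (signature verification is not shown here)."""
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        raise ValueError("ID token not issued for this client_id")
    if len(aud) > 1 and claims.get("azp") != client_id:
        raise ValueError("several audiences but azp is not this client")
    if claims.get("exp", 0) + leeway < now:
        raise ValueError("ID token expired")
    if claims.get("nonce") != session["nonce"]:
        raise ValueError("nonce mismatch (ID token replayed or from another login)")
    return True
```

The `state`, `nonce` and `code_verifier` live only on the application's side, which is why a registered client still needs its own per-login storage: a callback that merely carries a valid-looking code is rejected unless it matches a login this application actually started.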

#### SAML

Unused so far in CentOS Infra, but still available if needed, as Ipsilon supports it.

### FASJSON

The [fasjson](https://github.com/fedora-infra/fasjson) API endpoint (available at https://fasjson.fedoraproject.org) lets authenticated users (through a Kerberos ticket) query user and group information.

Same remark as for Noggin: deployed and maintained by Fedora Infra, but *crucial* for the following CentOS services:

* email aliases (computed automatically through fasjson API calls)
* CBS koji access based on group memberships
* letting users retrieve their TLS certificate to authenticate against some CentOS Infra services
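
As an added example (not fasjson's or CentOS Infra's own code), the block below shows how a service authenticates to fasjson with its Kerberos ticket, pages through a group's membership and takes a group-based access decision of the kind CBS koji uses. The `/v1/groups/<group>/members/` path, the `page_size`/`page_number` parameters and the `result`/`page` response shape are written from the fasjson v1 API as understood here and should be treated as assumptions to check against the live endpoint; `SAMPLE_PAGE` and the group name `sig-core` are constructed for the example.

```python
"""Kerberos-authenticated fasjson queries and a group-membership access check.

Added example, not code from fasjson or the CentOS Infra roles. The API path,
pagination parameters and response shape are assumptions modelled on the
fasjson v1 API; SAMPLE_PAGE is a constructed response for the example.
"""
from urllib.parse import urljoin

FASJSON_URL = "https://fasjson.fedoraproject.org/"

# Constructed sample page (assumed shape of /v1/groups/<group>/members/).
SAMPLE_PAGE = {
    "result": [
        {"username": "alice", "human_name": "Alice Example"},
        {"username": "bob", "human_name": "Bob Example"},
    ],
    "page": {"total_results": 2, "page_size": 40, "page_number": 1, "total_pages": 1},
}


def kerberos_session():
    """requests Session that presents the caller's Kerberos ticket (SPNEGO).

    Imported lazily so the parsing below works without the extra packages
    (`pip install requests requests-gssapi`). Obtain a ticket first, e.g.
    `kinit user@FEDORAPROJECT.ORG`; opportunistic_auth sends the Negotiate
    header on the first request instead of waiting for a 401.
    """
    import requests
    from requests_gssapi import HTTPSPNEGOAuth

    session = requests.Session()
    session.auth = HTTPSPNEGOAuth(opportunistic_auth=True)
    return session


def parse_member_page(payload):
    """Return (usernames, has_more) for one page of a members listing."""
    usernames = [entry["username"] for entry in payload.get("result", [])]
    page = payload.get("page", {})
    has_more = page.get("page_number", 1) < page.get("total_pages", 1)
    return usernames, has_more


def fetch_group_members(session, group, page_size=40):
    """Collect every member of `group`, following fasjson's pagination."""
    members = []
    page_number = 1
    while True:
        resp = session.get(
            urljoin(FASJSON_URL, "v1/groups/%s/members/" % group),
            params={"page_size": page_size, "page_number": page_number},
            timeout=30,
        )
        resp.raise_for_status()          # a 401 here means no or expired ticket
        chunk, has_more = parse_member_page(resp.json())
        members.extend(chunk)
        if not has_more:
            return members
        page_number += 1


def is_allowed(username, required_groups, members_by_group):
    """Group-based authorization (the CBS koji pattern): membership in any
    one of `required_groups` grants access; unknown groups grant nothing."""
    return any(username in members_by_group.get(g, ()) for g in required_groups)


if __name__ == "__main__":
    # Live run against fasjson; needs a valid Kerberos ticket. "sig-core" is
    # an example group name, not necessarily one that exists.
    s = kerberos_session()
    members = {g: fetch_group_members(s, g) for g in ("sig-core",)}
    print(is_allowed("alice", ["sig-core"], members))
```

Because fasjson only answers Kerberos-authenticated requests, a service that depends on it (alias generation, koji ACL sync) needs a keytab and a ticket-renewal mechanism of its own; an expired ticket shows up as a 401 from `raise_for_status()`, not as an empty group.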

#### TLS/x509 authentication

See the public [Authentication](https://wiki.centos.org/Authentication) wiki page, which covers Kerberos/TLS (no need to duplicate that content here).