Note
CentOS and Fedora use the same authentication platform, so if you already have a Fedora account (aka FAS) you already have a CentOS account and only need to be added to the specific CentOS groups there!
You can create your account on our community portal running on https://accounts.centos.org.
To register/create an account, just click on "Register" on the portal and follow the process. More information and user documentation is available in the consolidated online documentation for the portal.
Once logged into the portal (still on https://accounts.centos.org) you can modify/edit your profile and see your group membership.
Some settings you can modify directly:
It's advised (but not mandatory) to enable two-factor authentication on your account (for some critical accounts it is required, though).
You can add one (or more, advised) OTP tokens to your profile. Solutions known to work so far:
More information about 2FA is available in the specific portal documentation.
There is currently no form you can use to be added to a SIG group: you have to reach out to a SIG chair (who has delegated rights to add/remove people in the SIG group you want to join), and they can then add you after confirming that you can be onboarded in the SIG.
To find out who can sponsor you in a SIG/group, you can, once authenticated, search for a group on the portal and then look at the people listed under the "Sponsors" area (for example, consider the Automotive SIG).
To be able to request a signed TLS certificate, you first need to install the CLI tool. It uses Kerberos authentication to send a locally generated (automatic) CSR to IPA for signing, and you then get your certificate back.
Supported Linux distributions: CentOS Stream 8/9 (or el8/el9 variants), Fedora 33 and later
sudo dnf install -y epel-release # only if you are using CentOS Stream or an EL variant
sudo dnf install -y centos-packager
Your user certificate bundle comes in the form of one file:
~/.centos.cert : PEM file with your X509 client certificate and key
To generate your certificate you can use the 'centos-cert' tool included in the centos-packager package:
centos-cert
You need to call the script like this :
/usr/bin/centos-cert -arguments
 -u : username ([REQUIRED] : your existing ACO/FAS username)
 -v : just validates the existing TLS certificate ([OPTIONAL])
 -r : REALM to use for kerberos ([OPTIONAL] : defaults to FEDORAPROJECT.ORG)
 -f : fasjson url ([OPTIONAL]: defaults to https://fasjson.fedoraproject.org)
 -h : display this help
If you've signed up with the account name tuser, you can generate your new certificate like this:
[tuser@myworkstation]$ centos-cert -u tuser
Note
Note that centos-cert -u tuser requests a new certificate, which automatically revokes any other certificate you had in the past. If you need to use cbs/koji on multiple machines, just copy the file mentioned above to the other machine.
Warning
Important note regarding OTP: if you have enabled two-factor auth, you absolutely need to obtain a valid Kerberos ticket through another step before using centos-cert. See the Fedora Accounts documentation for details.
If you need to interact with .stg. services (like https://cbs.stg.centos.org) that rely on TLS auth, be aware that you need a different TLS cert.
That means you need an account from https://accounts.stg.centos.org, which is not linked to the production accounts.centos.org IPA backend.
It's advised to use a different container or home directory to retrieve your STG cert; you can simply point to the https://fasjson.stg.fedoraproject.org URL (option -f for centos-cert).
You can manually create (nothing in centos-packager does it yet) a ~/.koji/cbs-stg.conf that looks like this:
[cbs-stg]
;url of XMLRPC server
server = https://cbs.stg.centos.org/kojihub/
;url of web interface
weburl = https://cbs.stg.centos.org/koji
;url of package download site
topurl = http://cbs.stg.centos.org/kojifiles
;path to the koji top directory
topdir = /mnt/koji
;client certificate
cert = ~/.centos-stg.cert
;certificate of the CA that issued the HTTP server certificate
serverca = /etc/pki/tls/certs/ca-bundle.trust.crt
Warning
Also ensure that your TLS file is renamed to the correct filename (the one referenced by cert = in the profile above)!
You can then call koji like this:
koji -c ~/.koji/cbs-stg.conf -p cbs-stg
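As an added preflight check (not part of centos-packager or of this page's own tooling), the following Python validates a koji profile like the one above before you call koji: it confirms the required keys are present, that the configured client cert bundle exists, is private (mode 0600) and contains both a certificate and a key, and that a staging hub is paired with a staging-named bundle. The "stg in the filename" rule is a heuristic assumed here for the renaming warning above.

```python
import configparser
import os
import stat

# Markers expected in the single PEM bundle written by centos-cert (certificate plus key).
CERT_MARKER = "-----BEGIN CERTIFICATE-----"
KEY_MARKERS = ("-----BEGIN PRIVATE KEY-----", "-----BEGIN RSA PRIVATE KEY-----",
               "-----BEGIN EC PRIVATE KEY-----")
REQUIRED_KEYS = ("server", "weburl", "topurl", "cert", "serverca")


def check_cert_bundle(path):
    """Problems with the client cert bundle: missing, group/world readable, or incomplete."""
    path = os.path.expanduser(path)
    if not os.path.isfile(path):
        return [f"cert bundle {path} does not exist"]
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{path} is readable by group/others (mode {mode:04o}); chmod 600 it")
    with open(path, encoding="utf-8") as fh:
        data = fh.read()
    if CERT_MARKER not in data:
        problems.append(f"{path} has no certificate block")
    if not any(marker in data for marker in KEY_MARKERS):
        problems.append(f"{path} has no private key block")
    return problems


def check_koji_profile(conf_path, profile):
    """Problems with a koji profile such as [cbs-stg]; an empty list means it looks usable."""
    cfg = configparser.ConfigParser()
    if not cfg.read(os.path.expanduser(conf_path)):
        return [f"cannot read {conf_path}"]
    if profile not in cfg:
        return [f"profile [{profile}] not found in {conf_path}"]
    sec = cfg[profile]
    problems = [f"missing '{key}'" for key in REQUIRED_KEYS if key not in sec]
    if problems:
        return problems
    # Heuristic (assumed here): centos-cert writes ~/.centos.cert, so a staging profile whose
    # cert was not renamed to a "stg" filename is most likely still pointing at the prod cert.
    if "cbs.stg.centos.org" in sec["server"] and "stg" not in os.path.basename(sec["cert"]):
        problems.append(f"staging hub but cert {sec['cert']} is not a staging-named bundle")
    problems += check_cert_bundle(sec["cert"])
    if not os.path.isfile(os.path.expanduser(sec["serverca"])):
        problems.append(f"serverca {sec['serverca']} does not exist")
    return problems
```

Run it as check_koji_profile("~/.koji/cbs-stg.conf", "cbs-stg") and fix anything it lists before invoking koji with that profile.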
The first thing to understand is that GitLab "links" an existing account with a third-party authentication system. In other words, you need to have a GitLab account and be logged in on gitlab.com before you can associate it with the CentOS Account System (ACO).
So if you do not have a GitLab account, create one and log in with it on https://gitlab.com. Then visit https://id.centos.org/gitlab to associate your account with CentOS' Account System.
From then on, every time you visit this link, your group membership defined in ACO is refreshed on GitLab.
Some infra services (but not all) use the new authentication platform to give you access.
As the IPA backend itself doesn't provide IdP features, the service https://id.centos.org is registered in IPA and can be used as an IdP, supporting OpenID, OpenID Connect and SAML2 authentication for applications/services that recognize and use those protocols/standards.
When you try to log in to a service that requires auth, you are automatically redirected to https://id.centos.org. You can then provide your username and password combination to authenticate, after which you are redirected to the service you originally wanted to authenticate with.
Warning
If you have enabled 2FA (see above), your password field is a combination of '''both''' your real password and the OTP token.
If you instead want to use your Kerberos ticket to authenticate against services (transparently), without typing your user/password (+OTP if enabled) combination each time, you can configure your workstation to use GSSAPI authentication against https://id.centos.org.
For this you first need to install a mandatory package, which ships the needed Kerberos configuration:
sudo dnf install -y epel-release # Only on EL, not needed on Fedora
sudo dnf install -y fedora-packager
Important
You need fedora-packager >= 0.6.0.5-2 installed on your system for this to work!
After that, you can kinit as usual (see the [[https://docs.fedoraproject.org/en-US/fedora-accounts/user/#pkinit|upstream doc]]) and you should have your Kerberos ticket ready to be used for authentication.
You still need to configure your browser:
In Firefox, type '''about:config''' in the location/URL bar and press Enter. You can then edit the following key/value:
network.negotiate-auth.trusted-uris: .fedoraproject.org,.centos.org
Close it; Firefox will then allow the Kerberos/GSSAPI transaction to proceed, meaning that the next time a service redirects you to https://id.centos.org you'll be automatically logged in through Kerberos (no need to specify user/password again).
Depending on whether you use Chrome or Chromium, the path of the JSON file to create is different:
It should contain something like this:
{
  "AuthServerAllowlist": "*.fedoraproject.org,*.centos.org",
  "AuthNegotiateDelegateAllowlist": "*.fedoraproject.org,*.centos.org"
}
Warning
Chrome/Chromium browsers with version < 100 used different names, ''AuthServerWhitelist'' and ''AuthNegotiateDelegateWhitelist'', so check your version and adapt accordingly.
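As an added helper (not part of the page or of any CentOS tooling), this Python generates the Negotiate policy JSON with the key names matching a given Chrome/Chromium major version, following the page's "before 100 / from 100 on" rule, and checks an existing policy file for stale key names, a missing *.centos.org entry, and an over-broad "*" entry that would send the Kerberos ticket to any host.

```python
import json

# Key names per the rule above: *Whitelist before Chrome 100, *Allowlist from 100 on.
NEW_KEYS = ("AuthServerAllowlist", "AuthNegotiateDelegateAllowlist")
OLD_KEYS = ("AuthServerWhitelist", "AuthNegotiateDelegateWhitelist")
ALLOWED_HOSTS = "*.fedoraproject.org,*.centos.org"


def policy_for_version(major):
    """Return the policy JSON text using the key names this Chrome major version understands."""
    keys = NEW_KEYS if major >= 100 else OLD_KEYS
    return json.dumps({key: ALLOWED_HOSTS for key in keys}, indent=2)


def check_policy(policy_text, major):
    """Return problems found in an existing policy file's JSON for the given Chrome major."""
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    expected = NEW_KEYS if major >= 100 else OLD_KEYS
    # From 100 on the old names are no longer honoured, so their presence means no SSO at all.
    stale = OLD_KEYS if major >= 100 else ()
    problems = [f"{key} is ignored by Chrome {major}; rename it" for key in stale if key in policy]
    for key in expected:
        if key not in policy:
            problems.append(f"missing {key}")
            continue
        hosts = [host.strip() for host in str(policy[key]).split(",")]
        if "*.centos.org" not in hosts:
            problems.append(f"{key} does not include *.centos.org, so id.centos.org gets no ticket")
        # A bare "*" matches every host: any site answering with a Negotiate challenge would
        # receive the ticket (and, via the delegate list, a forwardable credential).
        if "*" in hosts:
            problems.append(f"{key} allows every host; restrict it to the IdP domains")
    return problems
```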
The CentOS Project automatically offers a <your_fas_account>@centosproject.org email alias for each onboarded and active SIG member.
Emails are simply forwarded to the primary email address you used when registering your FAS/ACO account, and the forwarding target is automatically updated if you update it in your accounts.centos.org profile.
An automatic email alias is created (at onboarding time for a new SIG) for the group, following the naming convention sig-<name>@centosproject.org.
That email alias automatically includes all SIG members' email addresses once they are added (and drops them when they are removed).
Should you need another specific email alias (not containing all the SIG group members), feel free to create an infra ticket to request another group to be created manually.