tdawson / centos / sig-guide

Forked from centos/sig-guide 2 months ago
# Authentication

## Creating your account

You can create your account on our community portal running on [https://accounts.centos.org](https://accounts.centos.org).

To register/create an account, just click on "Register" on the portal and follow the process.
More information and user documentation is available in the consolidated [online documentation](https://docs.fedoraproject.org/en-US/fedora-accounts/) for the portal.

## Modifying your account

Once logged into the portal (still on https://accounts.centos.org) you can modify/edit your profile and see your group membership.

Some settings you can modify directly:

 * First/Last Name
 * Locale
 * Timezone
 * Email address (it needs to be a valid, working address)
 * Other personal details
 * Your password
 * Adding/removing OTP tokens (see below for 2FA)
 * SSH and GPG public keys

### Enabling 2FA on your account (optional)

It's advised (but not mandatory) to enable two-factor authentication (2FA) on your account; for some critical accounts it is required.

You can add one (or preferably more) OTP tokens to your profile. Solutions known to work so far:

 * YubiKey (4 and above, with OTP support): through the `yubioath-desktop` rpm package
 * FreeOTP (available on the Google Play Store)
 * OTPClient (available as an rpm package and as a flatpak on Flathub)
 * others (this list is not exhaustive)

More information about 2FA is available in the specific [portal documentation](https://docs.fedoraproject.org/en-US/fedora-accounts/user/#twofactor).

## SIG group membership

There is currently no form you can use to request being added to a SIG group. Instead, you have to reach out to a SIG chair (who has delegated rights to add/remove people in the SIG group you want to join); once they have confirmed that you can be onboarded into the SIG, they can add you.

To find the people who can sponsor you in a SIG/group, once authenticated you can search for the group on the portal and look at the people listed under the "Sponsors" area (for example, see the [Automotive SIG](https://accounts.centos.org/group/sig-automotive/)).


## Retrieving your TLS certificate

To request a signed TLS certificate, you first need to install the CLI tool. It authenticates with Kerberos, generates a CSR locally (automatically), sends it to IPA for signing, and then hands you back the signed certificate.

Supported Linux distributions: CentOS Stream 8 (or an el8 variant), Fedora 33 and later.

!!! warning
    There is currently no centos-packager package in EPEL 9, so if you're using el9 (or a variant) you'll have to use a CentOS Stream 8 or Fedora container.

```
sudo dnf install -y epel-release  # only needed on CentOS 8 / CentOS Stream 8; not needed on Fedora
sudo dnf install -y centos-packager
```

Your user certificate bundle comes as a single file:

`~/.centos.cert`: PEM file containing your X.509 client certificate and private key

To generate your certificate, use the `centos-cert` tool included in the centos-packager package:

```
 centos-cert

You need to call the script like this : /usr/bin/centos-cert -arguments
 -u : username ([REQUIRED] : your existing ACO/FAS username)
 -v : just validates the existing TLS certificate ([OPTIONAL])
 -r : REALM to use for kerberos ([OPTIONAL] : defaults to FEDORAPROJECT.ORG)
 -f : fasjson url ([OPTIONAL]: defaults to https://fasjson.fedoraproject.org)
 -h : display this help
```

If you've signed up with the account name `tuser`, you can generate your new certificate like this:

```
[tuser@myworkstation]$ centos-cert -u tuser
```

!!! note
    Attention: `centos-cert -u tuser` requests a new certificate, which automatically revokes any other certificate you had in the past. If you need to use cbs/koji on multiple machines, just copy the file mentioned above to the other machines.

!!! warning
    Important note regarding OTP: if you have enabled two-factor authentication, you absolutely need to obtain a valid Kerberos ticket through a separate step *before* running centos-cert. See the [Fedora Accounts Documentation](https://docs.fedoraproject.org/en-US/fedora-accounts/user/#twofactor) for details.

### TLS part for Staging env

If you need to interact with .stg. services (like [https://cbs.stg.centos.org](https://cbs.stg.centos.org)) that rely on TLS auth, be aware that you need a different TLS certificate.

That means you need an account on [https://accounts.stg.centos.org](https://accounts.stg.centos.org), which is not linked to the production accounts.centos.org IPA backend.

It's advised to use a different container or home directory to retrieve your staging cert; just point centos-cert at the [https://fasjson.stg.fedoraproject.org](https://fasjson.stg.fedoraproject.org) URL (option `-f`).

You can manually create (there is nothing for it -yet- in `centos-packager`) a `~/.koji/cbs-stg.conf` that looks like this:

```
[cbs-stg]

;url of XMLRPC server
server = https://cbs.stg.centos.org/kojihub/

;url of web interface
weburl = https://cbs.stg.centos.org/koji

;url of package download site
topurl = http://cbs.stg.centos.org/kojifiles

;path to the koji top directory
topdir = /mnt/koji

;client certificate
cert = ~/.centos-stg.cert

;certificate of the CA that issued the HTTP server certificate
serverca = /etc/pki/tls/certs/ca-bundle.trust.crt

```

!!! warning
    You also have to ensure that your staging TLS file is renamed to the filename referenced by `cert` above (`~/.centos-stg.cert`), since centos-cert writes it as `~/.centos.cert`.

You can then call koji like this:

```
koji -c ~/.koji/cbs-stg.conf -p cbs-stg
```
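Because the bundle holds your private key, and because the staging workflow depends on the file being renamed to match the `cert` path in the profile, it is worth checking both before calling koji. The script below is an added example and is not part of the sig-guide or of centos-packager: it checks that a certificate bundle (the `~/.centos.cert` file described earlier, or the `~/.centos-stg.cert` file the staging profile expects) exists, is readable only by its owner, contains both a certificate and a key, and is not about to expire, and it can resolve the `cert` entry of a koji profile such as `cbs-stg` and run the same checks on it. Script name, function names and the 7-day expiry margin are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the sig-guide or centos-packager): sanity-check
# the certificate bundle written by centos-cert, or the cert a koji profile
# points at, before using cbs/koji. Paths and profile names follow the page
# (~/.centos.cert, ~/.centos-stg.cert, ~/.koji/cbs-stg.conf).

# check_cert_bundle FILE
# Verifies that FILE exists, is readable only by its owner (it contains the
# private key), holds both a certificate and a key, and (when openssl is
# installed) is not expired or expiring within the next 7 days (assumed margin).
check_cert_bundle() {
  f="$1"
  [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
  # GNU stat first, BSD stat as a fallback
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null)
  case "$mode" in
    600|400) ;;
    *) echo "insecure mode $mode on $f (expected 600); run: chmod 600 $f" >&2; return 2 ;;
  esac
  grep -q 'BEGIN CERTIFICATE' "$f" || { echo "no certificate block in $f" >&2; return 3; }
  grep -q 'PRIVATE KEY' "$f"      || { echo "no private key block in $f" >&2; return 4; }
  if command -v openssl >/dev/null 2>&1; then
    # openssl x509 reads the first CERTIFICATE block and skips the key block;
    # -checkend fails if the certificate expires within the given seconds
    openssl x509 -in "$f" -noout -checkend 604800 >/dev/null 2>&1 \
      || { echo "certificate in $f is expired or expires within 7 days; re-run centos-cert" >&2; return 5; }
    openssl x509 -in "$f" -noout -subject -enddate
  fi
  return 0
}

# koji_profile_cert CONF PROFILE
# Prints the `cert` value from the [PROFILE] section of a koji config file.
koji_profile_cert() {
  awk -v sect="[$2]" '
    $0 == sect                      { insect = 1; next }
    /^\[/                           { insect = 0 }
    insect && /^[ \t]*cert[ \t]*=/  { sub(/^[^=]*=[ \t]*/, ""); print; exit }
  ' "$1"
}

# check_koji_profile CONF PROFILE
# Resolves the profile's cert path (expanding a leading ~) and checks it, so a
# staging cert that was never renamed to ~/.centos-stg.cert is caught before
# koji fails with an opaque TLS error.
check_koji_profile() {
  p=$(koji_profile_cert "$1" "$2")
  [ -n "$p" ] || { echo "no cert= entry in profile [$2] of $1" >&2; return 6; }
  case "$p" in "~/"*) p="$HOME/${p#*/}" ;; esac
  check_cert_bundle "$p"
}

# Usage: sh check-centos-cert.sh ~/.centos.cert
#        sh check-centos-cert.sh ~/.koji/cbs-stg.conf cbs-stg
case $# in
  0) : ;;                            # no arguments: only define the functions
  1) check_cert_bundle "$1" ;;
  2) check_koji_profile "$1" "$2" ;;
esac
```

Run it with the bundle path to check a production cert, or with the config file and profile name to check the staging setup; a non-zero exit code and a message on stderr tell you which condition failed (missing file, loose permissions, incomplete bundle, or an expired certificate).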

## Linking your CentOS account to gitlab

The first thing to understand is that gitlab will "link" an existing account
with a third-party authentication system. In other words, you need to have a
gitlab account and be logged in on gitlab.com before you can associate your
account with the CentOS Account System (ACO).

So if you do not have a gitlab account, create one and log in with it at
[https://gitlab.com](https://gitlab.com). Then visit the following link,
[https://id.centos.org/gitlab](https://id.centos.org/gitlab), to associate your
account with CentOS' Account System.

From there on, every time you visit this link, your group membership as defined
in ACO will be refreshed on gitlab.