action #138446
closed
Ensure SUSE QE tooling always uses authenticated IBS API access size:M
0%
Description
Motivation
As announced in https://mailman.suse.de/mlarch/SuSE/research/2023/research.2023.10/msg00059.html:
As part of hardening the security posture of our internal build service, please be notified that we are going to be disabling the anonymous read access to IBS effective November 15th, possibly delayed to November 30 if there's a good reason given.
Following this change, the web user interface of IBS will not allow anonymous access to data and the API will not allow https://api.suse.de/public route.
We should ensure that any of our tooling that relies on that is ready for the change.
Acceptance criteria
- AC1: All tooling maintained by SUSE QE Tools that uses build.suse.de or api.suse.de uses authenticated access
Suggestions
- Read the complete thread behind https://mailman.suse.de/mlarch/SuSE/research/2023/research.2023.10/msg00059.html as well as https://suse.slack.com/archives/C02CBB35W5B/p1697791512356939
- Check our tooling for use of build.suse.de or api.suse.de, e.g. https://github.com/openSUSE/qem-bot/ or https://gitlab.suse.de/qa-maintenance/teregen/ or maybe also https://github.com/openSUSE/mtui/
- Set up or use non-personal bot accounts. According to bmwiedemann from https://suse.slack.com/archives/C02CBB35W5B/p1698157772227709?thread_ts=1697791512.356939&cid=C02CBB35W5B "team-accounts are certainly created via https://idp-portal.suse.com/univention/self-service/#page=createaccount and then need the right permission. either via SD-Ticket or autobuild@suse.de if it only needs to access IBS"
- Feed the credentials into the corresponding GitLab CI pipelines and/or add them to the corresponding user instructions
- Ensure all our automated tools as well as user-facing tooling work using authenticated access
- qem-bot and teregen are using osc with a proper bot account; that was implemented in #111998
- mtui is using osc with user-provided credentials, so it should also be fine
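An added example (not part of the ticket or of any SUSE tool): one way to carry out the "check our tooling" suggestion is to scan a checked-out repository for references to the two hosts and separate uses of the `/public` API route, which the announcement says will stop working, from references that only need an authentication review. The function names, category labels and sample lines are assumptions constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Hosts named in the ticket. Lookarounds avoid look-alikes such as
# "notapi.suse.de" or "api.suse.de.example.org".
URL_RE = re.compile(
    r"(?<![\w.-])(?P<host>api\.suse\.de|build\.suse\.de)(?![\w-])(?!\.\w)"
    r"(?::\d+)?(?P<path>/[^\s\"'<>)]*)?"
)

def classify(host, path):
    """'/public' on the API host is the anonymous route being disabled;
    every other reference still needs a check that credentials are sent."""
    if host == "api.suse.de" and re.match(r"/public(?:/|$|\?)", path or ""):
        return "anonymous-route"
    return "review-auth"

def scan_text(text):
    """Return (line number, host, category) for each IBS reference in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in URL_RE.finditer(line):
            findings.append((lineno, m["host"], classify(m["host"], m["path"])))
    return findings

def scan_tree(root):
    """Walk a checkout (skipping .git) and collect findings per file."""
    root = Path(root)
    results = []
    for f in sorted(root.rglob("*")):
        if not f.is_file() or ".git" in f.relative_to(root).parts:
            continue
        try:
            text = f.read_text(encoding="utf-8", errors="ignore")
        except OSError:
            continue  # unreadable file: nothing to report
        for lineno, host, kind in scan_text(text):
            results.append((str(f.relative_to(root)), lineno, host, kind))
    return results

if __name__ == "__main__":
    hits = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, lineno, host, kind in hits:
        print(f"{kind:16} {path}:{lineno} ({host})")
    # A non-zero exit lets a CI job fail while anonymous routes remain.
    sys.exit(1 if any(h[3] == "anonymous-route" for h in hits) else 0)
```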
Updated by jbaier_cz 6 months ago
- Related to action #111998: Make our SLE related tooling work with upcoming changes to build.suse.de (2FA and ssh key based authentication) size:M added
Updated by jbaier_cz 6 months ago
As I predicted, the tooling is fine. The only place I am not sure about is actually in our osd configuration: https://gitlab.suse.de/openqa/salt-states-openqa/-/blob/master/openqa/server.sls?ref_type=heads#L87
Updated by jbaier_cz 6 months ago
So it seems that our ObsRsync plugin needs to support authentication and 2FA for making a status query in https://github.com/os-autoinst/openQA/blob/94ee81246a77eba00c74b336f7c8d6e6c6d60915/lib/OpenQA/WebAPI/Plugin/ObsRsync.pm#L383
Updated by jbaier_cz 6 months ago
- Related to action #139073: ObsRsync plugin needs to support authentication with 2FA size:M added