action #138446
closed
Ensure SUSE QE tooling always uses authenticated IBS API access size:M
Start date: 2023-10-24
Due date:
% Done: 0%
Estimated time:
Description
Motivation
As announced in https://mailman.suse.de/mlarch/SuSE/research/2023/research.2023.10/msg00059.html:
As part of hardening the security posture of our internal build service, please be notified that we are going to be disabling the anonymous read access to IBS effective November 15th, possibly delayed to November 30 if there's a good reason given.
Following this change, the web user interface of IBS will not allow anonymous access to data and the API will not allow https://api.suse.de/public route.
We should ensure that our tooling, if relying on that, is ready for the change.
Acceptance criteria
- AC1: All SUSE QE Tools maintained tooling using build.suse.de or api.suse.de uses authenticated access
Suggestions
- Read the complete thread behind https://mailman.suse.de/mlarch/SuSE/research/2023/research.2023.10/msg00059.html as well as https://suse.slack.com/archives/C02CBB35W5B/p1697791512356939
- Check our tooling for use of build.suse.de or api.suse.de, e.g. https://github.com/openSUSE/qem-bot/ or https://gitlab.suse.de/qa-maintenance/teregen/ or maybe also https://github.com/openSUSE/mtui/
- Set up or use non-personal bot accounts. According to bmwiedemann from https://suse.slack.com/archives/C02CBB35W5B/p1698157772227709?thread_ts=1697791512.356939&cid=C02CBB35W5B "team-accounts are certainly created via https://idp-portal.suse.com/univention/self-service/#page=createaccount and then need the right permission. either via SD-Ticket or autobuild@suse.de if it only needs to access IBS"
- Feed the credentials into the corresponding GitLab CI pipelines and/or add them to the corresponding user instructions
- Ensure all our automated tools as well as user-facing tooling work using authenticated access
- qem-bot and teregen are using osc with a proper bot account, which was implemented in #111998
- mtui is using osc with user-provided credentials, so it should also be fine
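
One way to carry out the tooling check suggested above, as an added example that is not part of the ticket or of any SUSE QE tool: it scans a checkout for build.suse.de and api.suse.de references and separates uses of the `/public` route from other references whose authentication still has to be verified. The function names, the skipped directories and the sample tree are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Hosts named in the ticket; "/public" is the anonymous API route being removed.
IBS_REF = re.compile(
    r"\b(?:https?://)?(?P<host>api\.suse\.de|build\.suse\.de)(?P<path>/[^\s\"'<>)]*)?")
SKIP_DIRS = {".git", "node_modules", "__pycache__", ".venv"}  # assumed noise dirs


def classify(host, path):
    """Return 'anonymous-route' for api.suse.de/public..., else 'needs-auth-check'."""
    if host == "api.suse.de" and re.match(r"/public(/|\?|$)", path or ""):
        return "anonymous-route"
    return "needs-auth-check"


def scan_tree(root):
    """Return (relative_path, line_no, reference, verdict) for each IBS reference."""
    root = Path(root)
    findings = []
    for file in sorted(root.rglob("*")):
        if not file.is_file() or SKIP_DIRS & set(file.relative_to(root).parts):
            continue
        try:
            text = file.read_text(encoding="utf-8")
        except (UnicodeDecodeError, OSError):
            continue  # binary or unreadable file: nothing to grep
        for line_no, line in enumerate(text.splitlines(), 1):
            for m in IBS_REF.finditer(line):
                findings.append((str(file.relative_to(root)), line_no, m.group(0),
                                 classify(m.group("host"), m.group("path"))))
    return findings


def demo():
    """Scan a constructed two-file tree (sample content, not real tooling)."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "bot.py").write_text(
            'URL = "https://api.suse.de/public/source/EXAMPLE:Project"\n'
            'WEB = "https://build.suse.de/project/show/EXAMPLE:Project"\n')
        Path(tmp, "README.md").write_text("See api.suse.de/source for details.\n")
        return scan_tree(tmp)


if __name__ == "__main__":
    for path, line_no, ref, verdict in demo():
        print(f"{verdict:17} {path}:{line_no} {ref}")
```

Lines reported as `anonymous-route` stop working once the `/public` route is disabled; `needs-auth-check` lines only indicate that the surrounding code talks to IBS and must be confirmed to send credentials.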