QA » openQA Project

So far my knowledge is that the openID provider by openSUSE should stay. Wrote an email to to Evzenie Sujskaja evzenie.sujskaja@suse.com , copy to osd-admins@suse.de, for clarification.

bmwiedemann is working on openID for openSUSE as replacement for the existing solution as I learned from personal email traffic. Accenture plans to switch off the current openID provider in the next weeks.

Progress as visible on http://okurz-vm.qa.suse.de/ looks promising. Login over openID works using the provider URL https://www.opensuse.org/idp/ works but does not yet give back a proper username but the complete authentication URL "https://www.opensuse.org/idp/openid/id/okurz/" as username.

As of today login over the openID provider https://www.opensuse.org/openid/user/ does not seem to work anymore from openqa.opensuse.org and also not other instances. Has the upstream openID provider been switched off before a replacement has been put in place?

I have created
https://infra.nue.suse.com/SelfService/Display.html?id=171520 with the content

Login over the openID provider https://www.opensuse.org/openid/user/ does not seem to work anymore from openqa.opensuse.org and also not other instances. Has the upstream openID provider been switched off before a replacement has been put in place? The response is simply "Forbidden".
To my understanding the plan was that SUSE-IT (or Engineering Infra) will ensure the continuinity of service behind the above URL. I see this is critical not only for the SUSE and openSUSE openQA instances but also in particular as the above URL is provided as the default for any openQA installation so many more users and services are affected.

Also see https://progress.opensuse.org/issues/66703 for details.

as a workaround: The webui continues to be readable read-only for most data and the API authentication over API key/secret is available for all operations needing authentication, e.g. operator and admin views as well as writing operations

[02/06/2020 14:13:16] <okurz> http://okurz-vm.qa.suse.de/ looks promising regarding pure openSUSE openID. There was a problem in the config of the openID server
[02/06/2020 14:18:06] <mkittler> Ok. If that works, can we configure OSD/o3 in the same way?
[02/06/2020 14:22:24] <okurz> we could. I configured o3 for a split-second in that way but the problem is that as long as the authentication URL is not the same we would not be recognized as the same users. We could certainly have a temporary workaround for that as well but maybe we can move to the old authentication URL easier

The instance managed by MF-IT is still offline. We found a way that works using the new authentication provider. So the login using the existing methods without needing any change in openQA configuration works. Expect a new dialog asking for username+password from the "Ipsilon server". Still pending: proper database and backups on the OpenID server side.

[03/06/2020 08:38:16] <bmwiedemann1> okurz: looks a bit better now. I adjusted redirects on ipsilon.
[03/06/2020 08:39:10] <okurz> I'd even say it looks very good :)
[03/06/2020 08:39:37] <okurz> as in, I think I am the same user as on the old openID server
[03/06/2020 08:40:28] <okurz> so with this I assume the only thing left is to switch the redirect on w3 again?
[03/06/2020 08:40:33] <bmwiedemann1> but I noticed that login went through www.opensuse.org/login now, which does not exist yet
[03/06/2020 08:43:30] <bmwiedemann1> OK. let's try to switch on w3
[03/06/2020 08:57:52] <okurz> bmwiedemann1: "unexpected_url_redirect: Discovery for the given ID ended up at the wrong place" when returning back from ipsilon
[03/06/2020 09:01:50] <pjessen> is anyone working on the mirrors listing page?  something is not right with the shading of alternating lines
[03/06/2020 09:01:57] <okurz> bmwiedemann1: it also fails on http://okurz-vm.qa/ now which should still directly point to id.opensuse.org
[03/06/2020 09:03:17] <bmwiedemann1> okurz: works there now
[03/06/2020 09:03:31] <bmwiedemann1> I changed the redirect on w3 into a proxy
[03/06/2020 09:03:56] <bmwiedemann1> the perl openID consumer did not like the id.o.o vs www.o.o mismatch
[03/06/2020 09:03:57] <okurz> nice, that looks better :)
[03/06/2020 09:04:21] <okurz> yeah I guess for authentication system one has to be a bit more picky when you want to trust ;)
[03/06/2020 09:15:58] <bmwiedemann1> OK, now how do we tell users about that change? I'll update idp-portal-info as the first step.
[03/06/2020 09:17:53] <okurz> that's good.
[03/06/2020 09:18:35] <okurz> do you want to declare it production-ready already? I did not see further problems. I could update all openSUSE users using opensuse-factory and SUSE internal using openqa@suse.de
[03/06/2020 09:21:59] <bmwiedemann1> I just hit some other problem. The authorization step does not work here
[03/06/2020 09:23:06] <bmwiedemann1> and there is more to do for it to be production-ready.
[03/06/2020 09:23:13] <bmwiedemann1> e.g. proper DB and backups
[03/06/2020 09:24:58] <okurz> so I would wait until we more widely announce that