Switch to new SUSE/openSUSE authentication system
Currently SUSE is in the process of switching from a Microfocus authentication system to multiple different, new authentication systems, see also https://idp-portal-info.suse.com/ . So far openQA was and still is using the openID provider from openSUSE, https://www.opensuse.org/openid/user . There have been some misunderstandings and conflicts, especially around the Open Build Service and which service it should use. So far for openQA the story was that nothing needs to be changed because we can still use the openID provider by openSUSE, which will just not redirect to Microfocus anymore. Just for reference, Fedora is also using openID successfully on https://openqa.fedoraproject.org/ , and so is https://openqa.qubes-os.org . We need to continue supporting a login for openSUSE as well as SUSE users with a common authentication service.
- AC1: Login on https://openqa.opensuse.org works without relying on Microfocus infrastructure
- AC2: Same as AC1 for https://openqa.suse.de
- AC3: Other non-openSUSE/non-SUSE instances are unaffected
- Wait for switch over by other services completed
- Monitor how the situation evolves
#4 Updated by okurz over 1 year ago
Progress as visible on http://okurz-vm.qa.suse.de/ looks promising. Login over openID using the provider URL https://www.opensuse.org/idp/ works but does not yet give back a proper username; instead it gives the complete authentication URL "https://www.opensuse.org/idp/openid/id/okurz/" as the username.
As of today login over the openID provider https://www.opensuse.org/openid/user/ does not seem to work anymore from openqa.opensuse.org, and not from other instances either. Has the upstream openID provider been switched off before a replacement has been put in place?
I have created https://infra.nue.suse.com/SelfService/Display.html?id=171520 with the content:
Login over the openID provider https://www.opensuse.org/openid/user/ does not seem to work anymore from openqa.opensuse.org, and not from other instances either. Has the upstream openID provider been switched off before a replacement has been put in place? The response is simply "Forbidden". To my understanding the plan was that SUSE-IT (or Engineering Infra) will ensure the continuity of service behind the above URL. I see this is critical not only for the SUSE and openSUSE openQA instances but in particular also because the above URL is provided as the default for any openQA installation, so many more users and services are affected. Also see https://progress.opensuse.org/issues/66703 for details. As a workaround: the web UI continues to be readable (read-only) for most data, and the API authentication over API key/secret is available for all operations needing authentication, e.g. operator and admin views as well as writing operations.
#7 Updated by okurz over 1 year ago
[02/06/2020 14:13:16] <okurz> http://okurz-vm.qa.suse.de/ looks promising regarding pure openSUSE openID. There was a problem in the config of the openID server
[02/06/2020 14:18:06] <mkittler> Ok. If that works, can we configure OSD/o3 in the same way?
[02/06/2020 14:22:24] <okurz> we could. I configured o3 for a split-second in that way but the problem is that as long as the authentication URL is not the same we would not be recognized as the same users. We could certainly have a temporary workaround for that as well but maybe we can move to the old authentication URL easier
#8 Updated by okurz over 1 year ago
The instance managed by MF-IT is still offline. We found a way that works using the new authentication provider. So the login using the existing methods without needing any change in openQA configuration works. Expect a new dialog asking for username+password from the "Ipsilon server". Still pending: proper database and backups on the OpenID server side.
[03/06/2020 08:38:16] <bmwiedemann1> okurz: looks a bit better now. I adjusted redirects on ipsilon.
[03/06/2020 08:39:10] <okurz> I'd even say it looks very good :)
[03/06/2020 08:39:37] <okurz> as in, I think I am the same user as on the old openID server
[03/06/2020 08:40:28] <okurz> so with this I assume the only thing left is to switch the redirect on w3 again?
[03/06/2020 08:40:33] <bmwiedemann1> but I noticed that login went through www.opensuse.org/login now, which does not exist yet
[03/06/2020 08:43:30] <bmwiedemann1> OK. let's try to switch on w3
[03/06/2020 08:57:52] <okurz> bmwiedemann1: "unexpected_url_redirect: Discovery for the given ID ended up at the wrong place" when returning back from ipsilon
[03/06/2020 09:01:50] <pjessen> is anyone working on the mirrors listing page? something is not right with the shading of alternating lines
[03/06/2020 09:01:57] <okurz> bmwiedemann1: it also fails on http://okurz-vm.qa/ now which should still directly point to id.opensuse.org
[03/06/2020 09:03:17] <bmwiedemann1> okurz: works there now
[03/06/2020 09:03:31] <bmwiedemann1> I changed the redirect on w3 into a proxy
[03/06/2020 09:03:56] <bmwiedemann1> the perl openID consumer did not like the id.o.o vs www.o.o mismatch
[03/06/2020 09:03:57] <okurz> nice, that looks better :)
[03/06/2020 09:04:21] <okurz> yeah I guess for authentication system one has to be a bit more picky when you want to trust ;)
[03/06/2020 09:15:58] <bmwiedemann1> OK, now how do we tell users about that change? I'll update idp-portal-info as the first step.
[03/06/2020 09:17:53] <okurz> that's good.
[03/06/2020 09:18:35] <okurz> do you want to declare it production-ready already? I did not see further problems. I could update all openSUSE users using opensuse-factory and SUSE internal using firstname.lastname@example.org
[03/06/2020 09:21:59] <bmwiedemann1> I just hit some other problem. The authorization step does not work here
[03/06/2020 09:23:06] <bmwiedemann1> and there is more to do for it to be production-ready.
[03/06/2020 09:23:13] <bmwiedemann1> e.g. proper DB and backups
[03/06/2020 09:24:58] <okurz> so I would wait until we more widely announce that
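The redirect-vs-proxy difference from the chat above, as an added Python example (not code from openQA or its Perl OpenID consumer): a relying party that refuses a discovery result reached through a cross-origin redirect, which is the "unexpected_url_redirect" outcome, and accepts the same document when w3 proxies it. The fetch tables, the id.opensuse.org URLs and the Yadis body are constructed stand-ins, and treating every cross-origin hop as a failure is this example's own simplified policy.

```python
# Added example: simplified OpenID discovery that only trusts a result
# served from the claimed identifier's own origin. The real consumer's
# exact rules differ; "any cross-origin redirect fails" is an assumption.
from urllib.parse import urlsplit

MAX_REDIRECTS = 5


def origin(url):
    """(scheme, host) of a URL; the trust boundary used below."""
    parts = urlsplit(url)
    return (parts.scheme.lower(), parts.netloc.lower())


def discover(claimed_id, fetch):
    """Follow redirects from the claimed identifier.

    Returns ("ok", final_url, body) when every hop stays on the
    identifier's origin, otherwise ("error", reason, url).
    """
    url, hops = claimed_id, 0
    while True:
        status, location, body = fetch(url)
        if status in (301, 302, 303, 307, 308):
            hops += 1
            if hops > MAX_REDIRECTS:
                return ("error", "too_many_redirects", url)
            if origin(location) != origin(claimed_id):
                # Discovery for the given ID ended up at the wrong place.
                return ("error", "unexpected_url_redirect", location)
            url = location
            continue
        if status != 200:
            return ("error", "http_%d" % status, url)
        return ("ok", url, body)


# Constructed responses modelling the two w3 configurations from the log.
CLAIMED = "https://www.opensuse.org/openid/user/"
YADIS = "<xrds>constructed discovery document</xrds>"  # constructed body


def w3_redirecting(url):
    """w3 answers with a 302 to the ipsilon host (constructed URL)."""
    table = {
        CLAIMED: (302, "https://id.opensuse.org/openid/user/", ""),
        "https://id.opensuse.org/openid/user/": (200, None, YADIS),
    }
    return table.get(url, (404, None, ""))


def w3_proxying(url):
    """w3 serves the ipsilon document itself, so no redirect is seen."""
    return {CLAIMED: (200, None, YADIS)}.get(url, (404, None, ""))
```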
#9 Updated by okurz over 1 year ago
- Due date set to 2020-06-09
- Status changed from Blocked to Feedback
Sent email to email@example.com and internal chat and [#opensuse-factory](irc://chat.freenode.net/opensuse-factory). With this we do not rely on the MF-IT instance anymore at all. Let's collect feedback over some days to see if this all works out ok. The new instance showed two problems so far: 1. a temporary problem #67714 and 2. the casing of the username is now important, i.e. how you write your username in ipsilon is forwarded to openQA. IIUC bmwiedemann is aware of this and might implement something on the server side, otherwise we can implement a workaround in openQA to use lowercase only for internal referencing.
#10 Updated by okurz over 1 year ago
- Due date changed from 2020-06-09 to 2020-06-30
I failed to log in on http://jenkins.qa.suse.de/ since we switched the authentication instance. I created https://infra.nue.suse.com/SelfService/Display.html?id=171656 for that.
No update from bmwiedemann so far.