coordination #89020

coordination #80142: [saga][epic] Scale out openQA: Redundant/load-balancing deployments of openQA, easy containers, containers on kubernetes

[epic] Support for multiple authentication providers

Added by cdywan about 2 months ago. Updated 3 days ago.

Status: Workable
Priority: Normal
Assignee: -
Category: Feature requests
Target version:
Start date: 2021-04-09
Due date: 2021-04-24
% Done: 100%
Estimated time: (Total: 0.00 h)
Difficulty:
Description

Motivation

Again the identity provider we use from openSUSE is making some problems, e.g. see #88751, so we thought about investing in alternatives that we can use in parallel to the existing way. We already have support for other identity providers but not at the same time.

Acceptance criteria

  • AC1: openqa.opensuse.org offers to login over both the existing provider as well as another one, e.g. using github

Observation

In the openQA configuration one can currently choose between FakeAuth, OpenID and OAuth2. Setting auth/method in the config file changes that globally. Only one method can be used at a time. Changing it would require all logins to go through the new method. Login also always redirects immediately to the configured provider.

Suggestions

  • DONE: Add a provider column to the Users table
  • Make username unique across providers (so the new unique constraint would be username,provider and not just username)
  • Allow configuring multiple auth methods at the same time
  • Allow configuring multiple providers per auth method at the same time at least for OAuth2 (to be able to support e.g. ipsilon and GitHub at the same time)
  • Ensure existing data defaults to the active provider upon migration or continues to work as-is with manual intervention required
  • Provide UX in the web UI e.g. expose buttons for providers to choose from
  • Make it clear in the UI which authentication provider is used

Subtasks

action #90929: get OAuth2 to work with salsa.debian.org (gitlab) - Resolved - mkittler

History

#1 Updated by mkittler about 2 months ago

  • Description updated (diff)

#2 Updated by okurz about 2 months ago

  • Description updated (diff)
  • Category set to Feature requests
  • Target version set to future

+1, thx

Added motivation and ACs

#3 Updated by okurz about 1 month ago

cdywan wrote:

  • Ensure existing data defaults to the active provider upon migration or continues to work as-is with manual intervention required

Also it is completely fine if the accounts from different providers are just individual accounts which do not share any data.

#4 Updated by mkittler 8 days ago

PR for adding a database column for this has been merged: https://github.com/os-autoinst/openQA/pull/3770
Draft PR containing the next step forward for the auth system: https://github.com/os-autoinst/openQA/pull/3769

#5 Updated by okurz 4 days ago

  • Tracker changed from action to coordination
  • Subject changed from Support for multiple authentication providers to [epic] Support for multiple authentication providers
  • Status changed from New to Blocked
  • Assignee set to okurz
  • Parent task set to #80142

#6 Updated by okurz 3 days ago

  • Description updated (diff)

#7 Updated by okurz 3 days ago

  • Description updated (diff)
  • Status changed from Blocked to Workable
  • Assignee deleted (okurz)

Further specific subtasks can be created.
