coordination #89020
opencoordination #80142: [saga][epic] Scale out: Redundant/load-balancing deployments of openQA, easy containers, containers on kubernetes
[epic] Support for multiple authentication providers
100%
Description
Motivation¶
Again the identity provider we use from openSUSE is making some problems, e.g. see #88751 , so we thought about investing in alternatives that we can use in parallel to the existing way. We already have support for other identity provides but not at the same time
Acceptance criteria¶
- AC1: openqa.opensuse.org offers to login over both the existing provider as well as another one, e.g. using github
Observation¶
In the openQA configuration one can currently choose between FakeAuth, OpenID and OAuth2. Setting auth/method
in the config file changes that globally. Only one method can be used at the same time. Changing it would require all logins to go through the new method. And Login always immediately redirects to the configured provider.
Suggestions¶
- DONE:
Add a provider column to the Users table - Make username unique across providers (so the new unique constraint would be
username,provider
and not justusername
) - Allow configuring multiple auth methods at the same time
- Allow configuring multiple providers per auth method at the same time at least for OAuth2 (to be able to support e.g. ipsilon and GitHub at the same time)
- Ensure existing data defaults to the active provider upon migration or continues to work as-is with manual intervention required
- Provide UX in the web UI e.g. expose buttons for providers to choose from
- Make it clear in the UI which authentication provider is used
Updated by okurz almost 4 years ago
- Description updated (diff)
- Category set to Feature requests
- Target version set to future
+1, thx
Added motivation and ACs
Updated by okurz almost 4 years ago
cdywan wrote:
- Ensure existing data defaults to the active provider upon migration or continues to work as-is with manual intervention required
Also it is completely fine if the accounts from different providers are just individual accounts which do not share any data.
Updated by mkittler over 3 years ago
PR for adding a database column for this has been merged: https://github.com/os-autoinst/openQA/pull/3770
Draft PR containing the next step forward for the auth system: https://github.com/os-autoinst/openQA/pull/3769
Updated by okurz over 3 years ago
- Tracker changed from action to coordination
- Subject changed from Support for multiple authentication providers to [epic] Support for multiple authentication providers
- Status changed from New to Blocked
- Assignee set to okurz
- Parent task set to #80142
Updated by okurz over 3 years ago
- Description updated (diff)
- Status changed from Blocked to Workable
- Assignee deleted (
okurz)
further specific subtasks can be created