Project

General

Profile

Actions

coordination #89020

open

coordination #80142: [saga][epic] Scale out: Redundant/load-balancing deployments of openQA, easy containers, containers on kubernetes

[epic] Support for multiple authentication providers

Added by livdywan almost 4 years ago. Updated over 3 years ago.

Status:
Workable
Priority:
Normal
Assignee:
-
Category:
Feature requests
Target version:
Start date:
2021-04-09
Due date:
% Done:

100%

Estimated time:
(Total: 0.00 h)

Description

Motivation

Again the identity provider we use from openSUSE is making some problems, e.g. see #88751 , so we thought about investing in alternatives that we can use in parallel to the existing way. We already have support for other identity provides but not at the same time

Acceptance criteria

  • AC1: openqa.opensuse.org offers to login over both the existing provider as well as another one, e.g. using github

Observation

In the openQA configuration one can currently choose between FakeAuth, OpenID and OAuth2. Setting auth/method in the config file changes that globally. Only one method can be used at the same time. Changing it would require all logins to go through the new method. And Login always immediately redirects to the configured provider.

Suggestions

  • DONE: Add a provider column to the Users table
  • Make username unique across providers (so the new unique constraint would be username,provider and not just username)
  • Allow configuring multiple auth methods at the same time
  • Allow configuring multiple providers per auth method at the same time at least for OAuth2 (to be able to support e.g. ipsilon and GitHub at the same time)
  • Ensure existing data defaults to the active provider upon migration or continues to work as-is with manual intervention required
  • Provide UX in the web UI e.g. expose buttons for providers to choose from
  • Make it clear in the UI which authentication provider is used

Subtasks 1 (0 open1 closed)

action #90929: get OAuth2 to work with salsa.debian.org (gitlab)Resolvedmkittler2021-04-09

Actions
Actions #1

Updated by mkittler almost 4 years ago

  • Description updated (diff)
Actions #2

Updated by okurz almost 4 years ago

  • Description updated (diff)
  • Category set to Feature requests
  • Target version set to future

+1, thx

Added motivation and ACs

Actions #3

Updated by okurz almost 4 years ago

cdywan wrote:

  • Ensure existing data defaults to the active provider upon migration or continues to work as-is with manual intervention required

Also it is completely fine if the accounts from different providers are just individual accounts which do not share any data.

Actions #4

Updated by mkittler over 3 years ago

PR for adding a database column for this has been merged: https://github.com/os-autoinst/openQA/pull/3770
Draft PR containing the next step forward for the auth system: https://github.com/os-autoinst/openQA/pull/3769

Actions #5

Updated by okurz over 3 years ago

  • Tracker changed from action to coordination
  • Subject changed from Support for multiple authentication providers to [epic] Support for multiple authentication providers
  • Status changed from New to Blocked
  • Assignee set to okurz
  • Parent task set to #80142
Actions #6

Updated by okurz over 3 years ago

  • Description updated (diff)
Actions #7

Updated by okurz over 3 years ago

  • Description updated (diff)
  • Status changed from Blocked to Workable
  • Assignee deleted (okurz)

further specific subtasks can be created

Actions

Also available in: Atom PDF