
Service accounts

Open kylef opened this issue 3 years ago • 1 comments

This is a feature request, which I'm not too invested in. If the maintainers do not like it, or are not keen on the idea, feel free to close it.

At the moment today, for bots and other services you wish to run with Ergo, you need to create an account (which can be a little disruptive because you often need to make a second connection to manage new accounts). The password for the account needs to be shared by all administrators who should be able to administer the account, and the bot itself. The bot runs with full control over the account (along with all the other users). There's no way to audit the access; you can't determine which user has done an action when they all share the same password. The shared password has to be rotated when an administrator leaves the group.

The idea I'm proposing is the concept of "service" accounts; these are accounts that are owned by other users (a collection of). The service account doesn't have a password to administer or control the account; this can only be done by the owners.

Service software such as bots make use of their own credentials (or mTLS); the credentials can be used with SASL as other user accounts can. Potentially it could be interesting to be able to lock down these credentials, such that they can only be used from certain CIDRs. Operations such as NickServ/ChanServ are restricted to the bearer of these credentials, if they even have access.

In IRC, other users can understand from output in whois that this is a service (with bot mode); they may also be able to find a point of contact for the service.

This may be somewhat related to #71, in which with #71 you may want some kind of credentials to use in automation. Programmatically sending messages with service credentials to the REST API etc.

kylef, Jun 19 '21 11:06
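The credential model proposed in the issue above, as an added example; it is not Ergo code and not part of the original issue. It shows per-bearer credentials on an owned account, an optional CIDR restriction per credential, and a login result that names the credential used so access can be audited and one bearer revoked alone. All type and function names, tokens and networks are hypothetical.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"net/netip"
)

// Credential is one bearer's secret on a service account (hypothetical model).
type Credential struct {
	Hash    [32]byte       // SHA-256 of a random high-entropy token
	Allowed []netip.Prefix // source networks; empty means unrestricted
}

// ServiceAccount has owners and per-bearer credentials, but no shared password.
type ServiceAccount struct {
	Owners []string
	Creds  map[string]Credential // keyed by credential ID, used in audit records
}

// Authenticate returns the ID of the matching credential, so a login is attributable.
func (a *ServiceAccount) Authenticate(token string, src netip.Addr) (string, error) {
	sum := sha256.Sum256([]byte(token))
	for id, c := range a.Creds {
		if subtle.ConstantTimeCompare(sum[:], c.Hash[:]) != 1 {
			continue
		}
		ok := len(c.Allowed) == 0
		for _, p := range c.Allowed {
			// Unmap so ::ffff:a.b.c.d is checked against IPv4 prefixes.
			ok = ok || p.Contains(src.Unmap())
		}
		if !ok {
			return "", fmt.Errorf("credential %s not permitted from %s", id, src)
		}
		return id, nil
	}
	return "", fmt.Errorf("unknown credential")
}

// demoAccount returns constructed sample data: two bearers, one locked to a CIDR.
func demoAccount() *ServiceAccount {
	return &ServiceAccount{Owners: []string{"alice", "bob"}, Creds: map[string]Credential{
		"bot-prod": {sha256.Sum256([]byte("tok-A")), []netip.Prefix{netip.MustParsePrefix("10.0.0.0/8")}},
		"ci":       {sha256.Sum256([]byte("tok-B")), nil},
	}}
}

func main() { fmt.Println(demoAccount().Authenticate("tok-A", netip.MustParseAddr("203.0.113.9"))) }
```

Revoking one bearer is `delete(a.Creds, "ci")`; the other credential keeps working, which is the rotation problem the shared password has.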

> You need to create an account (which can be a little disruptive because you often need to make a second connection to manage new accounts).

There is also /ns saregister <username> [password].

In general I wonder if this overlaps a bit with https://github.com/ergochat/ergo/issues/465 too, which I think of as GroupServ?

Mikaela, Jun 19 '21 11:06