anitya

simpler options than OAuth/OpenID for login

Open luto opened this issue 8 years ago • 17 comments

It's clear to see that using the FAS is perfect to handle logins on https://release-monitoring.org/. Most of the people using that instance are Fedora people anyway. For self-hosted instances this introduces an external dependency. Acquiring the necessary tokens also makes the setup more complicated than it needs to be.

Do you plan on enabling a simple login process with local users, either from the database or alternatively using just a text file? Would you consider a PR to add this?

luto avatar Jun 08 '17 15:06 luto

I'm open to having local users, although we also have adding GitHub OAuth (#485) and fixing Google OAuth (#437) on the roadmap. At the moment, what's in master authentication-wise is somewhat different from what https://release-monitoring.org/ has, and needs a bit more work before it's release-ready (https://github.com/release-monitoring/anitya/issues/485#issuecomment-302097670), so it might be a turbulent time to also add local users. On the other hand, it might be worth considering it since we need to do some database modeling for users anyway.

jeremycline avatar Jun 08 '17 17:06 jeremycline

I'd personally advise against adding local user authentication support directly to Anitya itself, since it would make Anitya responsible for secure password management and all the complexity that comes with that (password resets, etc). Any such code would also inevitably end up being under-tested, since release-monitoring.org wouldn't be using it.

However, it would be good to have a documented way of running a simple OAuth2 server up locally so folks can more readily use their own identity provider, rather than relying on a third party one like FAS.

Ipsilon generally expects to be run in combination with a full IdM server like FreeIPA, so it's probably too complex to be suitable for that usage model.

Instead, an approach that may make more sense might be to use the example auth server from flask-oauthlib: https://flask-oauthlib.readthedocs.io/en/latest/oauth2.html

Since Anitya is only relying on the authentication flows and handling role-based access control itself, the OAuth2 server it talks to doesn't need to provide the full feature set offered by something like Ipsilon or Keycloak.

ncoghlan avatar Jun 23 '17 00:06 ncoghlan

> Ipsilon generally expects to be run in combination with a full IdM server like FreeIPA, so it's probably too complex to be suitable for that usage model.

Well, you can pick what Ipsilon relies on in the backend. It can be LDAP, with FreeIPA or not, but it can also be something much simpler such as system accounts (actual accounts on the server) or htpasswd used by Apache or even a file with username/password. So you can make it as complex or as simple as you wish.

pypingou avatar Jun 25 '17 14:06 pypingou

If there's a simple devel mode for Ipsilon (e.g. sqlite backed), then that would be ideal. However, if that's possible, it isn't clearly documented anywhere a Google search can find it.

ncoghlan avatar Jun 26 '17 02:06 ncoghlan

@puiterwijk can likely give more info, but Ipsilon is really quite flexible on what it can do.

pypingou avatar Jun 26 '17 08:06 pypingou

I know this thread is a bit old, but is adding Keycloak support an option?

odra avatar Jan 22 '19 11:01 odra

We are already using python-social-auth, but I can look at Keycloak.

Zlopez avatar Jan 22 '19 11:01 Zlopez

Just a bit of context: I was looking into using this for an internal team, so I kind of needed a custom/internal login mechanism, which led me to ask about Keycloak. It can be an alternative for providing custom login mechanisms without making Anitya responsible for that kind of tech.

odra avatar Jan 22 '19 11:01 odra

Look at python-social-auth, maybe this will be enough for you.

Zlopez avatar Jan 22 '19 14:01 Zlopez

@Zlopez I can work on a PR if there is interest (I kind of need it anyway)

odra avatar Jan 22 '19 14:01 odra

This is always welcomed. If you want to invest your time in this I will be glad to review it.

Zlopez avatar Jan 22 '19 14:01 Zlopez

Hello, I am getting this error in social auth (in the callback URL):

```
psycopg2.ProgrammingError: relation "social_auth_usersocialauth" does not exist
LINE 2: FROM social_auth_usersocialauth
```

It seems that the social tables were not created. Do you know if there is a way to force their creation?

odra avatar Jan 23 '19 12:01 odra

Did you run the alembic migrations?

I recommend using Vagrant for the development environment, it will do everything for you.

Zlopez avatar Jan 23 '19 12:01 Zlopez

Ah right, I didn't, I just created the app and rolled with it :)

Will give it a try and post the results.

odra avatar Jan 23 '19 12:01 odra

Still got the same error. I am trying to deploy it on OpenShift (fresh installation) so I don't need to import the db data into Postgres.

I tried running the command and specifying the alembic.ini file path in the init function from the utilities module, but it didn't change anything.

odra avatar Jan 23 '19 14:01 odra

If you are trying to deploy this on OpenShift, you could actually look at our roles for deploying in Fedora infrastructure. Unfortunately the DB is handled separately. But still you could look - https://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/openshift-apps/release-monitoring?id=60f89dbe30a3ad24f7168d60f571d3658910b982

There should actually be a script for creating the database - https://github.com/release-monitoring/anitya/blob/master/createdb.py

Zlopez avatar Jan 23 '19 15:01 Zlopez

I am using createdb.py but it doesn't create the social tables :(

Thanks for the links, I will take a look at the OpenShift templates :+1:

odra avatar Jan 23 '19 16:01 odra