[katello-devel] Signo and shared user management

Tom McKay thomasmckay at redhat.com
Thu Jun 20 12:40:15 UTC 2013



----- Original Message -----
> From: "Marek Hulan" <mhulan at redhat.com>
> To: katello-devel at redhat.com, foreman-dev at googlegroups.com
> Sent: Thursday, June 20, 2013 3:50:19 AM
> Subject: [katello-devel] Signo and shared user management
> 
> Hello Foreman and Katello,
> 
> I'd like to start a discussion about the future of user management in the
> katello/foreman/signo trio. As you probably noticed, Signo currently serves
> only for authentication purposes. It does not know any information about the
> user that is trying to log in. In fact it asks Katello or LDAP (or Kerberos
> soon) whether the given credentials are valid.
> 
> This means that we cannot create users on the fly at the moment. This is
> especially annoying when you use LDAP because you have to log in to Katello
> using the old way so the user is created in Katello DB (which creates him in
> Foreman DB as well).
> 
> We could make Signo load more info from auth backends (we need email at
> least) and serve it to apps so they can create users. I'm not sure how this
> would work with Kerberos - there is no email for principal.
> 
> Or we take a bigger step and can move users to Signo. Signo would then be a
> primary database of users. In future Signo would take user CRUD
> functionality. We could then use dynflow for user propagation to Katello and
> Foreman. At the same time we could make Signo a single place where user roles
> would be defined. Since Katello and Foreman have different role sets, Signo
> would define some generic roles and any system could translate them into its
> own roles. Assigning organizations etc. should remain in apps.
> 
> Ivan, could you please describe pros of having roles in Signo as we discussed
> it?
> 
> What do teams think? Ohad, Mike would you support such change?
> 
> --
> Marek
> 

"Or we take a bigger step and can move users to Signo."

As I've mentioned to "those in charge," I feel strongly that the architecture of having Katello and Foreman as separate code bases is a mistake. One of the products should "win" and the others begin to be folded into it in a nice software engineering sort of way (engines or such). Signo was a bandaid for single sign on for two separate tools; can there be serious discussions about the reasons why we would wish to continue to keep them separate code?

P.S. This is not meant as a poke at signo or its author, but rather a questioning of why a signo even needs to exist.



