[katello-devel] Signo and shared user management

Bryan Kearney bkearney at redhat.com
Fri Jun 28 16:16:58 UTC 2013


On 06/24/2013 05:31 AM, Jan Pazdziora wrote:
> On Thu, Jun 20, 2013 at 09:50:19AM +0200, Marek Hulan wrote:
>> Hello Foreman and Katello,
>>
>> I'd like to start a discussion about the future of user management in the
>> katello/foreman/signo trio. As you probably noticed, Signo currently serves
>> only for authentication purposes. It does not know any information about the
>> user that is trying to log in. In fact it asks Katello or LDAP (or Kerberos
>> soon) whether the given credentials are valid.
>>
>> This means that we cannot create users on the fly at the moment. This is
>> especially annoying when you use LDAP because you have to log in to Katello
>> using the old way so the user is created in the Katello DB (which creates
>> him in the Foreman DB as well).
>>
>> We could make Signo load more info from auth backends (we need email at least)
>> and serve it to apps so they can create users. I'm not sure how this would
>> work with Kerberos - there is no email for a principal.
>>
>> Or we can take a bigger step and move users to Signo. Signo would then be the
>> primary database of users. In future Signo would take user CRUD functionality.
>> We could then use dynflow for user propagation to Katello and Foreman. At the
>> same time we could make Signo a single place where user roles would be defined.
>> Since Katello and Foreman have different role sets, Signo would define some
>> generic roles and any system could translate them into its own roles.
>> Assigning organizations etc. should remain in apps.
>>
>> Ivan, could you please describe the pros of having roles in Signo as we
>> discussed it?
>>
>> What do teams think? Ohad, Mike would you support such a change?
>
> It seems you are essentially trying to (re)write sssd.
>
> If you use system calls, sssd will do the heavy lifting under the
> hood for you. The sssd team will be happy to talk about what it can
> do in the context of your application -- please poke me or them
> directly.
>
> Thank you,
>
Where is sssd support on non-Fedora systems? Good/bad?

-- bk
