On Thu, Jun 03, 2021 at 10:51:25AM -0400, Matthew Miller wrote:
> On Thu, Jun 03, 2021 at 09:29:13AM +0200, Fabian Arrotin wrote:
> > It depends on how it will be used but either a service account that is
> > just a "normal" account that would point to an email alias (if it has to
> > be shared between multiple people) but (imho, and what we decided to use
> > for centos infra when using fasjson) maybe a dedicated keytab tied to a
> > defined service in IPA backend is the way to go.
>
> The latter sounds more "right" to me. Should we file a ticket for this?

So, in the fas2 world we just left, we had no option for tokens or keytabs,
people needed the password to authenticate as that user (in most cases).
So, we just told people to create the account themselves and use 'bot' in
the name and we then marked them in the database as being a bot account
(which didn't mean too much).

Since we can now use keytabs, I am happy moving to a model where external
services that need auth request and get a dedicated keytab.

So, yeah, ticket and we can get them a dedicated keytab sounds fine to me.

kevin
_______________________________________________
infrastructure mailing list -- infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to infrastructure-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure