On 15/12/2022 00:09, Matthew Miller wrote:
I want to sync group membership to Discourse. See one idea for this here: https://pagure.io/fedora-infrastructure/issue/10952

However, this would be approximately one billion times easier if I didn't need to worry about the hard part of automating something with fasjson, which is keeping a kerberos ticket fresh from a keytab. (I'd love to run my whole thing as a function-as-a-service function.)

I get why we require authentication, but since this info is open to anyone who authenticates, it's only one part of our protection. And it occurred to me that one needs a FAS account to create something in Communishift anyway. Unless I am missing something (and I might be)... that really offers basically the same protection.

So..... would it be possible to just allow-list connections coming from the Communishift nodes?
Well, you know that the real data (users/groups/rbac rules/etc) are stored in IPA itself, which isn't reachable directly, which is the reason why fasjson was created. But because fasjson itself doesn't store any credentials, it's just an "application proxy" that will just do the query for you/your app, which is the reason why it needs a kerberos ticket.
That's why all infra services (Fedora and CentOS ones) have a service keytab to query fasjson (and so reflect users/groups membership at various levels).
Trying to open "anonymous" requests through fasjson.fedoraproject.org would then mean that fasjson would need to have built-in logic about which info it can query, and a local kerberos keytab of its own to then reach IPA. I'll let Aurelien comment on that one, but iirc that's what they wanted to avoid when they designed fasjson (not store anything, ensuring that all ACL checks are done at the IPA level and no logic/acl/rbac rule to create in the fasjson app itself).
-- Fabian Arrotin gpg key: 17F3B7A1 | twitter: @arrfab
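The "hard part" Matthew describes, keeping a Kerberos ticket fresh from a keytab so a script can talk to fasjson, is small once written down. The following is an added example, not code from either poster or from the fasjson project: it parses `klist` output to find the TGT expiry, re-runs `kinit -kt` when the ticket is missing or close to expiring, and then queries fasjson with SPNEGO authentication. It assumes MIT Kerberos `kinit`/`klist` on PATH, the `requests` and `requests-gssapi` packages, and the `/v1/groups/<name>/members/` endpoint path; the realm `EXAMPLE.ORG`, the principal and the sample `klist` output are constructed placeholders.

```python
"""
Added example (not from the thread or the fasjson project): keep a Kerberos
TGT fresh from a keytab and query fasjson with it.

Assumptions: MIT Kerberos `kinit` and `klist` are on PATH; `requests` and
`requests-gssapi` are installed for the HTTP part; the fasjson endpoint path
`/v1/groups/<name>/members/` and the realm EXAMPLE.ORG are placeholders.
"""
import re
import subprocess
from datetime import datetime, timedelta

# Refresh when less than this much lifetime remains, so a long-running
# job never hits fasjson with a ticket that expires mid-request.
REFRESH_MARGIN = timedelta(minutes=30)

# Constructed sample of MIT `klist` output (not captured from a real host).
SAMPLE_KLIST_OUTPUT = """Ticket cache: KCM:1000
Default principal: svc-discourse-sync@EXAMPLE.ORG

Valid starting       Expires              Service principal
12/15/2022 00:09:00  12/16/2022 00:09:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
"""

# One ticket per line: "<valid starting>  <expires>  <service principal>".
# MIT builds print 2- or 4-digit years depending on version/locale.
_KLIST_LINE = re.compile(
    r"^(\d{2}/\d{2}/\d{2,4}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(\d{2}/\d{2}/\d{2,4}\s+\d{2}:\d{2}:\d{2})\s+(\S+)"
)


def parse_tgt_expiry(klist_output, realm):
    """Return the expiry of the TGT (krbtgt/REALM@REALM) from klist output, or None."""
    wanted = f"krbtgt/{realm}@{realm}"
    for line in klist_output.splitlines():
        m = _KLIST_LINE.match(line.strip())
        if not m or m.group(3) != wanted:
            continue
        expires = m.group(2)
        for fmt in ("%m/%d/%y %H:%M:%S", "%m/%d/%Y %H:%M:%S"):
            try:
                return datetime.strptime(expires, fmt)
            except ValueError:
                continue
    return None


def needs_refresh(expiry, now=None, margin=REFRESH_MARGIN):
    """True when there is no TGT at all or it expires within `margin`."""
    if expiry is None:
        return True
    now = now or datetime.now()
    return expiry - now < margin


def current_tgt_expiry(realm):
    """Run klist and return the TGT expiry, or None if no usable ticket/cache."""
    try:
        proc = subprocess.run(["klist"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return parse_tgt_expiry(proc.stdout, realm)


def ensure_ticket(keytab, principal, realm):
    """Obtain a fresh TGT from the keytab when needed; returns True if kinit ran."""
    if needs_refresh(current_tgt_expiry(realm)):
        # kinit -kt never prompts, so this is safe in cron or a FaaS wrapper.
        subprocess.run(["kinit", "-kt", keytab, principal], check=True)
        return True
    return False


def group_members(fasjson_url, group):
    """Query fasjson for a group's members using SPNEGO (GSSAPI) auth."""
    import requests
    from requests_gssapi import HTTPSPNEGOAuth

    resp = requests.get(
        f"{fasjson_url.rstrip('/')}/v1/groups/{group}/members/",
        auth=HTTPSPNEGOAuth(),
        timeout=30,
    )
    resp.raise_for_status()
    return resp.json()  # response shape is fasjson's; callers pick the fields they need


if __name__ == "__main__":
    ensure_ticket("/etc/discourse-sync.keytab", "svc-discourse-sync@EXAMPLE.ORG", "EXAMPLE.ORG")
    print(group_members("https://fasjson.example.org", "sysadmin-main"))
```

Calling `ensure_ticket()` at the top of each run (or each function invocation, in the FaaS case) is what keeps the ticket fresh; the keytab itself still has to be protected like any other long-lived credential, which is the part that does not go away whichever way fasjson is reached.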
_______________________________________________
infrastructure mailing list -- infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to infrastructure-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue