Re: how bad would it be if we allowed all systems in communishift to get read-only access to fasjson?

On 15/12/2022 00:09, Matthew Miller wrote:
> I want to sync group membership to Discourse. See one idea for this here:
> https://pagure.io/fedora-infrastructure/issue/10952
>
> However, this would be approximately one billion times easier if I didn't
> need to worry about the hard part of automating something with fasjson,
> which is keeping a kerberos ticket fresh from a keytab. (I'd love to run my
> whole thing as a function-as-a-service function.)
>
> I get why we require authentication, but since this info is open to anyone
> who authenticates, it's only one part of our protection. And it occurred to
> me that one needs a FAS account to create something in Communishift anyway.
> Unless I am missing something (and I might be)... that really offers
> basically the same protection. So..... would it be possible to just
> allow-list connections coming from the Communishift nodes?



Well, you know that real data (users/groups/rbac rules/etc.) are stored in IPA itself, which isn't reachable directly, which is why fasjson was created. But because fasjson itself doesn't store any credentials, it's just an "application proxy" that will just do the query for you/your app, which is why it needs a kerberos ticket.

That's why all infra services (Fedora and CentOS ones) have a service keytab to query fasjson (and so reflect users/groups membership at various levels).

Trying to open "anonymous" requests through fasjson.fedoraproject.org would then mean that fasjson would need to have built-in logic about which info it can query, and a local kerberos keytab to then reach IPA itself. I'll let Aurelien comment on that one, but iirc that's what they wanted to avoid when they designed fasjson (not storing anything, ensuring that all ACL checks are done at IPA level, and no logic/acl/rbac rule to create in the fasjson app itself).

--
Fabian Arrotin
gpg key: 17F3B7A1 | twitter: @arrfab
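
Keeping a ticket fresh from a service keytab, the step the thread calls the hard part, can be wrapped as in the sketch below. This is an added example, not part of the original messages and not fasjson or Fedora infrastructure code; the class name, keytab path, principal and credential-cache location are assumptions, and it relies on the MIT `kinit` and `klist` tools and a `curl` built with SPNEGO support.

```python
import os
import subprocess
import time


class KeytabTicket:
    """Keep a Kerberos TGT, obtained from a service keytab, fresh for GSSAPI clients."""

    def __init__(self, keytab, principal, ccache, max_age=3600,
                 run=subprocess.run, clock=time.monotonic):
        self.keytab, self.principal = keytab, principal   # hypothetical values
        self.max_age = max_age      # re-run kinit after this many seconds
        self._run, self._clock = run, clock
        self._last = None           # time of the last successful kinit
        # Private credential cache so the ticket is not shared with other processes.
        self.env = dict(os.environ, KRB5CCNAME=ccache)

    def ensure(self):
        """Return True if kinit was run, False if the cached ticket was reused."""
        now = self._clock()
        recent = self._last is not None and now - self._last < self.max_age
        # `klist -s` exits non-zero when the cache holds no valid ticket.
        if recent and self._run(["klist", "-s"], env=self.env).returncode == 0:
            return False
        # Non-interactive login: the keytab stands in for the password.
        self._run(["kinit", "-k", "-t", self.keytab, self.principal],
                  env=self.env, check=True)
        self._last = now
        return True

    def get(self, url):
        """Fetch `url` with SPNEGO; curl takes the ticket from the cache."""
        self.ensure()
        done = self._run(
            ["curl", "--fail", "--silent", "--negotiate", "-u", ":", url],
            env=self.env, check=True, capture_output=True, text=True)
        return done.stdout
```

The keytab is a long-lived credential, so it should be readable only by the service account, and `max_age` should sit well below the ticket lifetime the KDC issues.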


_______________________________________________
infrastructure mailing list -- infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to infrastructure-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
