On 09/06/2017 01:37 PM, Ben Rosser wrote:
> On Wed, Sep 6, 2017 at 12:51 PM, Kevin Fenzi <kevin@xxxxxxxxx> wrote:
>> On 09/06/2017 05:25 AM, Nikos Mavrogiannopoulos wrote:
>>> Hi,
>>> What's the story between the recently introduced support of kerberos
>>> in koji? My understanding was that eventually all services of fedora
>>> would switch to kerberos authentication, though information on the
>>> following bugs for bodhi seems to contradict that:
>>>
>>> https://bugzilla.redhat.com/show_bug.cgi?id=1483538
>>> https://github.com/fedora-infra/bodhi/issues/1179
>>
>> I'm not sure where you got the understanding that everything was moving
>> to kerberos. Did we say that somewhere?
>
> No, but it seems to me like one of the advantages of using a system
> like Kerberos is that, theoretically, we *could* standardize all
> authentication on it

We could, but there's tradeoffs. In some cases other things are better
and could be transparently done via ipsilon.

>
> For example, I complained recently that I need Kerberos tickets to
> submit builds but "pagure auth tokens" to actually request branches
> using fedrepo-req: https://pagure.io/pagure/issue/2549. The same is
> true to interact with copr via copr-cli. It's not clear to me why, as
> a packager, I should need N different types of authentication token on
> my system in order to interact with the different parts of the
> packaging plumbing. It seems to me that in an ideal world it would
> only require one mechanism to interact with all these services.

I agree reducing the number of things is a good goal. However, support
for something doesn't magically appear because we would like it. For
example, pagure has no code at all for kerberos auth (that I know of).

>
> That mechanism doesn't need to be Kerberos, but... if it's not going
> to be Kerberos, why *did* Koji switch over to Kerberos?

Because koji has implemented 2 types of auth: certs (which we used to
use) and kerberos (which we switched to).
Kerberos is much better than certs for our needs.

kevin