14:01:35 <bstinson> #startmeeting CBS/Infra
14:01:35 <centbot> Meeting started Mon Feb 16 14:01:35 2015 UTC.  The chair is bstinson. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:01:35 <centbot> Useful Commands: #action #agreed #help #info #idea #link #topic.
14:01:53 <bstinson> #chair alphacc Arrfab Evolution kbsingh MerlinTHP
14:01:53 <centbot> Current chairs: Arrfab Evolution MerlinTHP alphacc bstinson kbsingh
14:02:08 <alphacc> hi
14:02:42 <bstinson> hi alphacc!
14:02:46 <bstinson> #topic Agenda
14:02:54 <bstinson> #info Topic: Status Updates
14:03:01 <bstinson> #info Topic: Document user stories to identify missing parts of the workflow
14:03:07 <bstinson> #info Topic: Open Floor
14:03:39 <bstinson> #topic Status Updates
14:04:15 <bstinson> I can start with centpkg, I have a couple of commits to the repo that give koji the right giturls now
14:04:42 <bstinson> i'll be building another release this week
14:05:41 <mikem> good morning
14:06:15 <alphacc> bstinson: ok great.
14:06:44 <bstinson> kbsingh: where did we end up with the lookaside?
14:09:27 <kbsingh> tbh, i haven't had the bandwidth to push it any further as yet
14:09:55 <kbsingh> this week is looking pretty full as well, it's going to be mid next week before i get to that
14:10:07 <kbsingh> if this blocks anyone/anything - i am willing to get the work done manually in the interim
14:11:04 <bstinson> kbsingh: feel free to ping me next week if you need another set of hands
14:13:02 <bstinson> Evolution: how's IPA coming?
14:13:47 <Arrfab> bstinson: for the test do you mean ? afaik we never decided for ipa vs fas vs something else (so all options are still open)
14:14:13 <Evolution> mostly the same as kbsingh's answer. I've not had time to poke it much. IPA itself allows us to do everything we need. the intermediate hooks are problematic.
14:14:40 <Arrfab> bstinson: my current understanding is that for ipa, we're still missing the self-server register portal *and* x509 automatic retrieval
14:15:02 <Evolution> I have (thanks to MerlinTHP) a nice recipe for creating groups, admin groups etc. getting certs out will require a script for the user to run (similar to how fedora does it)
14:15:17 <Arrfab> so switching to ipa now would be more issues than our current bash scripts/wrapper around openssl to create the x509 existing certs/keys
14:15:40 <Arrfab> Evolution: like fedcert ?
14:15:41 <mikem> At FOSDEM, puiterwijk and pingou were talking to me about adding openid support to koji. Apparently Fedora wants this, so we may be seeing some patches soon
14:16:01 <Arrfab> mikem: yes, I spoke to them too ;-)
14:16:05 <mikem> not sure if that would be something that would help us
14:16:30 <Evolution> it would.
14:16:30 <Arrfab> mikem: and puiterwijk is now working on ipsilon (so upstream) instead of fedOAuth
14:17:06 <Evolution> so long as git can use it. unsure if gitblit can do openid or not.
14:18:08 <Arrfab> Evolution: that too .. so whatever the centralized auth we can use, there are plugins on top , like ipsilon for openid, while we can still use x509 (that we decided to use in first place)
14:18:45 <mikem> Well, git itself doesn't know users. It leaves file access to the os. Many layers fill that void differently
14:18:52 <Arrfab> so, as long as we have no progress on the self-service user portal, and an easy way to get those certs/keys back for the users, the current ca+wrapper will be in use
14:19:49 <kbsingh> I had a chat with dpal at Devconf - and they mentioned it might be possible to get some help from them as well
14:19:51 <Arrfab> mikem: no, but gitblit can match CN in the cert to a user, and gitblit is responsible for the auth anyway (as no user has shell/account on that gitblit server)
14:20:18 <mikem> I presume openid would be one piece of our ipa puzzle, and maybe not the piece we use for git auth
14:20:54 <Arrfab> mikem: yes and tbh, I was thinking about openid for other services (like bug tracker/forums/etc) *but* koji :-)
14:21:17 <Arrfab> good to see that it would be possible, but not sure if we want to enforce that
14:21:56 <mikem> I'm not a fan of gerrit at all, but it looks like it may support openid. Not sure if that would extend to the command line
14:22:14 <mikem> openid auth for command line tools seems like a bit of a nonstandard
14:22:23 <kbsingh> it's a non-trivial overhead running gerrit - and i don't think we have the traffic to justify that
14:22:29 <kbsingh> yet anyway
14:22:44 <mikem> yeah, I am not seriously suggesting gerrit
14:22:59 <mikem> I kind of hate gerrit actually
14:23:00 <Arrfab> mikem: indeed ... so let's stick with what works currently : x509 certs for koji. and if openid is usable for other services, we can consider that too
14:23:04 <kbsingh> heh
14:23:36 <bstinson> Arrfab: agreed, I can start work on a centos-cert tool
14:23:58 <bstinson> what's the next step for testing backends (IPA/FAS/Something else)?
14:24:38 <Arrfab> bstinson: let me take the question in reverse : what's the actual blocker for SIGs member with the actual setup ?
14:25:14 <Arrfab> not that I want to keep the wrapper script around our CA, but trying to see where invested time would be good for users.
14:25:24 <Arrfab> are they blocked now ?
14:26:22 <bstinson> i think 2 features would be the most critical: 1.) self-service account creation and 2.) self-service ACL approval
14:26:42 <Arrfab> bstinson: I can understand #1. but can you elaborate on #2 ?
14:26:48 <bstinson> but i don't think they're blocked necessarily, so there's time to get it right
14:28:21 <bstinson> as for #2: if i'm the leader of a SIG, i want to be able to sponsor you into the group which would give you access to the appropriate git branches and koji targets
14:29:07 <Arrfab> bstinson: so that would imply the fact that gitblit is then driven/configured externally, which is not the case now
14:30:11 <Arrfab> kbsingh: is that something you'd allow ? actually it's all manual and on your shoulders, right ?
14:30:40 <kbsingh> getting better at what we do should never be optional, it should be by design :)
14:30:49 <Arrfab> :-)
14:30:54 <kbsingh> we need central single auth
14:31:43 <kbsingh> the actual pipeline, from git to delivery to community interfaces should all really come from one auth layer, so folks can do whatever they need when they need it
14:32:42 <kbsingh> ( does that answer the question )
14:34:46 <bstinson> the upshot being that gitblit will eventually need to be plugged into whatever auth system we decide on
14:35:48 <kbsingh> yup
14:35:49 <Arrfab> bstinson: and then that gitblit will be configured by that intermediate level code and be authorized to change the ACL and create users directly into gitblit too
14:36:16 <kbsingh> and gitblit has lots of options around the sort of content it can consume / hook into - the x509 certs just seemed easiest since they can be shared with the koji side of things
14:36:28 <kbsingh> ( thereby making git.c.o part of the CBS, and not a feeder into )
14:37:20 <Arrfab> kbsingh: and we can continue to use it, but afaik you still have to create the users into gitblit and then do the "match" with CN= in x509 certs, right ? and also then doing the ACLs per user/group
14:38:13 <kbsingh> do we need to resolve the mechanics right now ?
14:39:13 <Arrfab> kbsingh: no, it will be to the guy/developer in charge of writing and maintaining that (currently nonexistent) code
14:40:26 <bstinson> we can at least move forward with our backend testing (IPA/FAS/etc.)
14:42:05 <bstinson> Evolution: i'll bug you this week about IPA to see where I can help
14:43:28 <bstinson> #topic Document user stories to identify missing parts of the workflow
14:43:40 <bstinson> we only have a few minutes left, but we can get started on this too
14:43:47 <kbsingh> ok
14:43:55 <kbsingh> do we have a few users identified to help with this
14:44:10 <kbsingh> maybe we can rope in every SIG, and ask for 1 person from every group
14:45:09 <bstinson> do you think this sort of discussion might be best over a google hangout?
14:48:27 <kbsingh> yup
14:51:49 <bstinson> it might be a little bit early for the US folks, but we could use our CBS meeting time in 2 weeks
14:53:41 <bstinson> Google Hangout 02-Mar-2015 at 14:00 UTC?
14:54:21 <Evolution> wfm.
14:54:36 <kbsingh> works for me too
14:55:17 <bstinson> cool, i'll visit some SIG meetings to make sure they have representation and send a message to the list
14:57:19 <bstinson> #info SIG Workflow Discussion: 02-Mar-2015 14:00 UTC on Google Hangouts
14:57:44 <bstinson> #topic Open Floor
14:59:46 <bstinson> closing in 1m
15:00:29 <bstinson> thanks everyone!
15:00:33 <bstinson> #endmeeting