Discussion:
best way to get a non-human Fedora account
Matthew Miller
2021-06-02 18:45:41 UTC
For the Fedora Contributor Trends project, Josseline is working on a module
which will gather some information from Fedora Accounts. This needs to
authenticate, and rather than doing it under a human name we'd like to have
a dedicated account. What's the best way to set this up?

--
Matthew Miller
<***@fedoraproject.org>
Fedora Project Leader
_______________________________________________
infrastructure mailing list -- ***@lists.fedoraproject.org
To unsubscribe send an email to infrastructure-***@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/***@lists.fedoraproject.org
Do not reply to spam on the list, report it:
Fabian Arrotin
2021-06-03 07:29:13 UTC
Post by Matthew Miller
> For the Fedora Contributor Trends project, Josseline is working on a module
> which will gather some information from Fedora Accounts. This needs to
> authenticate, and rather than doing it under a human name we'd like to have
> a dedicated account. What's the best way to set this up?

It depends on how it will be used but either a service account that is
just a "normal" account that would point to an email alias (if it has to
be shared between multiple people) but (imho, and what we decided to use
for centos infra when using fasjson) maybe a dedicated keytab tied to a
defined service in IPA backend is the way to go.
--
Fabian Arrotin
gpg key: 17F3B7A1 | twitter: @arrfab
Matthew Miller
2021-06-03 14:51:25 UTC
Post by Fabian Arrotin
> It depends on how it will be used but either a service account that is
> just a "normal" account that would point to an email alias (if it has to
> be shared between multiple people) but (imho, and what we decided to use
> for centos infra when using fasjson) maybe a dedicated keytab tied to a
> defined service in IPA backend is the way to go.

The latter sounds more "right" to me. Should we file a ticket for this?

--
Matthew Miller
<***@fedoraproject.org>
Fedora Project Leader
Kevin Fenzi
2021-06-04 00:03:42 UTC
Post by Matthew Miller
> Post by Fabian Arrotin
> > It depends on how it will be used but either a service account that is
> > just a "normal" account that would point to an email alias (if it has to
> > be shared between multiple people) but (imho, and what we decided to use
> > for centos infra when using fasjson) maybe a dedicated keytab tied to a
> > defined service in IPA backend is the way to go.
> The latter sounds more "right" to me. Should we file a ticket for this?

So, in the fas2 world we just left, we had no option for tokens or
keytabs, people needed the password to authenticate as that user (in
most cases). So, we just told people to create the account themselves
and use 'bot' in the name and we then marked them in the database as
being a bot account (which didn't mean too much).

Since we can now use keytabs, I am happy moving to a model where
external services that need auth request and get a dedicated keytab.

So, yeah, ticket and we can get them a dedicated keytab sounds fine to me.

kevin
