[JIRA] (OVIRT-408) migrate mailman from linode to PHX and upgrade to mailman 3

[ https://ovirt-jira.atlassian.net/browse/OVIRT-408?page=com.atlassian.jira.pl... ]

eyal edri [Administrator] updated OVIRT-408:
--------------------------------------------

Assignee: Marc Dequènes (Duck) (was: infra)
Status: Accepted (was: New)

starting with installing new VM in PHX lab: mail.phx.ovirt.org.

migrate mailman from linode to PHX and upgrade to mailman 3
-----------------------------------------------------------

Key: OVIRT-408
URL: https://ovirt-jira.atlassian.net/browse/OVIRT-408
Project: oVirt - virtualization made easy
Issue Type: Task
Components: Hosting
Reporter: eyal edri [Administrator]
Assignee: Marc Dequènes (Duck)
-- This message was sent by Atlassian JIRA (v7.2.0-OD-04-029#72002)

Quack,

On 03/23/2016 06:53 PM, eyal edri [Administrator] (oVirt JIRA) wrote:
> migrate mailman from linode to PHX and upgrade to mailman 3
> -----------------------------------------------------------
>
> Key: OVIRT-408
> URL: https://ovirt-jira.atlassian.net/browse/OVIRT-408
> Project: oVirt - virtualization made easy
> Issue Type: Task
> Components: Hosting
> Reporter: eyal edri [Administrator]
> Assignee: Marc Dequènes (Duck)

This subject is still ongoing. I was finally able to talk to abompard about a few things related to the migration and auth (more details in the ticket). I'd just like to raise a specific point here.

So the local auth using email addresses, like was used on MM2, is not working at the moment. abompard is working on it but he has other things on his plate and no idea when it will be finished.

abompard suggested using Persona. So I don't know Persona well, but it is being decommissioned by Mozilla next October. He also heard some people would be willing to revive it (need more info on this). So this could be a path to handle the email address credentials and ease the migration from the previous installation.

We could also wait for him to finish releasing MM 3.1 and then harass him (or bribe him with nice beers).

I don't think allowing only external auth like Google OAuth2 would be nice at all.

So before acting I'm going to have a look at Persona more deeply, but I wanted to have your opinion on this too.

\_o<

On 17 June 2016 10:09, "Marc Dequènes (Duck)" <duck@redhat.com> wrote:
> We could also wait for him to finish releasing MM 3.1 and then harass him (or bribe him with nice beers).
>
> I don't think allowing only external auth like Google OAuth2 would be nice at all.
>
> So before acting I'm going to have a look at Persona more deeply, but I wanted to have your opinion on this too.
>
> \_o<

On 17 June 2016 10:09, "Marc Dequènes (Duck)" <duck@redhat.com> wrote:
> I don't think allowing only external auth like Google OAuth2 would be nice at all.

I respectfully disagree. As long as we allow more than one provider, and also allow for some free ones like Fedora, it's not bad at all IMO. And it has the nice benefit of not having to secure any user credential database on our infra.

We've been using that approach on oVirt Gerrit forever, and are looking at ways to expand it to other parts of the infra.

Long term we would probably like all authentication done against providers via some sort of an SSO layer, while authorization will be based on group assignments in Gerrit. We have a ticket about this somewhere...

(Apologies for last blank message)

Quack,

On 06/17/2016 04:55 PM, Barak Korren wrote:
> As long as we allow more than one provider, and also allow for some free ones like Fedora, it's not bad at all IMO. And it has the nice benefit of not having to secure any user credential database on our infra.

It's not bad, just better to have choice not to rely on them if you (as a user) wish IMO. Also I thought having a direct compatibility with MM2 would ease transition (as pointed out by Evgheni), but this is not an option right now.

> We've been using that approach on oVirt Gerrit forever, and are looking at ways to expand it to other parts of the infra.

Forever is irrelevant. If it suits the projects' needs in the contrary, then let's do this way.

> Long term we would probably like all authentication done against providers via some sort of an SSO layer, while authorization will be based on group assignments in Gerrit.

Maybe freeipa could help building this. I think Misc has more experience with this; he could probably give some advice.

So as for now:
- Google OAuth: enabled but not working yet, waiting to have access to data to create the API credentials
- Fedora: works well, tested with Misc's account
- Persona: works well
- OpenID: tested with LaunchPad/UbuntuOne, works well but URL has to be entered manually, so maybe the page could be tweaked to have links like in Gerrit

Would it be sufficient to begin with?

I think we should warn users they would need to have their email address registered on some provider if not already done (in the announcement).

\_o<

On 21 June 2016 at 12:14, Marc Dequènes (Duck) <duck@redhat.com> wrote:
> Maybe freeipa could help building this. I think Misc has more experience with this; he could probably give some advice.

Probably not FreeIPA as it is based around its own LDAP, but maybe something like Keycloak working against external providers. (We have OVIRT-527 in Jira for this)

> So as for now:
> - Google OAuth: enabled but not working yet, waiting to have access to data to create the API credentials
> - Fedora: works well, tested with Misc's account
> - Persona: works well
> - OpenID: tested with LaunchPad/UbuntuOne, works well but URL has to be entered manually, so maybe the page could be tweaked to have links like in Gerrit
>
> Would it be sufficient to begin with?

We'd probably better support GitHub too. Also we need to make sure we know how to converge credentials when the same users use different providers to login. (We have a detailed procedure on how to do this with Gerrit...)

> I think we should warn users they would need to have their email address registered on some provider if not already done (in the announcement).

No harm in accounting. Since most users already need this to use Gerrit the impact will probably not be huge.

--
Barak Korren
bkorren@redhat.com
RHEV-CI Team

Quack,

On 06/21/2016 06:30 PM, Barak Korren wrote:
> Probably not FreeIPA as it is based around its own LDAP, but maybe something like Keycloak working against external providers. (We have OVIRT-527 in Jira for this)

Thanks for the info.

> We'd probably better support GitHub too.

Ok, will look into it.

> Also we need to make sure we know how to converge credentials when the same users use different providers to login. (We have a detailed procedure on how to do this with Gerrit...)

Agreed.

\_o<

Quack again,

So the work is located here:
https://gitlab.com/duck-rh/ovirt-infra-ansible

The roles are listed in the requirements.yml file (for Ansible galaxy).

You can have a look at the web interface by adding this to your /etc/hosts:
66.187.230.55 lists.ovirt.org

TLS certificates are not installed here, so HTTP only at the moment. I guess oVirt uses DigiCert for its certificates IIRC. If not also letsencrypt is a nice option. I will look into this later.

If you want to experiment with admin rights and are in the Puppet admin list, then give me your account ID and I will upgrade your account.

\_o<
participants (3): Barak Korren, eyal edri [Administrator] (oVirt JIRA), Marc Dequènes (Duck)