Re: [IAM PoC] Starting with implementation
> On Jan 12, 2017, at 1:22 PM, Pierre Smits wrote:
>
> Please do not use the syncope implementation via the unencrypted tomcat port
> 8080/

Then configure tomcat to only listen on loopback, or only allow access from the local interface. Better yet change the firewall rules. Or do both. ;) Assuming the VM is in puppet the firewall rules should be a few lines of config.

--
Cheers,
Tony
---
http://www.pc-tony.com
GPG - 3072D/2543E323
---
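As an added example for this part of the thread (not ASF infra's or Syncope's own code), here is a small Python audit of the first of the two measures Tony suggests. A Tomcat Connector with no `address` attribute binds to every interface, which is exactly how a PoC ends up serving cleartext HTTP on 8080 to the network; pinning it to 127.0.0.1 keeps it on loopback. The script parses a server.xml, reports every connector that is neither TLS nor loopback-bound, and rewrites the offending connectors. The server.xml it works on is a constructed sample, not a file from the PoC VM; the firewall rule in the docstring is the complementary host-level measure and is given only as an illustration.

```python
"""Audit and harden the Connector elements of a Tomcat server.xml.

Added example for this thread (not ASF infra or Syncope code).  A Connector
without `address` listens on 0.0.0.0 / :: ; setting address="127.0.0.1"
confines it to loopback.  The complementary firewall measure (not done here)
would be a host rule such as:
    iptables -I INPUT -p tcp --dport 8080 ! -i lo -j DROP
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: one cleartext HTTP connector on 8080 bound to all
# interfaces (the situation objected to above) plus one TLS connector.
WEAK_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"/>
    <Engine name="Catalina" defaultHost="localhost"/>
  </Service>
</Server>
"""


def is_loopback(address):
    """True if a Connector `address` value is loopback (IPv4, IPv6 or 'localhost')."""
    if address is None:
        return False          # Tomcat default: bind every interface
    value = address.strip()
    if value.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(value).is_loopback
    except ValueError:
        return False          # a hostname we cannot resolve offline: treat as exposed


def _is_tls(conn):
    return conn.get("SSLEnabled", "false").strip().lower() == "true"


def audit_connectors(server_xml):
    """Return one finding per Connector: port, bound address, TLS flag, and
    whether it is a cleartext listener reachable beyond loopback."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        address = conn.get("address")
        tls = _is_tls(conn)
        findings.append({
            "port": conn.get("port"),
            "address": address if address is not None else "0.0.0.0/::",
            "tls": tls,
            "cleartext_exposed": (not tls) and (not is_loopback(address)),
        })
    return findings


def harden(server_xml, bind="127.0.0.1"):
    """Return server.xml with every non-TLS Connector pinned to `bind`.
    TLS connectors and connectors already on loopback are left untouched."""
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        if not _is_tls(conn) and not is_loopback(conn.get("address")):
            conn.set("address", bind)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in audit_connectors(WEAK_SERVER_XML):
        print("before:", finding)
    fixed_xml = harden(WEAK_SERVER_XML)
    for finding in audit_connectors(fixed_xml):
        print("after: ", finding)
```

Run it against the real server.xml (`audit_connectors(open(path).read())`) before and after a Puppet run to confirm the bind address actually landed; `ss -ltn` on the VM should then show 8080 on 127.0.0.1 only, with the firewall rule as the backstop for anything else that opens that port.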
Re: [DISCUSS] Syncope for ASF identity management
> Agree: we'll need to ask other people that want to get involved to
> subscribe infra@ as well, no problems.
> I'd like to keep dev@syncope in CC for any discussion on the topic,
> though.
> We might use some fancy [Syncope-PoC] subject prefix as well.
> As already briefly discussed via HipChat, I must admit I am not very
> confident with Puppet - but we are actually doing two different things:
>
> (1) implement what we call an IAM project, that is work on a Syncope
> overlay - e.g. an actual Maven project whose sources need to be
> versioned, which in turn requires a dev env, and will produce some
> artifacts (WAR files actually)
> (2) implement provisioning to ASF infrastructure of such WAR files
> into Tomcat, with DBMS support
>
> About the latter, it seems it is possible to have Jenkins pushing them
> to bintray for deployment, and that .deb packaging is desirable - again,
> no problems.
>
> One of the objectives is clearly, once the actual development is over,
> easily being able to move it to production, with few lines in puppet.

+1 to all of that.

--
Many thanks,
--
Tony
Re: [DISCUSS] Syncope for ASF identity management
On Wed, 9 Dec 2015, at 01:46 PM, Francesco Chicchiriccò wrote:
> On 09/12/2015 14:33, Tony Stevenson wrote:
> > On Wed, 9 Dec 2015, at 12:52 PM, Francesco Chicchiriccò wrote:
> >> On 09/12/2015 13:16, Tony Stevenson wrote:
> >>> Francesco,
> >>>
> >>> As I said in HipChat, I'd love to be able to say that we can do this.
> >>> But the fact is right now infra are tied up for at least 6 months.
> >>>
> >>> I think the best way to gain any traction on this is for the Syncope PMC
> >>> to stand up a PoC that replaces 1 (or more) of the components used.
> >> As anticipated via HipChat, this is actually the deep sense of my
> >> proposal, e.g. the direct engagement of Syncope PMC - not only,
> >> actually, but anyone interested - for supporting the infra team.
> >>
> >> A PoC sounds like a straight, concrete and limited way to start
> >> approaching IdM at ASF with Syncope.
> >>
> >>> i.e. these might include:
> >>>
> >>> - https://id.apache.org (The end-user part of it)
> >>> - acreq - The user account request workflow
> >>> - Identity Management as a whole.
> >>> - PMC karma management
> >>>
> >>> I will be more than happy to help guide the PMC, and give you an ASF VM
> >>> on which you can stand up your PoC, and guide you on the business logic
> >>> already in place for any of these tools.
> >> That's good - IMO we need:
> >>
> >> 1. a place where to ask for information, provide feedback, etc. (shall
> >> we keep crossposting infra@ and dev@syncope?)
> > Keep infra@ in the loop. If we start crossing into anything sensitive
> > we will move that part of the thread to a more sensible location.
>
> Understand: what about JIRA notifications (see below)?

JIRA notifications are a harder one, but the current set go to infra@ - so you will see them if you are sub'd to the list.

> >> 2. VM
> > Open a JIRA issue for this, and one can be provisioned for you.
>
> Fine.
>
> >> 3. SCM
> > Ideally you'd work by submitting patches against the
> > infrastructure-puppet repo for the deployment and config.
>
> Not sure: a Syncope deployment is an actual Maven project which
> produces one or two WAR files to be deployed on a supported Java EE
> container (Tomcat is fine), which requires a dedicated DBMS (PostgreSQL
> or MySQL are fine, naturally).
>
> So I'd say we eventually need to patch infrastructure-puppet for
> deploying Syncope, but we still require a git-wip repo for the actual
> project sources (which will depend on official Syncope artifacts but
> also embed all the configuration, business logic, ...).

Infra have a hard rule that all deployments must be managed and configured via puppet. If the only way to configure these things is via a UI, then we must find a way to back it up. But we will not deploy anything in production without it being 100% reproducible (assume we have the DB dump too). This allows us to move services as required, and guarantee we can bring it up again if needed.

> >> 4. (possibly) some issue tracker (not necessarily JIRA, something
> >> simpler would fit the job as well)
> > JIRA is the infra preference as in we use that today. I'd just use the
> > JIRA project and move on. Less hassle.
>
> Fine: wouldn't it be better to feature a dedicated mailing list for
> notifications? Even fosslists.org as Daniel suggested in HipChat.

For now, no, I don't think so. We do not have a dedicated list for the huge MM3 PoC we are doing.

> >> 5. (nice to have) some wiki (not necessarily Confluence, something
> >> simpler would fit the job as well)
> > Again, you can use the infra space on cwiki.

--
Many thanks,
--
Tony
Re: [DISCUSS] Syncope for ASF identity management
On Wed, 9 Dec 2015, at 12:52 PM, Francesco Chicchiriccò wrote:
> On 09/12/2015 13:16, Tony Stevenson wrote:
> > Francesco,
> >
> > As I said in HipChat, I'd love to be able to say that we can do this.
> > But the fact is right now infra are tied up for at least 6 months.
> >
> > I think the best way to gain any traction on this is for the Syncope PMC
> > to stand up a PoC that replaces 1 (or more) of the components used.
>
> As anticipated via HipChat, this is actually the deep sense of my
> proposal, e.g. the direct engagement of Syncope PMC - not only,
> actually, but anyone interested - for supporting the infra team.
>
> A PoC sounds like a straight, concrete and limited way to start
> approaching IdM at ASF with Syncope.
>
> > i.e. these might include:
> >
> > - https://id.apache.org (The end-user part of it)
> > - acreq - The user account request workflow
> > - Identity Management as a whole.
> > - PMC karma management
> >
> > I will be more than happy to help guide the PMC, and give you an ASF VM
> > on which you can stand up your PoC, and guide you on the business logic
> > already in place for any of these tools.
>
> That's good - IMO we need:
>
> 1. a place where to ask for information, provide feedback, etc. (shall
> we keep crossposting infra@ and dev@syncope?)

Keep infra@ in the loop. If we start crossing into anything sensitive we will move that part of the thread to a more sensible location.

> 2. VM

Open a JIRA issue for this, and one can be provisioned for you.

> 3. SCM

Ideally you'd work by submitting patches against the infrastructure-puppet repo for the deployment and config.

> 4. (possibly) some issue tracker (not necessarily JIRA, something
> simpler would fit the job as well)

JIRA is the infra preference as in we use that today. I'd just use the JIRA project and move on. Less hassle.

> 5. (nice to have) some wiki (not necessarily Confluence, something
> simpler would fit the job as well)

Again, you can use the infra space on cwiki.

> > For a long time we have tried to manage identity, or some cut-down
> > version of it, solely via LDAP. Then we added id.apache.org, and then
> > acreq was added. They were all really disjointed efforts. If we can
> > bring all this under one roof, and make it usable I think it will be a
> > win.
> >
> > The idea of a PoC is to be able to demonstrate that Syncope could
> > basically be dropped in, and replace one of these components.
> >
> > We'd also want some decent handover and/or training from the Syncope
> > community. I'm not sure we'd accept it if the community wanted to
> > support it on its own, because the sad fact is people move on, and we
> > would be left with a critical piece of the jigsaw remaining unsupported.
>
> Agree on this last point as well: I'd suggest to identify someone from
> the infra team which could follow activities, provide inputs, etc. since
> the beginning.
Re: [DISCUSS] Syncope for ASF identity management
Francesco,

As I said in HipChat, I'd love to be able to say that we can do this. But the fact is right now infra are tied up for at least 6 months.

I think the best way to gain any traction on this is for the Syncope PMC to stand up a PoC that replaces 1 (or more) of the components used. i.e. these might include:

- https://id.apache.org (The end-user part of it)
- acreq - The user account request workflow
- Identity Management as a whole.
- PMC karma management

I will be more than happy to help guide the PMC, and give you an ASF VM on which you can stand up your PoC, and guide you on the business logic already in place for any of these tools.

For a long time we have tried to manage identity, or some cut-down version of it, solely via LDAP. Then we added id.apache.org, and then acreq was added. They were all really disjointed efforts. If we can bring all this under one roof, and make it usable I think it will be a win.

The idea of a PoC is to be able to demonstrate that Syncope could basically be dropped in, and replace one of these components.

We'd also want some decent handover and/or training from the Syncope community. I'm not sure we'd accept it if the community wanted to support it on its own, because the sad fact is people move on, and we would be left with a critical piece of the jigsaw remaining unsupported.

Cheers,
Tony

On Wed, 9 Dec 2015, at 12:06 PM, Francesco Chicchiriccò wrote:
> [Re-sending to infra@ after quick chat with infra]
>
> Howdy Infra,
> following a discussion [1] we had on Syncope PMC list, I would like to
> start a thread around possible usage of Apache Syncope for managing
> identity flows within the ASF infrastructure.
>
> Let me start with a real-life sample: I have recently been asked to join
> CXF as committer (good to me!).
>
> I know from [2] that, since I already own an ASF id, someone from CXF
> PMC had to run a perl script on people.apache.org in order to add myself
> to the LDAP committer group for CXF.
>
> If instead this was my first invitation, someone had to prior request
> for an account [3] (note the different link for PMC chairs and PMC
> members) and trigger a (manual) approval process which ensures at least
> the availability of the chosen ASF id and the presence of a valid ICLA
> which can be "reconciled" with such request.
>
> Once in, someone with enough karma still needs to grant me proper access
> to JIRA and Confluence (and / or more applications).
>
> If I'd like to change my password and manage my own details (including
> SSH and GPG) I can log into [4].
>
> Naturally, I have omitted several parts of the process, especially the
> ones related to becoming PMC [5] or ASF member, which are even more
> involved.
>
> As Syncope PMC, we believe it is worth exploring the possibility of
> using Syncope for driving the processes summarized above, and more.
> I see this as a win-win situation: Infra will benefit from introducing a
> proper tool for the job, and Syncope will get more visibility both
> within the foundation and externally (think of some post(s) by Infra
> describing this work).
>
> In the past I have exchanged some e-mails with Tony Stevenson about this
> topic, and it seemed to me he was interested in the topic, even though
> at a certain point we did not follow up.
>
> Should you be interested, we are available to discuss in order to
> identify together the required steps, and also to provide material help,
> if required.
>
> Looking forward to your reply.
> Regards.
>
> [1]
> https://mail-search.apache.org/members/private-arch/syncope-private/201511.mbox/%3c565c09a3.7070...@apache.org%3E
> [2] https://www.apache.org/dev/pmc.html#karma
> [3] https://id.apache.org/acreq/
> [4] https://id.apache.org/
> [5] https://www.apache.org/dev/pmc.html#newpmc
>
> --
> Francesco Chicchiriccò
>
> Tirasa - Open Source Excellence
> http://www.tirasa.net/
>
> Involved at The Apache Software Foundation:
> member, Syncope PMC chair, Cocoon PMC, Olingo PMC, CXF committer
> http://home.apache.org/~ilgrosso/

--
Many thanks,
--
Tony