[jira] [Commented] (WHIMSY-54) Re-organise auth. by TLD?
[ https://issues.apache.org/jira/browse/WHIMSY-54?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15962198#comment-15962198 ]

Sam Ruby commented on WHIMSY-54:

And then there are more exceptions. Every committer can visit the roster tool, but what data you see and what data you can modify depends on which groups you belong to.

> Re-organise auth. by TLD?
> -------------------------
>
> Key: WHIMSY-54
> URL: https://issues.apache.org/jira/browse/WHIMSY-54
> Project: Whimsy
> Issue Type: Improvement
> Reporter: Sebb
>
> Various parts of Whimsy require auth.
> At present this is done per app, which results in quite a complicated scheme.
> Also the auth conf is held in puppet whereas the app is in the Whimsy repo, so it's tricky to relate them.
> When adding a new app, the puppet config has to be updated as well.
> This can easily be overlooked.
> Maybe we should just use auth at the top level directory?
> This might require some apps to be moved, but would be much simpler to maintain going forward.
> The following levels are used currently:
> None
> ASF Committers
> ASF Members and Incubator PMC
> ASF Members and Officers
> ASF Members
> ASF Secretarial Team
> This suggests the following directories as a minimum:
> committers
> incubator
> officers
> members
> secretary

--
This message was sent by Atlassian JIRA (v6.3.15#6346)
[jira] [Commented] (WHIMSY-54) Re-organise auth. by TLD?
[ https://issues.apache.org/jira/browse/WHIMSY-54?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15962117#comment-15962117 ]

Sam Ruby commented on WHIMSY-54:

The commits you saw were not successful; but I'm certainly experimenting along those lines. I believe I have working on my machine asf-secretary and root, but I won't know for sure until it is deployed as I don't have a test id (and certainly not one as root).

Not yet explored: dissimilar ldap configurations. For example, member is a list of memberUids, but pmc-chair is a list of members (full dn's). This poses two challenges: finding a way to represent this cleanly in the YAML and making it work. Both appear to be solvable.

There remains one notable exception: if a committer is invited to a board meeting, they have access to the agenda even if they are neither a member nor pmc-chair.
[jira] [Commented] (WHIMSY-54) Re-organise auth. by TLD?
[ https://issues.apache.org/jira/browse/WHIMSY-54?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15962107#comment-15962107 ]

Sebb commented on WHIMSY-54:

It looks as though HTTPD does support alternate LDAP auth - as per recent changes to the secretary tree.

So long as there is an LDAP group for each of the qualifying classes of logins, it may now be possible to delegate all auth to the HTTPD server?
[jira] [Commented] (WHIMSY-54) Re-organise auth. by TLD?
[ https://issues.apache.org/jira/browse/WHIMSY-54?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15952817#comment-15952817 ]

Sebb commented on WHIMSY-54:

I cannot find instances of the problem; I think I must have based my understanding on an early version of Whimsy which was done differently?

In any case, I agree it now just needs better documentation.
[jira] [Commented] (WHIMSY-54) Re-organise auth. by TLD?
[ https://issues.apache.org/jira/browse/WHIMSY-54?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15951929#comment-15951929 ]

Sam Ruby commented on WHIMSY-54:

I'm confused. HTTPD does the initial auth, and HTTPD is configured via puppet, hence the configuration in infrastructure_puppet.

Some apps have additional authentication requirements. For example, the board agenda tool: it is accessible by both officers and members - something that isn't directly supported by HTTPD. So the board agenda tool is configured to require committers on HTTPD, and the board agenda tool will apply additional filters. In fact, the board agenda tool will allow access by invited guests that aren't officers or members; inclusion in the roll call is sufficient to provide access. Other portions of the URL space (for example, the board/minutes) are open to all.

Perhaps this could be documented better?
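
The two-tier check described in the comment above (httpd admits committers, the application applies further filters), combined with the mixed LDAP group shapes mentioned in comment 15962117, sketched as an added example. It is not Whimsy code: the group contents, the example.org DNs, the user ids and the use of REMOTE_USER as the variable httpd sets are assumptions.

```ruby
# Added example, not Whimsy code. All group data below is constructed.
# One group stores bare uids (memberUid), the other full DNs (member),
# which is the "dissimilar ldap configurations" case from the thread.
GROUPS = {
  'member'    => { attr: 'memberUid', values: %w[alice bob] },
  'pmc-chair' => { attr: 'member',
                   values: ['uid=carol,ou=people,dc=example,dc=org',
                            'uid=alice,ou=people,dc=example,dc=org'] }
}.freeze

# Reduce either representation to a bare uid; nil when the value is malformed.
def uid_from(attr, value)
  case attr
  when 'memberUid' then value[/\A[a-z0-9_-]+\z/i]
  when 'member'    then value[/\Auid=([^,]+),/i, 1]
  end
end

# All uids in a group, whatever attribute the group uses. Unknown group => [].
def group_uids(name, groups = GROUPS)
  group = groups[name]
  return [] unless group
  group[:values].map { |v| uid_from(group[:attr], v) }.compact.uniq
end

# Second tier for the agenda. httpd has already authenticated the user as a
# committer; the app admits members, pmc chairs, or anyone in the roll call.
def agenda_access?(env, roll_call, groups = GROUPS)
  user = env['REMOTE_USER'].to_s
  return false if user.empty? # fail closed if httpd did not set a user
  group_uids('member', groups).include?(user) ||
    group_uids('pmc-chair', groups).include?(user) ||
    roll_call.include?(user)
end

# Constructed requests: a chair, an invited guest, an uninvited committer.
[['carol', []], ['dave', ['dave']], ['dave', []]].each do |user, roll|
  puts "#{user}: #{agenda_access?({ 'REMOTE_USER' => user }, roll)}"
end
```

The application only ever sees the authenticated user id here, never the password; a tool that performs updates on the user's behalf needs more than this check.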
[jira] [Commented] (WHIMSY-54) Re-organise auth. by TLD?
[ https://issues.apache.org/jira/browse/WHIMSY-54?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15951866#comment-15951866 ]

Sebb commented on WHIMSY-54:

I suspect the part about the auth credentials can be ignored for now.

However I think it would be worth investigating if the auth handling can be simplified. It may be possible to rearrange the installation directories of the code on the server to allow HTTPD to do the auth. I think the existing external URLs can then be mapped accordingly so they don't change.
[jira] [Commented] (WHIMSY-54) Re-organise auth. by TLD?
[ https://issues.apache.org/jira/browse/WHIMSY-54?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15951630#comment-15951630 ]

Shane Curcuru commented on WHIMSY-54:

Is there any further action on this issue (i.e. is there a specific action item, other than more clearly documenting where auth is controlled), or can we close it?
[jira] [Commented] (WHIMSY-54) Re-organise auth. by TLD?
[ https://issues.apache.org/jira/browse/WHIMSY-54?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15203332#comment-15203332 ]

Sam Ruby commented on WHIMSY-54:

This seems to be multiple independent topics?

For the first, you are proposing URLs like:

/committers/roster/committer/
/officers/board/agenda/

If so, -0. I would, however, support those directories being added where not currently present.

As to the second topic, it isn't clear to me what server you are talking about? This isn't a single application, the server is Apache httpd, which serves both CGI and Passenger/rack applications. Many applications use a common library, however: whimsy/asf. The library can do more to encapsulate access checks.

It is worth noting that applications that perform updates (e.g. roster, secretary/public_names, board/agenda) need to have access to the full credentials.

--
This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (WHIMSY-54) Re-organise auth. by TLD?
[ https://issues.apache.org/jira/browse/WHIMSY-54?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15203295#comment-15203295 ]

Sebb commented on WHIMSY-54:

http://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html#exposed

It looks as though this is already done through AUTHENTICATE_UID and AUTHORIZE_UID
[jira] [Commented] (WHIMSY-54) Re-organise auth. by TLD?
[ https://issues.apache.org/jira/browse/WHIMSY-54?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15203293#comment-15203293 ]

Sebb commented on WHIMSY-54:

It should be possible to have the server save the authenticated user id in a variable. For example, HTTP_X_AUTHENTICATED_USER is used by reporter.a.o

This would be safer than saving the auth credentials, and can be used to implement additional karma checks if necessary for a particular app.