Wiki -> https://fedoraproject.org/wiki/Changes/SSSDRemoveFilesProvider

This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes
process, proposals are publicly announced in order to receive
community feedback. This proposal will only be implemented if approved
by the Fedora Engineering Steering Committee.


== Summary ==
Remove SSSD “files provider” feature that allows handling of local users.

== Owner ==
* Name: [[User:atikhonov| Alexey Tikhonov]], [[User:pbrezina| Pavel Březina]]
* Email: atikh...@redhat.com, pbrez...@redhat.com


== Detailed Description ==
SSSD ability to handle local users (/etc/passwd and /etc/group) using
“id_provider=files” was previously deprecated and future removal
announced both 
[https://sssd.io/release-notes/sssd-2.9.0.html#general-information
upstream] and in
[https://docs.fedoraproject.org/en-US/fedora/latest/release-notes/sysadmin/Security/#_the_sssd_files_provider_has_been_deprecated
Fedora 38 RNs].<br>
[https://fedoraproject.org/wiki/Changes/FlexibleLocalUserCache
FlexibleLocalUserCache] change disabled this feature by default even
earlier. The reason for this movement is that benefits of the feature
appeared to be negligible, while confusion and overhead it creates is
considerable.<br>
Practically, there are only two use cases that currently justify usage
of “files provider”:
* smart card authentication of local users;
* session recording for local users.
For both cases “proxy provider” is a viable substitute, so “files
provider” can be dropped. SSSD maintainers will provide a document on
[https://sssd.io/ sssd.io] describing how to switch (where it’s really
needed!)

== Feedback ==
So far we received no pushback (and practically no feedback at all)
with regards to previous deprecation notices and removal
announcements.

== Benefit to Fedora ==
Alignment with upstream development that plans to remove corresponding
code completely. Cleaner/simpler OS configuration (/etc/nsswitch.conf
and authselect profiles).

== Scope ==
* Proposal owners:
** SSSD package will be built without `--with-files-provider`
./configure option; document describing usage of 'proxy provider' in
aforementioned cases will be provided;
** authselect
*** New “local” profile to handle local users without SSSD will be
introduced. This profile will be based on “minimal”, but it may gain
more features.
*** “minimal” profile will be removed and replaced by “local”.
*** “Local” profile will be now the default profile
*** ‘sssd’ profile will lose `with-files-domain` and
`with-files-access-provider` options, and will gain `--with-tlog`
option.

* Other developers:
** cockpit session recording: configuration of session recording with
local users was switched to ‘proxy-provider’, change will be made to
execute authselect –with-tlog;
** shadow-utils: package will be built with `--without-sssd`
configuration option set.

* Release engineering: [https://pagure.io/releng/issue/11765 #11765]
(proposed composes definition
[https://pagure.io/fork/atikhonov/fedora-comps/c/7e7a8e23dc884ec65059494d71768bed63f98de2?branch=sssd-updates
change])

* Policies and guidelines: N/A (not needed for this Change)

* Trademark approval: N/A (not needed for this Change)


* Alignment with Community Initiatives: N/A


== Upgrade/compatibility impact ==
Since the feature was turned off by default since Fedora 35
([https://fedoraproject.org/wiki/Changes/FlexibleLocalUserCache
FlexibleLocalUserCache]), this change won’t have any noticeable impact
on the vast majority of the user base.<br>
Those who were configuring it explicitly and for a good reason, will
have to update SSSD configuration manually to use ‘proxy provider’
instead of ‘files provider’.

== How To Test ==
General regression testing.

== User Experience ==
N/A

== Dependencies ==
sssd, authselect, cockpit-session-recording, shadow-utils

== Contingency Plan ==
* Contingency mechanism: revert SSSD spec file changes
* Contingency deadline: Fedora 40 beta freeze
* Blocks release? No


== Documentation ==
Release notes only.

== Release Notes ==
Previously deprecated SSSD “files provider” feature that allows
handling of local users was removed. This doesn’t affect default
configuration where local users are handled by glibc module
(‘libnss_files.so.2’) In case of specific configuration that requires
SSSD to handle local users (like, for example, smart card
authentication of local users) switch to ‘proxy provider’ instead.







-- 

Aoife Moloney

Fedora Operations Architect

Fedora Project

Matrix: @amoloney:fedora.im

IRC: amoloney
_______________________________________________
devel-announce mailing list -- devel-announce@lists.fedoraproject.org
To unsubscribe send an email to devel-announce-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Reply via email to