www-infrastructure-dev mailing list archives

From Upayavira ...@odoko.co.uk>
Subject Re: Centralised authentication/authorisation
Date Thu, 27 Nov 2008 12:00:07 GMT
On Thu, 2008-11-27 at 12:41 +0200, Graham Leggett wrote:
> Upayavira wrote:
> > The biggest issue that I do not yet see resolved is that of username
> > namespaces. 
> > 
> > Currently, we have a 'committer' namespace, names are allocated, by
> > root, based upon requests from the new committer, when their Apache
> > account is created.
> > 
> > If we go to an LDAP setup that covers non-committers too, then we have
> > to expand our namespace handling to cover names that non-committers might
> > choose.
> > 
> > And, we need to work out a way to handle the transition from
> > non-committer to committer, in the (likely) case that that involves a
> > change in username.
> > 
> > Otherwise, we could get folks snapping up all the best names in the
> > @apache.org namespace in the hope that they may one day become a
> > committer, rather than having a name selected for them at the point at
> > which their account is created.
> I generally approach this by using an email address as the account 
> identifier.
> When at some future date a user warrants committership, they get a uid 
> attribute added as appropriate.

This starts to get us closer. SVN would of course authenticate against
the UID, but that is fine, as it is only relevant to committers.
Likewise shell access on people.apache.org.

Jira, Confluence, Bugzilla should all be able to accept an email address
as their unique ID. Moin however will not accept an email address
(alphanumeric only), so we'd need to work something else out there
(simply strip @ and . from the email address??)
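
Added example, not part of the original message and not Moin's or the ASF's code: stripping `@` and `.` from an address, as floated above, is not one-to-one, so distinct addresses can map to the same alphanumeric name. The sketch below finds such collisions in a set of constructed addresses and compares a hypothetical reversible escape (`escape_mapping` and `unescape` are illustrative names) whose output is still alphanumeric only.

```python
from collections import defaultdict

def strip_mapping(email):
    """The mapping floated in the message: drop '@' and '.' from the address."""
    return email.replace("@", "").replace(".", "")

def escape_mapping(email):
    """Hypothetical alternative: keep ASCII letters and digits except 'x',
    write every other byte (including 'x' itself) as 'x' + two hex digits."""
    out = []
    for b in email.encode("utf-8"):
        ch = chr(b)
        if ch.isascii() and ch.isalnum() and ch != "x":
            out.append(ch)
        else:
            out.append(f"x{b:02x}")
    return "".join(out)

def unescape(name):
    """Inverse of escape_mapping, showing that no information is lost."""
    out = bytearray()
    i = 0
    while i < len(name):
        if name[i] == "x":
            out.append(int(name[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(ord(name[i]))
            i += 1
    return out.decode("utf-8")

def find_collisions(emails, mapping):
    """Return {mapped_name: [addresses]} for every name shared by 2+ addresses."""
    buckets = defaultdict(list)
    for email in emails:
        buckets[mapping(email)].append(email)
    return {name: addrs for name, addrs in buckets.items() if len(addrs) > 1}

# Constructed sample addresses (reserved example.org domain), not real accounts.
SAMPLE = [
    "jo.smith@example.org",
    "josmith@example.org",
    "jos@mith.example.org",
    "alex@example.org",
]

if __name__ == "__main__":
    print("strip :", find_collisions(SAMPLE, strip_mapping))
    print("escape:", find_collisions(SAMPLE, escape_mapping))
```

Running the collision check over the existing account list before adopting any email-to-username mapping shows whether two people would end up sharing one wiki identity.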

