www-infrastructure-dev mailing list archives

From "Tony Stevenson" <pct...@apache.org>
Subject Centralised authentication/authorisation
Date Thu, 20 Nov 2008 17:54:25 GMT

For some time now I have been making some tongue-in-cheek comments stating that
the ASF should look at using some form of centralised authentication
and/or authorisation.

We, the infra team, currently manage the access to services such as:

* Subversion
* Shell access to people.apache.org
* Bugzilla
* Confluence
* cwiki

This means that folks who have access to any or all of these systems will
have an individual account for each service.  This seems daft with over
2000 committers now; with this number rising each week, this will become
more difficult to reliably sustain.

So what I want to do now is formally propose that we consider deploying the
services of LDAP directory services.  This can be used for not only
centralised authentication/authorisation but also for:

* Storing copies of committers' public keys.
* Storing a copy of users' associated ICLA
* Contact information at least for all members, but possibly committers too.

A few people have helped start gathering requirements, and ideas here ->


That folder is currently available for all committers to look over.  But
not write to.

The current docs are by no means complete, and I am looking for other
folks to help me get them to a state so that we can present the idea and
kick the project off. There are some technical requirements that are
non-negotiable, for instance:

* Multi site master (For HA)
* Intra site replication (To maintain said HA)
* No direct internet access to LDAP (obvious, but, security)

There are some other ideas in the documentation in subversion, like karma
attribution amongst others.

Clearly most of the wish list items will require a custom user schema to
be used to store the relevant information.

I am happy to run with this, but I am looking for input from folks willing
to either help and/or get involved.



Tony Stevenson
tony@pc-tony.com  //  pctony@apache.org

1024D/51047D66 ECAF DC55 C608 5E82 0B5E  3359 C9C7 924E 5104 7D66
