www-infrastructure-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Graham Leggett <minf...@sharp.fm>
Subject Re: Centralised authentication/authorisation
Date Mon, 15 Dec 2008 13:31:31 GMT
Tony Stevenson wrote:

> Cool, but we have not yet agreed upon what we are going to be working 
> towards.  That comes next :-)

I would argue that agreeing what we are working towards would come first :)

> Exactly, and even when it does (possibly) exist there is still no need 
> for authentication, AFAICS.

We use authnz across the ASF, from bugzilla, to jira, to various 
continuous integration servers. Facing a similar problem myself (many 
apps, in different architectures, all trying to maintain their own 
authnz databases, and with inconsistent support for LDAP), it prompted 
me to introduce mod_session and mod_auth_form to httpd, and have httpd 
worry about authnz, and have the underlying apps take for granted that 
authnz has already happened.

While I could wave my hands in the air and try to explain it, it is far 
easier for me to just deploy a test version of it to show people. 
Consider it as the very first user of the LDAP service. :)

>> At this point we have the danger of just talking about it for ages and 
>> ages, and never getting anything done.
> if we talk about it now, and then someone chimes up just after 
> deployment that they wanted it do x,y, and z, we can tell them that they 
> had their opportunity to take part on this ML.

One important thing: any LDAP infrastructure will be a living breathing 
thing. Requirements will change over time, and people will chime in with 
suggestions for how the LDAP database could be extended or improved.

No part of the design should be "closed" or "cast in stone", and at no 
point should anybody be told "you had your opportunity to take part but 
you didn't".

>> Let's start by getting a basic server running, and populate it with 
>> some basic information, not accessible to the public.
> That won't happen until we all agree on all the fundamental basics 
> first.  There is absolutely no hurry to get this done.  I was pushing on 
> ahead with this, much like you seem to want too, but it wont help us. 
> Not in the long run.

People aren't willing to pipe up with objections until they have 
something concrete to object to.

 From what I can see, the basics are pretty covered:

- We need a server, and we have one in the form of ADS.

- We need a basic schema, and considering the desire is just authnz at 
this point, the schemas that already exist should do nicely.

Is there anything else we need to cover?

> I will be one of those admins. I'm not sure any requirement exists from 
> those of us that will administer this, to have it do anything other that 
>  access control.

Having spoken to a number of people in the long time during which the 
LDAP ball has been kicked around at the ASF, there is definitely a 
desire to store more than just access control in LDAP.

While I as you do see no need to do this now, we certainly do not want 
to close any doors or make it more difficult to do this in future.


View raw message