canonical-ci-engineering team mailing list archive

Thread
Date

Re: cli authentication design decisions

To: Francis Ginther <francis.ginther@xxxxxxxxxxxxx>
From: Joe Talbott <joe.talbott@xxxxxxxxxxxxx>
Date: Wed, 27 Aug 2014 16:12:07 -0400
Cc: CI Team <canonical-ci-engineering@xxxxxxxxxxxxxxxxxxx>
In-reply-to: <CAB2r3jLtfgP867Dwfa9FM6FuiPHX9WOaRhrjcqDud4BbJd-d8w@mail.gmail.com>
User-agent: Mutt/1.5.21 (2010-09-15)

On Wed, Aug 27, 2014 at 01:50:16PM -0500, Francis Ginther wrote:
> I agree that browser based makes the most sense. As a first pass, we should
> be able to make progress with something very simple: provide a token that
> users can copy and paste, download a credentials file or do some
> javascripty thing to save it.
> 
> I assuming these CLI tokens would be set to never expire. Do we have a way
> to revoke them? Do we need one?

I assume the same regarding never expiring.  We can revoke them via the
admin interface if we choose to expose that.  It should be fairly
straight forward to allow tokens to be revoked via a gui but we'd then
need to have a concept of admin users in the ticket system as well.  I
don't foresee a lot of revocations so I'm in favor of exposing the admin
interface for revocation of tokens.

Joe
> 
> Francis
> 
> 
> On Wed, Aug 27, 2014 at 10:49 AM, Joe Talbott <joe.talbott@xxxxxxxxxxxxx>
> wrote:
> 
> > All,
> >
> > Siva and I have been working on getting authentication working in the
> > UCI Engine and the cli in particular.  There are a few methods for
> > authorizing an access token via oauth2 for an insecure client.  Most
> > notably browser based and password based[1].  I'm thinking that we don't
> > want to mess with user passwords and would take that option off the
> > table.  This leads me to think we could add an access_token end-point on
> > the ticket-system (accessible via the webui-apache proxy) that simply
> > does the standard web server based authentication we're currently doing
> > for the webui and prints out the access token for the user to store in
> > their keyring.  I'm not sure if/how we can automate this further.  Does
> > anyone have ideas, suggestions, complaints, or other comments?
> >
> > Thanks,
> > Joe
> >
> >
> > [1]
> > http://aaronparecki.com/articles/2012/07/29/1/oauth2-simplified#browser-based-apps
> >
> > --
> > Mailing list: https://launchpad.net/~canonical-ci-engineering
> > Post to     : canonical-ci-engineering@xxxxxxxxxxxxxxxxxxx
> > Unsubscribe : https://launchpad.net/~canonical-ci-engineering
> > More help   : https://help.launchpad.net/ListHelp
> >
> 
> 
> 
> -- 
> Francis Ginther
> Canonical - Ubuntu Engineering - Continuous Integration Team

References

cli authentication design decisions
From: Joe Talbott, 2014-08-27
Re: cli authentication design decisions
From: Francis Ginther, 2014-08-27