canonical-ci-engineering team mailing list archive

Thread
Date

Re: cli authentication design decisions

To: Evan Dandrea <evan.dandrea@xxxxxxxxxxxxx>
From: Joe Talbott <joe.talbott@xxxxxxxxxxxxx>
Date: Thu, 28 Aug 2014 10:51:33 -0400
Cc: CI Team <canonical-ci-engineering@xxxxxxxxxxxxxxxxxxx>
In-reply-to: <CAOe9oG70eq86J1U7_awGPSpr_o1G1cA-cnidnSTOGYZcGZw80A@mail.gmail.com>
User-agent: Mutt/1.5.21 (2010-09-15)

On Thu, Aug 28, 2014 at 11:16:10AM +0100, Evan Dandrea wrote:
> Are we making sure that submission does not require a token? I would
> think that just updating metadata or cancelling tickets requires auth,
> no?
> 
> I ask because this would be a divergence from dput, where all you need
> is a signed package to make a successful submission (bogus submissions
> can be dumped asynchronously server-side). I'm assuming we can prevent
> spoofing by checking that the provided signature is from the key for
> the user specified in LP.

As we discussed in today's standup.  We'll not do authentication for the
CLI at this time and depend on signature key for ticket creation
authentication.

> 
> Does implementing the frontend submission service make any of this easier?
> 
> https://app.asana.com/0/14737058697498/

I don't see it making things easier right now with regard to
authentication and ticket creation.

Joe

References

cli authentication design decisions
From: Joe Talbott, 2014-08-27
Re: cli authentication design decisions
From: Evan Dandrea, 2014-08-28