Nest with Fedora: An Introduction to the FAS Replacement

Proposal to present the new Fedora AAA solution and its component parts. This talk will look at the reason FAS is being retired, when that will happen, and the knock-on effects it will have for users and developers. It will also cover the technologies used to build the new solution, including FreeIPA, the collaboration involved and the challenges faced. We will also talk about the new API and how to use it.

https://pagure.io/flock/issue/246

Christian Heimes

August 07, 2020

Transcript

  1. An Introduction to the FAS Replacement
    Aurelien Bompard
    Developer for Fedora @ Red Hat
    Christian Heimes
    Developer for Fedora @ Red Hat
    Stephen Coady
    Developer for Fedora @ Red Hat

  2. A bit about us
    Aurelien – Fedora contributor since its creation, in the infra team since
    2012, tech lead on the AAA project.
    Christian – FreeIPA engineer since 2015, liaison between IPA and CPE
    team.
    Stephen – Joined the CPE team at Red Hat about 1 year ago. I have a
    Node.js background but don’t hold that against me.

  3. Why does FAS need to be replaced?
    ● Based on the TurboGears framework
    ● Python 2 only
    ● Supported on RHEL6 only, which goes EOL this fall
    ● It’s hard to work on it, which causes higher maintenance and
    complicates improvements

  4. Why FreeIPA?
    In 2019 the CPE team approached the IPA team regarding a new FAS solution.
    FreeIPA vs. $COMMERCIAL_SOLUTION
    ● Pros
    ○ Open Source
    ○ FreeIPA is extensible and flexible
    ○ FAS would be a great showcase for FreeIPA
    ○ FreeIPA already part of old FAS and supported by Ipsilon IdP
    ○ "Eat your own dog food"
    ● Cons
    ○ self-hosting
    ○ long-term maintenance cost

  5. How this will affect...
    ● FAS users
    ○ New UI to register, login and edit settings
    ○ Group membership requests are manual
    ○ Check your settings after the migration is done (fullnames…)
    ● Application developers
    ○ Your applications should migrate to the new API (REST/JSON)
    ○ API is authenticated via Kerberos, no admin accounts in the conf files
    ● System admins
    ○ Easier management of users/groups
    ○ More powerful feature set
    ○ Better CLI, API and scripting capabilities

  6. Roadmap
    Timeline (dates and milestones as laid out on the slide graphic):
    ● Aug 18th: Deploy to staging
    ● Oct 20th: User data migration
    ● 2x Testing phases complete
    ● Nov 3rd: Deploy to prod, FAS read only
    ● Nov 30th: FAS turned off
    Get involved!

  7. Design Goals
    ● Self service
    ○ Users can register, edit their settings, change their password, enroll OTP tokens…
    ● Some operations are on-demand
    ○ Group creation & editing
    ○ Group join requests
    ● Much more power for admins thanks to FreeIPA
    ○ Web UI and CLI
    ○ Red Hat supported product
    ● Less dev maintenance work on the IdM side

  8. Technical Challenges
    ● The data migration from FAS to FreeIPA
    ● CentOS, OpenSUSE
    ● Duplicate accounts
    ● Incompatible properties between FAS and FreeIPA
    ● Applications currently using FAS

  9. Architecture

  10. ● FreeIPA: the data store
    ● FreeIPA-FAS: a FreeIPA plugin for Fedora-specific data
    ● Ipsilon: the authentication portal (OIDC)
    ● Noggin (and noggin-messages): the self-service user portal
    ● FASJSON (and fasjson-client): the REST/JSON API
    ● FAS2IPA: the migration script
    ● Applications: the consumers of the API

  11. Architecture
    Diagram labels: Openshift (hosting Noggin and FASJSON), FreeIPA with the
    freeipa-fas plugin (reached via the Python API and LDAP), Applications,
    FASJSON Client, FASJSON Client CLI.

  12. FASJSON
    ● REST API for applications to get data from FreeIPA
    ● Authentication via Kerberos (keytabs for apps)
    ● JSON responses
    ● Endpoints:
    ○ user, users
    ○ group, groups
    ○ search users
    ○ certificate signing
    ● Pagination
    ● OpenAPI spec & Swagger UI

  13. FASJSON Client
    ● An easier way to query FASJSON from Python
    ● Will check the Kerberos authentication
    ● Call methods and get dictionaries or lists
    ● Pagination support
    ● Convenience method to get all users in one call
    ● CLI to generate CSRs and get them signed

  14. What is FreeIPA?

  15. What is FreeIPA?
    ● Open Source Identity Management solution
    ● LDAP backend, embeds PKI, Kerberos, OTP server, ...
    ● Web UI
    ● CLI tool
    ● JSON RPC API
    ● extensible via plugins (Python, JavaScript, LDAP schema, LDIF)
    ● Documentation:
    ○ https://www.freeipa.org/
    ○ Demo: https://ipa.demo1.freeipa.org/
    ○ dev blogs
    ○ online training course

  17. FreeIPA core components
    Diagram of the core components and the projects implementing them:
    KDC (MIT Kerberos), LDAP (389 DS), PKI (Dogtag), DNS (Bind), CLI/UI;
    integration points: Linux/UNIX clients (sssd, certmonger), Admin,
    AD integration (Samba), KDC Proxy.

  18. Client OS integration
    ● identity
    ● authentication
    ● authorization (HBAC)
    ● 2FA authentication
    ● SSH public keys
    Diagram: an enrolled client (SSSD, PAM, NSS, sudo, sshd, SELinux, automount,
    PKI/certmonger, host keytab) talks to the IdM server over LDAP + Kerberos and
    the JSON API; zero-config Kerberos over HTTPS (DNS URI record).

  19. What is LDAP?
    ● Not a “regular” (SQL) database
    ● hierarchical “address book” database
    ● standardized schema and protocol (RFCs)
    ● optimized for reading and replication
    ● extensible
    ● rich server-side access control (ACI)

  20. LDAP schema
    ● entries have DN, object classes, and attributes
    ● DN (unique identifier / path)
    uid=fasuser1,cn=users,cn=accounts,dc=fas,dc=example
    ● objectClasses (mandatory and optional attributes)
    ● user attributes
    ● operational / auto-generated attributes
    ● attribute types
    ○ single/multi-valued
    ○ text, int, date, binary, bool, DN, ...
    ○ DN (member “foreign key” reference, memberOf back reference)

  21. Multi-primary replication topology (master/master)
    Diagram: three sites with three replicas each: Prague site (idm-prg-1,
    idm-prg-2, idm-prg-3), New York site (idm-ny-1, idm-ny-2, idm-ny-3),
    Tokyo site (idm-tyo-1, idm-tyo-2, idm-tyo-3).

  22. Role Based Access Control (RBAC)
    ● LDAP server performs access control
    ○ services impersonate user via credential delegation (Kerberos S4U2Proxy)
    ● RBAC
    ○ Permissions: "Add FAS Agreement", "Delete FAS Agreement"
    ○ Privilege: "FAS Agreement Administrators"
    ○ Role: "FAS Agreement Administrator"
    ○ User, groups, services, hosts, host groups
    ● self-service
    ○ user can modify own IRC nick name
    ● delegation
    ○ membership managers of a group can add/remove members
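
    As an added example (not code from the talk or from the FreeIPA or freeipa-fas projects), the following Python models the three access-control layers on this slide (RBAC, self-service, delegation) over LDAP-style entries in the DN layout from slide 20, deriving the memberOf back reference from forward member references. Only the base DN and the "FAS Agreement" permission, privilege and role names come from the slides; the user, group and attribute names are constructed.

```python
# Added example (not from the talk or FreeIPA/freeipa-fas): toy model of the slide's
# access-control layers (RBAC, self-service, delegation) over LDAP-style entries.
# Only the base DN and "FAS Agreement" names are from the slides; the rest is made up.
BASE = "cn=accounts,dc=fas,dc=example"

def parse_dn(dn):
    """Split a DN into (attribute, value) pairs, leftmost RDN first."""
    return [tuple(rdn.split("=", 1)) for rdn in dn.split(",")]

def user_dn(uid):
    return f"uid={uid},cn=users,{BASE}"

# Forward "member" references as stored in LDAP; memberOf is derived, not stored.
GROUP_LEGAL = f"cn=fas-legal,cn=groups,{BASE}"
ROLE_ADMIN = f"cn=FAS Agreement Administrator,cn=roles,{BASE}"
MEMBERS = {GROUP_LEGAL: {user_dn("alice")}, ROLE_ADMIN: {GROUP_LEGAL}}
# RBAC chain: role -> privilege -> permissions
ROLE_PRIVILEGES = {ROLE_ADMIN: {"FAS Agreement Administrators"}}
PRIVILEGE_PERMISSIONS = {
    "FAS Agreement Administrators": {"Add FAS Agreement", "Delete FAS Agreement"},
}
# Delegation: membership managers per group (constructed)
MEMBER_MANAGERS = {GROUP_LEGAL: {user_dn("bob")}}
# Self-service: attributes a user may edit on their own entry (names assumed)
SELF_WRITABLE = {"fasircnick", "faslocale", "fasgpgkeyid"}

def member_of(dn):
    """Compute the memberOf back reference transitively: user -> group -> role."""
    result, frontier = set(), {dn}
    while frontier:
        current = frontier.pop()
        for container, members in MEMBERS.items():
            if current in members and container not in result:
                result.add(container)
                frontier.add(container)
    return result

def permissions_for(dn):
    """Collect the permissions granted through every role the entry belongs to."""
    perms = set()
    for role in member_of(dn):
        for privilege in ROLE_PRIVILEGES.get(role, ()):
            perms |= PRIVILEGE_PERMISSIONS[privilege]
    return perms

def can_write_attribute(actor, target, attribute):  # self-service ACI
    return actor == target and attribute.lower() in SELF_WRITABLE

def can_manage_members(actor, group):  # delegation to membership managers
    return actor in MEMBER_MANAGERS.get(group, set())
```

    Here alice gains the FAS Agreement permissions only through group membership in a role, while bob, a membership manager of the group, gets no RBAC permission at all.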

  23. FreeIPA-FAS plugin
    ● Extended the user object with IRC nick, locale, GPG keys, etc.
    ● Additional group attributes such as url, IRC channel, mailing list
    ● Group: User agreements
    ● Access Control Information (ACIs)
    ○ Users can modify their own attributes
    ○ Users can self-manage group membership
    ○ Read access to FAS user and group information
    ● New permissions, privileges, roles, indexes, unique values
    ● Web UI extension
    Code: https://github.com/fedora-infra/freeipa-fas/

  24. Demonstration

  25. Contributing
    ● Repos are on GitHub, with a similar structure
    ● Unit tests and linting with tox
    ● Vagrant for local development
    ● Developer documentation in Noggin’s docs
    ● GitHub Project (Kanban) to track progress

  26. When my project has 100% code coverage...

  27. Thanks for listening!
    https://github.com/fedora-infra/noggin
    https://github.com/fedora-infra/fasjson
    https://github.com/freeipa/freeipa
    Freenode @ #fedora-aaa