simpler options than OAuth/OpenID for login #497

Open
luto opened this issue Jun 8, 2017 · 17 comments

@luto
Contributor

luto commented Jun 8, 2017

It's clear to see that using the FAS is perfect to handle logins on https://release-monitoring.org/. Most of the people using that instance are Fedora people anyway. For self-hosted instances this introduces an external dependency. Acquiring the necessary tokens also makes the setup more complicated than it needs to be.

Do you plan on enabling a simple login process with local users, either from the database or alternatively using just a text file? Would you consider a PR to add this?

@jeremycline
Member

I'm open to having local users, although we also have adding GitHub OAuth (#485) and fixing Google OAuth (#437) on the roadmap. At the moment, what's in master authentication-wise is somewhat different than what https://release-monitoring.org/ has, and needs a bit more work before it's release-ready (#485 (comment)), so it might be a turbulent time to also add local users. On the other hand, it might be worth considering it since we need to do some database modeling for users anyway.

@ncoghlan
Contributor

ncoghlan commented Jun 23, 2017

I'd personally advise against adding local user authentication support directly to Anitya itself, since it would make Anitya responsible for secure password management and all the complexity that comes with that (password resets, etc). Any such code would also inevitably end up being under-tested, since release-monitoring.org wouldn't be using it.

However, it would be good to have a documented way of running a simple OAuth2 server up locally so folks can more readily use their own identity provider, rather than relying on a third party one like FAS.

Ipsilon generally expects to be run in combination with a full IdM server like FreeIPA, so it's probably too complex to be suitable for that usage model.

Instead, an approach that may make more sense might be to use the example auth server from flask-oauthlib: https://flask-oauthlib.readthedocs.io/en/latest/oauth2.html

Since Anitya is only relying on the authentication flows and handling role-based access control itself, the OAuth2 server it talks to doesn't need to provide the full feature set offered by something like Ipsilon or Keycloak.

@pypingou
Member

> Ipsilon generally expects to be run in combination with a full IdM server like FreeIPA, so it's probably too complex to be suitable for that usage model.

Well, you can pick what Ipsilon relies on in the backend: it can be LDAP, with FreeIPA or not, but it can also be something much more simple such as system accounts (actual accounts on the server) or htpasswd used by Apache or even a file with username/password. So you can make it as complex or as simple as you wish.

@ncoghlan
Contributor

If there's a simple devel mode for Ipsilon (e.g. sqlite backed), then that would be ideal. However, if that's possible, it isn't clearly documented anywhere a Google search can find it.

@pypingou
Member

@puiterwijk can likely give more info, but Ipsilon is really quite flexible on what it can do.

@odra

odra commented Jan 22, 2019

I know this thread is a bit old, but is adding Keycloak support an option?

@Zlopez
Contributor

Zlopez commented Jan 22, 2019

We are already using python-social-auth, but I can look at the keycloak.

@odra

odra commented Jan 22, 2019

Just a bit of context: I was looking into using this for an internal team so I kind of needed a custom/internal login mechanism, which led me to ask about Keycloak - it can be an alternative way of providing custom login mechanisms without making Anitya responsible for that kind of tech.

@Zlopez
Contributor

Zlopez commented Jan 22, 2019

Look at the python-social-auth, maybe this will be enough for you.

@odra

odra commented Jan 22, 2019

@Zlopez I can work on a PR if there is interest (I kind of need it anyway)

@Zlopez
Contributor

Zlopez commented Jan 22, 2019

This is always welcomed. If you want to invest your time in this I will be glad to review it.

@odra

odra commented Jan 23, 2019

Hello, I am getting this error in social auth (in the callback url):

```
psycopg2.ProgrammingError: relation "social_auth_usersocialauth" does not exist
LINE 2: FROM social_auth_usersocialauth
```

It seems that the social tables were not created, do you know if there is a way to force its creation?

@Zlopez
Contributor

Zlopez commented Jan 23, 2019

Did you run the alembic migrations?

I recommend using Vagrant for the development environment, it will do everything for you.

@odra

odra commented Jan 23, 2019

Ah right, I didn't, I just created the app and rolled with it :)

Will give it a try and post the results

@odra

odra commented Jan 23, 2019

Still got the same error - I am trying to deploy it on OpenShift (fresh installation) so I don't need to import the db data into Postgres

I tried running the command and specifying the alembic.ini file path in the init function from the utilities module but it didn't change anything

@Zlopez
Contributor

Zlopez commented Jan 23, 2019

If you are trying to deploy this on openshift you could actually look at our roles for deploying in fedora infrastructure. Unfortunately the DB is handled separately. But still you could look - https://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/openshift-apps/release-monitoring?id=60f89dbe30a3ad24f7168d60f571d3658910b982

There should be actually some script for creating database - https://github.com/release-monitoring/anitya/blob/master/createdb.py

@odra

odra commented Jan 23, 2019

I am using the createdb.py but it doesn't create the social tables :(

Thanks for the links, I will take a look at the openshift templates 👍

@Zlopez Zlopez added this to Nice to have in Maintenance mode Apr 10, 2019