| author | Vincent Ambo <mail@tazj.in> | 2022-05-28T16·20+0200 |
|---|---|---|
| committer | tazjin <tazjin@tvl.su> | 2022-05-28T18·00+0000 |
| commit | c1bddf191f0f4ca9d14d254a29dfaaa0c49149b5 (patch) | |
| tree | 4f1ca31bfb75e0e305abd3a174102f2572c8f2ee /ops/deploy-whitby | |
| parent | 121fb136485e2f3fb5a6ed04bb3607a4dcaa8368 (diff) | |
feat(web/panettone): Implement OAuth2-based authentication r/4180
Instead of directly connecting to LDAP and attempting to bind usernames/password, authenticate users through an OAuth2 flow to Keycloak. This has the advantage of reusing the same SSO we already have for Gerrit, Buildkite, ...

However, much of panettone's functionality makes assumptions about LDAP being used. As a result there are some warts introduced by this (for now):

* Since LDAP DNs are used as primary keys for users, we have to construct fake DNs based on LDAP usernames. It might be sensible to migrate this to the UUIDs used by Keycloak eventually.
* LDAP is part of the serving path for issues (for fetching user information), however panettone no longer has a way to fetch arbitrary user information unless it is persisted in its database. To work around this, we construct a "fake" user based only on its DN (i.e. only the username is going to be "correct") and use that to serve issues.
* Email notifications no longer work (panettone can not access email addresses)

Some of these need to be worked around by persisting some of that information in the panettone database instead, as we don't want to give the service the ability to access arbitrary user information anymore. We can probably do this with the user settings feature that already exists and populate it on launch, but as of this commit email and displayName functionality is simply broken.

Change-Id: Id32bf5e09d67f0f1e883024c6e013eb342f03b05
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5772
Reviewed-by: grfn <grfn@gws.fyi>
Tested-by: BuildkiteCI
Diffstat (limited to 'ops/deploy-whitby')
0 files changed, 0 insertions, 0 deletions