#7 Updates to CPE Team on docs.fpo
Closed 3 years ago by pingou. Opened 4 years ago by amoloney.
cpe/ amoloney/docs master  into  master

file modified
+1
@@ -2,6 +2,7 @@ 

  ** xref:day_to_day_fedora.adoc[Day to day in Fedora]

  ** xref:day_to_day_centos.adoc[Day to day in CentOS]

  ** xref:initiatives.adoc[Initiatives]

+ *** xref:initiatives/AAA Project Requirements.adoc[AAA replacement]

Please don't use filenames with spaces, swap them with underscores or minuses.

  ** xref:sle.adoc[SLE]

  *** xref:sle_services.adoc[Services]

  * xref:about.adoc[About the Team]
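
Review bot: The xref target on the added line, "initiatives/AAA Project Requirements.adoc", contains spaces, while every other target in this nav list is lowercase with underscores (day_to_day_fedora.adoc, sle_services.adoc). Rename the file to match that convention, for example initiatives/aaa_project_requirements.adoc, and update this xref in the same commit so the link and the file name cannot drift apart.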

@@ -12,24 +12,22 @@ 

  engineering, and design. However, it brought the two infrastructures and

  teams closer to each other, allowing for more collaboration between them.

  

- There are 20 people on this consolidated team. The breakdown looks like this:

+ There are 25 people on this consolidated team. The breakdown looks like this:

  

  * In Fedora:

-   ** 3 dedicated system administrators

-   ** 5 dedicated developers

-   ** 1 doing both development and system administration

-   ** 1 doing both release engineering and system administration

This is Kevin basically :)

-   ** 1 person dedicated to Fedora CoreOS

+   ** 2 dedicated system administrators

+   ** 8 dedicated developers

    ** 2 release engineers

    ** 1 person dedicated to documentation

    ** 1 designer

+   ** 1 Intern

I am ok to include them, this does mean that we may need to update this list much more frequently.

  

  * In CentOS:

    ** 1 system administrator

-   ** 2 doing both development and system administration

+   ** 3 doing both development and system administration

    ** 1 dedicated to the build systems

  

- * There is also one additional person working on projects internal to Red Hat

+ * We also have a Product Owner working across both platforms and an Agile Practitioner coaching our team.

  

  As you can see, the team is both quite diverse as well as limited. For

  example, we do not have dedicated database administrators or network engineers,
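
Review bot: The new total of 25 does not match the breakdown listed under it. After this change the Fedora items add up to 15 (2 + 8 + 2 + 1 + 1 + 1) and the CentOS items to 5 (1 + 3 + 1), and counting the Product Owner and the Agile Practitioner brings that to 22. The previous text's 20 matched its own list, so either correct the total or add the roles that are missing from the breakdown.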

@@ -0,0 +1,285 @@ 

+  

+ 

+  +

+ 

+ [width="100%",cols="100%",]

+ |=======================================================================

+ a|

+  +

+ 

+ [cols=",",]

+ |=======================================================================

+ |PRD ID |PRD-002

+ 

+ |Platform |CentOS and Fedora

+ 

+ |Target Release Version |Apr. 2020

+ 

+ |JIRA Epic

+ |https://projects.engineering.redhat.com/secure/RapidBoard.jspa?rapidView=3796&view=planning.nodetail[AAA

Do we want to keep internal links here?

+ Board]

+ 

+ |Priority |#2

+ 

+ |Document status a|

+ image:/plugins/servlet/status-macro/placeholder?=&0=&colour=Grey&title=Initial+draft[image,width=88,height=18]

We may need to replace the image with a text here, as this is not going to work on docs.*.o :)

No need to replace them with text, you can grab the images, put them in modules/ROOT/assets/images, and link them with "image::filename.adoc[Caption,width,height]". There's an example in index.adoc near the top; the stuff in square brackets is all optional but at least the caption tends to be helpful.

+ 

+ |Feature Driver |Aoife Moloney

+ 

+ |CPE Tech Lead | +

+ 

+ |CPE Manager |__ +

+ __lgriffin

+ 

+ |Stakeholder Name |Leigh Griffin, Matthew Miller

+ 

+ |Public Tracker Link |TBD

+ |=======================================================================

+ 

+  +

+ 

+ ==== Document States

+ 

+ * [.status-macro .aui-lozenge .aui-lozenge-complete .conf-macro .output-inline]#WORKING

+ DRAFT#; this indicates that the document is being worked on currently,

+ but the initial draft has not been released.

+ * [.status-macro .aui-lozenge .conf-macro .output-inline]#INITIAL

+ DRAFT#; this indicates that an initial draft of the document has been

+ released for consumption to a wider audience.

+ * [.status-macro .aui-lozenge .aui-lozenge-current .conf-macro .output-inline]#UNDER

+ REVIEW#; this indicates that the document is released for review

+ comments.

+ * [.status-macro .aui-lozenge .aui-lozenge-success .conf-macro .output-inline]#PRIORITIZATION#;

+ this indicates that the review has been completed and development can

+ commence on this.

+ * [.status-macro .aui-lozenge .aui-lozenge-success .aui-lozenge-subtle .conf-macro .output-inline]#IN

+ DEVELOPMENT#; this indicates that the document is currently in the

+ Development phase.

+ * [.status-macro .aui-lozenge .aui-lozenge-error .aui-lozenge-subtle .conf-macro .output-inline]#RELEASED#;

+ this indicates that the requirements which were in scope were developed

+ tested and released as part of the product.

+ * [.status-macro .aui-lozenge .aui-lozenge-complete .aui-lozenge-subtle .conf-macro .output-inline]#PARKED#;

+ this specification is currently parked. There is no ongoing work on it.

+ 

+ |=======================================================================

+ 

+ == image:/plugins/servlet/roadmap/image/placeholder?hash=482873289b2db89c70cb8dbd021cefe8&width=1000&height=300&timeline=true[image]

+ 

+  +

+ 

+ == This requirements document assumes we are engaging with FreeIPA in the creation of the AAA replacement.

+ 

+ ==  +

+ image:/plugins/servlet/confluence/placeholder/macro?definition=e2FuY2hvcjpHZW5lcmFsIFJlcXVpcmVtZW50fQ&locale=en_GB&version=2[image]General Requirement

+ 

+ * The project must be in full working order by November 2020

+ * Fedora infra & systems must be running up to date software

+ applications

+ * People from the community must be able to create an account and manage

+ it

+ * AAA solution needs to continue to support other protocols for

+ authentication that includes those used by both Fedora & CentOS

+ * The portal needs to support x509 authentication

+ * Extra additional attributes must be available for users that are not

+ part of standard LDAP schema

+ * The solution provided by FreeIPA will provide group admins to add and

+ remove users to a group, and users don’t have to apply for membership to

+ a group

+ * Ipsilon needs to be able to interact with the AAA solution

+ 

+  +

+ 

+ == image:/plugins/servlet/confluence/placeholder/macro?definition=e2FuY2hvcjpHb2Fsc30&locale=en_GB&version=2[image]Goals

+ 

+ * FreeIPA API and LDAP data is only available to authorized users

+ * Users must be able to create, manage and disable their own account

+ * Members of the system can be organized by groups

+ * Different permissions are available per group (sponsors of groups,

+ etc)

+ * A current user will be automatically migrated to the new service*

+ * Retire the old FAS account system +

+  +

+ The below goal is under discussion with the indented goal having a

+ dependency on the outcome of the first

+ * _Unification of CentOS & Fedora accounts under one authorization &

+ authentication service - this goal is currently under discussion with

+ CPE management & CentOS Council_

+ ** The new AAA solution is deployed in both Fedora & CentOS

+ infrastructure

+ 

+  +

+ 

+ == image:/plugins/servlet/confluence/placeholder/macro?definition=e2FuY2hvcjpCYWNrZ3JvdW5kIGFuZCBzdHJhdGVnaWMgZml0fQ&locale=en_GB&version=2[image]Background and strategic fit

+ 

+ The original FAS application was used as the main authorization system

+ by all contributors to gain access to Fedora infrastructure & systems.

+ The original code was written in Python and now has a number of security

+ issues. It is also only compatible with RHEL 6 or earlier, which is due

+ to EOL in November 2020. The current application is unusable on RHEL7, 8

+ and future releases and will also no longer function after this date.

+ 

+ It is important to the CPE team to have a solution in place as there is

+ a need for an authentication service to exist on entry to both Fedora

+ and CentOS infrastructure and systems for security purposes.

+ 

+ By having this service available in both infrastructures will also unify

+ CentOS & Fedora, making it easier for each community member to

+ contribute to either Fedora or CentOS using the same account.

+ 

+  +

+ 

+ == image:/plugins/servlet/confluence/placeholder/macro?definition=e2FuY2hvcjpBc3N1bXB0aW9uc30&locale=en_GB&version=2[image]Assumptions

+ 

+ * The solution will adhere to privacy policies and will be cleared by RH

+ legal

+ * Read only API access to the system is running in container and

+ isolated from the main server (this may be a technical requirement also)

+ * Specific functionalities or features that are part of this plugin are

+ not maintained by CPE, they are maintained by FreeIPA

+ * Schema extension will be maintained by FreeIPA

+ * CPE will write, run and maintain the web portal

+ * CPE can escalate issues to FreeIPA for support and receive a timely

+ resolution

+ * We will be using Ipsilon throughout the development of this solution

+ 

+ == image:/plugins/servlet/confluence/placeholder/macro?definition=e2FuY2hvcjpSaXNrc30&locale=en_GB&version=2[image] Risks

+ 

+ _*This section will be added to as risks are identified during the

+ technical scoping sessions*_

+ 

+  +

+ 

+ == image:/plugins/servlet/confluence/placeholder/macro?definition=e2FuY2hvcjpVc2VyIGludGVyYWN0aW9uIC0gQ29tbXVuaXR5IEZhY2luZ30&locale=en_GB&version=2[image]User Experience

+ 

+ When designing the solution, we need to keep in mind the different types

+ of users the portal will service and what their expectations will be

+ when using:

+ 

+ _*This section of the spec will be filled in a later refinement session

+ once development has begun*_

+ 

+ *Types of Users:*

+ 

+ * *Administrator (users of the system)*

+ ** Expectations:

+ 

+ * +

+ *

+ 

+ * +

+ *

+ 

+ * *Community*

+ ** Expectations:

+ 

+  +

+ 

+  +

+ 

+ * *Group sponsor*

+ ** Expectations:

+ 

+  +

+ 

+  +

+ 

+ * *SIG Member*

+ ** Expectations:

+ 

+  +

+ 

+ == image:/plugins/servlet/confluence/placeholder/macro?definition=e2FuY2hvcjpDb25zaWRlcmF0aW9uc30&locale=en_GB&version=2[image]Considerations

+ 

+ * Other impacted applications recorded, ie is there applications that we

+ need to make code changes to, etc

+ * We may need to consider how much work will be involved in

+ decommissioning the current FAS Client once the new solution is

+ available

+ * We will need to identify our best way to communicate changes and

+ developments to the community, ie through council, inc in weekly

+ updates, blog postings

+ * We will need to define how we are going to move current users of the

+ FAS Client to the new solution

+ ** We can sync attributes directly from FAS, but we cannot sync

+ passwords so we need to address this challenge

+ * Password reset conditions need to adhere to GDPR policies +

+  +

+ 

+  +

+ 

+ == image:/plugins/servlet/confluence/placeholder/macro?definition=e2FuY2hvcjpEb2N1bWVudGF0aW9uIFJlcXVpcmVkfQ&locale=en_GB&version=2[image]Documentation Required

+ 

+ User manual for team

+ 

+ Upstream manuals

+ 

+ Ansible playbook to automate the deployment and make changes

+ 

+ https://projects.engineering.redhat.com/secure/RapidBoard.jspa?rapidView=3629[AAA

+ Kanban Board]

+ 

+ https://docs.google.com/document/d/152-q1UIy8P8dHkZwIyQgEiQLX-fUFGmsNzbzb7WtstQ/edit#heading=h.9ca8vv41aj9o[Technical

+ Spec]

+ 

+ https://drive.google.com/drive/folders/1GWxXIp9RAbB0BlrXkgv3UyeMfPDblgln[Requirements

+ Proposal Folder]

+ 

+  +

+ 

+ == image:/plugins/servlet/confluence/placeholder/macro?definition=e2FuY2hvcjpEZXRhaWxlZCBSZXF1aXJlbWVudHN9&locale=en_GB&version=2[image]Detailed Requirements

+ 

+ The table below represents the detailed requirements which are in scope.

+ 

+ [width="99%",cols="3%,25%,21%,12%,39%",options="header",]

+ |=======================================================================

+ |# |Title |User Story/Description |JIRA Epic Link |Notes

+ |1 |New User Workflow |As a new user, |TBF |TBF

+ 

+ |2 |Existing User Workflow |As a current user, | + | +

+ 

+ |3 |Incremental Deployment |As a developer, what is the minimum product

+ I can release in Staging/Production for testing and feedback | + | +

+ 

+ | + | + | + | + | +

+ |=======================================================================

+ 

+ ==  +

+ image:/plugins/servlet/confluence/placeholder/macro?definition=e2FuY2hvcjpRdWVzdGlvbnN9&locale=en_GB&version=2[image]Questions

+ 

+ Below is a list of questions to be addressed as a result of this

+ requirements document:

+ 

+  +

+ 

+ [width="99%",cols="49%,38%,8%,5%",]

+ |=======================================================================

+ |*Questions* |*Status/Answers* |*Time Stamp* |*Initials*

+ 

+ |Should the API be based on an SSSD |Yes, but in future development | +

+ | +

+ 

+ |Is the portal going to be built using keycloak? |Not at this time | +

+ | +

+ 

+ |Should we use staged approaches for deployment and testing? |Yes | +

+ | +

+ 

+ |What are the stages we will deploy in? |Under Review with Team

+ |2019-12-03 |AM, CV

+ 

+ |Do we need to migrate FreeIPA servers to RHEL 8 in order to benefit

+ from FreeIPA’s solution for CPE? |Yes or we may need/like to backport

+ their solution | + | +

+ 

+ |Should we unify CentOS & Fedora under this solution |This is currently

+ being discussed at a higher level and a decision is pending | + | +

+ |=======================================================================

+ 

+ == image:/plugins/servlet/confluence/placeholder/macro?definition=e2FuY2hvcjpPdXQgb2YgU2NvcGV9&locale=en_GB&version=2[image]Out of Scope

+ 

+ * Using Keycloak for the solution is currently out of scope for this

+ project due to the aggressive timeline in place for the solution to be

+ working by. +

+  +

+ 

+  
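
Review bot: The new file publishes links to internal resources on a public docs site: the JIRA Epic row and the Documentation Required section both point at projects.engineering.redhat.com boards, and the Technical Spec and Requirements Proposal Folder entries point at Google Docs and Drive. Confirm each target is meant to be public and readable by community members, or drop it and fill in the Public Tracker Link row, which is still TBD. The image:/plugins/servlet/... macros (status, roadmap and the anchor placeholders in every section heading) and the .aui-lozenge role spans in Document States are Confluence export residue that will not resolve here; replace them with plain section titles and text or local images before merging.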

We may need to replace the image with a text here, as this is not going to work on docs.*.o :)

I am ok to include them, this does mean that we may need to update this list much more frequently.

I'll keep it updated as it will be part of my remit to update the team wiki & project statuses on it too :)

Do we want to keep internal links here?

No they need to be updated - or the entire page removed if possible. It is out of date.

This is Kevin basically :)

Pretty much haha!

Please don't use filenames with spaces, swap them with underscores or minuses.

No need to replace them with text, you can grab the images, put them in modules/ROOT/assets/images, and link them with "image::filename.adoc[Caption,width,height]". There's an example in index.adoc near the top; the stuff in square brackets is all optional but at least the caption tends to be helpful.

Pull-Request has been closed by pingou

3 years ago