@@ -0,0 +1,285 @@
+
+
+ +
+
+ [width="100%",cols="100%",]
+ |=======================================================================
+ a|
+ +
+
+ [cols=",",]
+ |=======================================================================
+ |PRD ID |PRD-002
+
+ |Platform |CentOS and Fedora
+
+ |Target Release Version |Apr. 2020
+
+ |JIRA Epic
+ |https://projects.engineering.redhat.com/secure/RapidBoard.jspa?rapidView=3796&view=planning.nodetail[AAA
+ Board]
+
+ |Priority |#2
+
+ |Document status a|
+ image:/plugins/servlet/status-macro/placeholder?=&0=&colour=Grey&title=Initial+draft[image,width=88,height=18]
+
+ |Feature Driver |Aoife Moloney
+
+ |CPE Tech Lead | +
+
+ |CPE Manager |__ +
+ __lgriffin
+
+ |Stakeholder Name |Leigh Griffin, Matthew Miller
+
+ |Public Tracker Link |TBD
+ |=======================================================================
+
+ +
+
+ ==== Document States
+
+ * [.status-macro .aui-lozenge .aui-lozenge-complete .conf-macro .output-inline]#WORKING
+ DRAFT#; this indicates that the document is being worked on currently,
+ but the initial draft has not been released.
+ * [.status-macro .aui-lozenge .conf-macro .output-inline]#INITIAL
+ DRAFT#; this indicates that an initial draft of the document has been
+ released for consumption to a wider audience.
+ * [.status-macro .aui-lozenge .aui-lozenge-current .conf-macro .output-inline]#UNDER
+ REVIEW#; this indicates that the document is released for review
+ comments.
+ * [.status-macro .aui-lozenge .aui-lozenge-success .conf-macro .output-inline]#PRIORITIZATION#;
+ this indicates that the review has been completed and development can
+ commence on this.
+ * [.status-macro .aui-lozenge .aui-lozenge-success .aui-lozenge-subtle .conf-macro .output-inline]#IN
+ DEVELOPMENT#; this indicates that the document is currently in the
+ Development phase.
+ * [.status-macro .aui-lozenge .aui-lozenge-error .aui-lozenge-subtle .conf-macro .output-inline]#RELEASED#;
+ this indicates that the requirements which were in scope were developed
+ tested and released as part of the product.
+ * [.status-macro .aui-lozenge .aui-lozenge-complete .aui-lozenge-subtle .conf-macro .output-inline]#PARKED#;
+ this specification is currently parked. There is no ongoing work on it.
+
+ |=======================================================================
+
+ == image:/plugins/servlet/roadmap/image/placeholder?hash=482873289b2db89c70cb8dbd021cefe8&width=1000&height=300&timeline=true[image]
+
+ +
+
+ == This requirements document assumes we are engaging with FreeIPA in the creation of the AAA replacement.
+
+ == +
+ image:/plugins/servlet/confluence/placeholder/macro?definition=e2FuY2hvcjpHZW5lcmFsIFJlcXVpcmVtZW50fQ&locale=en_GB&version=2[image]General Requirement
+
+ * The project must be in full working order by November 2020
+ * Fedora infra & systems must be running up to date software
+ applications
+ * People from the community must be able to create an account and manage
+ it
+ * AAA solution needs to continue to support other protocols for
+ authentication that includes those used by both Fedora & CentOS
+ * The portal needs to support x509 authentication
+ * Extra additional attributes must be available for users that are not
+ part of standard LDAP schema
+ * The solution provided by FreeIPA will provide group admins to add and
+ remove users to a group, and users don’t have to apply for membership to
+ a group
+ * Ipsilon needs to be able to interact with the AAA solution
+
+ +
+
+ == image:/plugins/servlet/confluence/placeholder/macro?definition=e2FuY2hvcjpHb2Fsc30&locale=en_GB&version=2[image]Goals
+
+ * FreeIPA API and LDAP data is only available to authorized users
+ * Users must be able to create, manage and disable their own account
+ * Members of the system can be organized by groups
+ * Different permissions are available per group (sponsors of groups,
+ etc)
+ * A current user will be automatically migrated to the new service*
+ * Retire the old FAS account system +
+ +
+ The below goal is under discussion with the indented goal having a
+ dependency on the outcome of the first
+ * _Unification of CentOS & Fedora accounts under one authorization &
+ authentication service - this goal is currently under discussion with
+ CPE management & CentOS Council_
+ ** The new AAA solution is deployed in both Fedora & CentOS
+ infrastructure
+
+ +
+
+ == image:/plugins/servlet/confluence/placeholder/macro?definition=e2FuY2hvcjpCYWNrZ3JvdW5kIGFuZCBzdHJhdGVnaWMgZml0fQ&locale=en_GB&version=2[image]Background and strategic fit
+
+ The original FAS application was used as the main authorization system
+ by all contributors to gain access to Fedora infrastructure & systems.
+ The original code was written in Python and now has a number of security
+ issues. It is also only compatible with RHEL 6 or earlier, which is due
+ to EOL in November 2020. The current application is unusable on RHEL7, 8
+ and future releases and will also no longer function after this date.
+
+ It is important to the CPE team to have a solution in place as there is
+ a need for an authentication service to exist on entry to both Fedora
+ and CentOS infrastructure and systems for security purposes.
+
+ By having this service available in both infrastructures will also unify
+ CentOS & Fedora, making it easier for each community member to
+ contribute to either Fedora or CentOS using the same account.
+
+ +
+
+ == image:/plugins/servlet/confluence/placeholder/macro?definition=e2FuY2hvcjpBc3N1bXB0aW9uc30&locale=en_GB&version=2[image]Assumptions
+
+ * The solution will adhere to privacy policies and will be cleared by RH
+ legal
+ * Read only API access to the system is running in container and
+ isolated from the main server (this may be a technical requirement also)
+ * Specific functionalities or features that are part of this plugin are
+ not maintained by CPE, they are maintained by FreeIPA
+ * Schema extension will be maintained by FreeIPA
+ * CPE will write, run and maintain the web portal
+ * CPE can escalate issues to FreeIPA for support and receive a timely
+ resolution
+ * We will be using Ipsilon throughout the development of this solution
+
+ == image:/plugins/servlet/confluence/placeholder/macro?definition=e2FuY2hvcjpSaXNrc30&locale=en_GB&version=2[image] Risks
+
+ _*This section will be added to as risks are identified during the
+ technical scoping sessions*_
+
+ +
+
+ == image:/plugins/servlet/confluence/placeholder/macro?definition=e2FuY2hvcjpVc2VyIGludGVyYWN0aW9uIC0gQ29tbXVuaXR5IEZhY2luZ30&locale=en_GB&version=2[image]User Experience
+
+ When designing the solution, we need to keep in mind the different types
+ of users the portal will service and what their expectations will be
+ when using:
+
+ _*This section of the spec will be filled in a later refinement session
+ once development has begun*_
+
+ *Types of Users:*
+
+ * *Administrator (users of the system)*
+ ** Expectations:
+
+ * +
+ *
+
+ * +
+ *
+
+ * *Community*
+ ** Expectations:
+
+ +
+
+ +
+
+ * *Group sponsor*
+ ** Expectations:
+
+ +
+
+ +
+
+ * *SIG Member*
+ ** Expectations:
+
+ +
+
+ == image:/plugins/servlet/confluence/placeholder/macro?definition=e2FuY2hvcjpDb25zaWRlcmF0aW9uc30&locale=en_GB&version=2[image]Considerations
+
+ * Other impacted applications recorded, ie is there applications that we
+ need to make code changes to, etc
+ * We may need to consider how much work will be involved in
+ decommissioning the current FAS Client once the new solution is
+ available
+ * We will need to identify our best way to communicate changes and
+ developments to the community, ie through council, inc in weekly
+ updates, blog postings
+ * We will need to define how we are going to move current users of the
+ FAS Client to the new solution
+ ** We can sync attributes directly from FAS, but we cannot sync
+ passwords so we need to address this challenge
+ * Password reset conditions need to adhere to GDPR policies +
+ +
+
+ +
+
+ == image:/plugins/servlet/confluence/placeholder/macro?definition=e2FuY2hvcjpEb2N1bWVudGF0aW9uIFJlcXVpcmVkfQ&locale=en_GB&version=2[image]Documentation Required
+
+ User manual for team
+
+ Upstream manuals
+
+ Ansible playbook to automate the deployment and make changes
+
+ https://projects.engineering.redhat.com/secure/RapidBoard.jspa?rapidView=3629[AAA
+ Kanban Board]
+
+ https://docs.google.com/document/d/152-q1UIy8P8dHkZwIyQgEiQLX-fUFGmsNzbzb7WtstQ/edit#heading=h.9ca8vv41aj9o[Technical
+ Spec]
+
+ https://drive.google.com/drive/folders/1GWxXIp9RAbB0BlrXkgv3UyeMfPDblgln[Requirements
+ Proposal Folder]
+
+ +
+
+ == image:/plugins/servlet/confluence/placeholder/macro?definition=e2FuY2hvcjpEZXRhaWxlZCBSZXF1aXJlbWVudHN9&locale=en_GB&version=2[image]Detailed Requirements
+
+ The table below represents the detailed requirements which are in scope.
+
+ [width="99%",cols="3%,25%,21%,12%,39%",options="header",]
+ |=======================================================================
+ |# |Title |User Story/Description |JIRA Epic Link |Notes
+ |1 |New User Workflow |As a new user, |TBF |TBF
+
+ |2 |Existing User Workflow |As a current user, | + | +
+
+ |3 |Incremental Deployment |As a developer, what is the minimum product
+ I can release in Staging/Production for testing and feedback | + | +
+
+ | + | + | + | + | +
+ |=======================================================================
+
+ == +
+ image:/plugins/servlet/confluence/placeholder/macro?definition=e2FuY2hvcjpRdWVzdGlvbnN9&locale=en_GB&version=2[image]Questions
+
+ Below is a list of questions to be addressed as a result of this
+ requirements document:
+
+ +
+
+ [width="99%",cols="49%,38%,8%,5%",]
+ |=======================================================================
+ |*Questions* |*Status/Answers* |*Time Stamp* |*Initials*
+
+ |Should the API be based on an SSSD |Yes, but in future development | +
+ | +
+
+ |Is the portal going to be built using keycloak? |Not at this time | +
+ | +
+
+ |Should we use staged approaches for deployment and testing? |Yes | +
+ | +
+
+ |What are the stages we will deploy in? |Under Review with Team
+ |2019-12-03 |AM, CV
+
+ |Do we need to migrate FreeIPA servers to RHEL 8 in order to benefit
+ from FreeIPA’s solution for CPE? |Yes or we may need/like to backport
+ their solution | + | +
+
+ |Should we unify CentOS & Fedora under this solution |This is currently
+ being discussed at a higher level and a decision is pending | + | +
+ |=======================================================================
+
+ == image:/plugins/servlet/confluence/placeholder/macro?definition=e2FuY2hvcjpPdXQgb2YgU2NvcGV9&locale=en_GB&version=2[image]Out of Scope
+
+ * Using Keycloak for the solution is currently out of scope for this
+ project due to the aggressive timeline in place for the solution to be
+ working by. +
+ +
+
+
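Review bot: the nested metadata table will not render, because the inner table opened by `[cols=",",]` / `|=======` inside the `a|` cell reuses the outer table's `|===` delimiter, so Asciidoctor treats the inner closing `|=======` (the one just before `==== Document States`) as the end of the outer table, and the Document States list plus the final `|=======` spill out as broken text. A table nested in an AsciiDoc cell must use `!===` as its delimiter and `!` as the cell separator (e.g. `!PRD ID !PRD-002`), or, simpler here, the metadata table should be lifted out of the outer table, which carries nothing else. Three smaller points in the same file: the `image:/plugins/servlet/...` references in the section headings and in the Document status cell are Confluence-relative placeholder macros that resolve nowhere outside Confluence, so the heading text (`General Requirement`, `Goals`, and so on) should stand alone; the two `== +` lines produce empty headings; and the trailing `*` on `A current user will be automatically migrated to the new service*` points at no footnote, while the Considerations section states that passwords cannot be synced from FAS, so the goal should say what "automatically" covers (attributes, not credentials). One point on the requirements themselves: the isolation of the read-only API in a container appears only under Assumptions, flagged with `(this may be a technical requirement also)`; since it is the only control named for the goal `FreeIPA API and LDAP data is only available to authorized users`, it belongs in the Detailed Requirements table rather than in the Assumptions list.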
Please don't use filenames with spaces, swap them with underscores or minuses.