#10239 Fedora packager sponsors - Kerberos service principal
Closed: Fixed 2 years ago by frostyx. Opened 2 years ago by frostyx.

I created and maintain the site with Fedora packager sponsors
https://docs.pagure.org/fedora-sponsors/

It is a static site deployed on docs.pagure.org. Although it is a static site, it needs to be periodically rebuilt to display new sponsors or their settings. This can be done daily, or even weekly, both are fine.

Here is my deployment script
https://gist.github.com/FrostyX/13fdf75cdab40087087f0f22bb45fef7

I would like to run this via Cron at frostyx@fedorapeople.org but the problem is that it requires running fkinit first.

Describe what you would like us to do:

@mbooth mentioned "Kerberos service principals", which, I assume, are basically application passwords that can be generated and used instead of personal credentials. Can you please create something like this for me? Or anything else that would help my situation.

When do you need this to be done by? (YYYY/MM/DD)

When it fits your schedule


Metadata Update from @zlopez:
- Issue priority set to: Waiting on Assignee (was: Needs Review)
- Issue tagged with: low-gain, medium-trouble, ops

2 years ago

So, that's not going to be an option here. Fedorapeople is a shared server and we do not want people to store private credentials there. :(

So, let's think of alternatives...

What are the requirements here? You need to build the site and push it to the repo? What exactly are the credentials needed for?

> So, that's not going to be an option here. Fedorapeople is a shared server and we do not want people to store private credentials there. :(
>
> So, let's think of alternatives...

Alright :-)

> What are the requirements here?

Very simple. I have a script that I want to be executed weekly. It doesn't really matter to me what server is going to run it.

> You need to build the site and push it to the repo?

Indeed, the script pushes things to ssh://git@pagure.io/docs/fedora-sponsors.git. That shouldn't be a problem, I can AFAIK generate some application key for that.

> What exactly are the credentials needed for?

This tracebacks if you don't do fkinit first.

```python
# Creating the client fails with a traceback unless fkinit was run first
from fasjson_client import Client
Client("https://fasjson.fedoraproject.org/")
```

For the record, in fasjson_client version 1.0.1 (F35+) it is possible to specify auth=False when initializing the Client.
https://github.com/fedora-infra/fasjson-client/pull/85
But it is meant only for testing purposes and it doesn't work for me on the production instance, so I guess this won't be an option.

What about using the @fedorathirdparty user for this? The purpose of this user is to give read-only access to the accounts system from scripts. The password for this user is widely known to all packagers, QA and sysadmins who know where to find it. You can create a Kerberos keytab from the password using ktutil.

Yes, I suppose that could work, but fedorapeople shouldn't be used here. It's not meant for building things, just sharing them.

> What about using @fedorathirdparty user for this?

@mizdebsk sent me detailed instructions on how to set up the @fedorathirdparty user, and it worked perfectly, thank you very much.

> but fedorapeople shouldn't be used here

No problem. I configured a cronjob on my personal server. It is not exclusive, so in case of a bus factor scenario, anybody can configure their own cronjob anywhere else. In case you ever decided that you want me to move the cronjob to some more official place, just let me know.

I wrote short information about the deployment here
https://github.com/FrostyX/fedora-sponsors#deployment-automation

Metadata Update from @frostyx:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

2 years ago
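
The keytab-plus-cron setup discussed in this ticket, sketched as an added example (not taken from the ticket or from the linked deployment script). The keytab path, the deploy script path, the realm placeholder and the function names are assumptions; the wrapper refuses a keytab that other local users could read and keeps the ticket in a per-run cache that is destroyed afterwards.

```shell
#!/usr/bin/env bash
# Added example: cron wrapper for a job that needs a Kerberos ticket from a keytab.
# All three defaults below are assumptions, override them in the crontab environment.
KEYTAB="${KEYTAB:-$HOME/.config/fedora-sponsors/thirdparty.keytab}"  # hypothetical path
PRINCIPAL="${PRINCIPAL:-fedorathirdparty@REALM.PLACEHOLDER}"         # realm is a placeholder
DEPLOY="${DEPLOY:-$HOME/fedora-sponsors/deploy.sh}"                  # hypothetical path

# Succeed only if the keytab is a regular file (not a symlink), owned by the
# current user, with no permission bits for group or others (0600, 0400, ...).
keytab_is_private() {
    local f="$1" mode owner
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    mode=$(stat -c '%a' "$f") || return 1
    owner=$(stat -c '%u' "$f") || return 1
    [ "$owner" = "$(id -u)" ] || return 1
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Get a ticket into a private per-run credential cache, run the given command,
# then always destroy the cache. Returns the command's exit status, or
# 2 (keytab rejected), 3 (no temp file), 4 (kinit failed).
run_with_ticket() {
    local cache rc=0
    if ! keytab_is_private "$KEYTAB"; then
        echo "refusing keytab $KEYTAB: missing or readable by others" >&2
        return 2
    fi
    cache=$(mktemp "${TMPDIR:-/tmp}/krb5cc_sponsors.XXXXXX") || return 3
    export KRB5CCNAME="FILE:$cache"
    if kinit -k -t "$KEYTAB" "$PRINCIPAL"; then
        "$@" || rc=$?
    else
        rc=4
    fi
    kdestroy -q 2>/dev/null || true
    rm -f "$cache"
    return "$rc"
}

# Crontab entry would call this script with --run, e.g. once a week.
if [ "${1:-}" = "--run" ]; then
    run_with_ticket "$DEPLOY"
fi
```
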
