#5843 set some passwords in private.git
Closed: Fixed 6 years ago Opened 7 years ago by msuchy.

Hi,
we are setting up Module Build Service (MBS) for Copr and we need to set up a few private parts in private.git, which will be used by our playbooks in ansible.git.

Please create these variables:

- {{ copr_mbs_client_secret }} - this should be the client secret for id.fedoraproject.org (alternatively you can tell me in which variable this secret is already stored and we can use that one).
- {{ copr_mbs_secret_key }} - any random string


Please note that since the COPR MBS setup would be different from mbs.fedoraproject.org, you will need your own client secret and cannot reuse theirs.
Also, MBS is going to add a way to configure the used scopes per installation, so please wait for that to be merged and get your own scopes registered, to keep mbs.fp.o and COPR-MBS tokens separate.

Thank you @puiterwijk,

> Please note that since the COPR MBS setup would be different from mbs.fedoraproject.org, you will need your own client secret and cannot reuse theirs.

Sure, we've expected that. But we still need to create the copr_mbs_client_secret variable in private.git.

> please wait for that to be merged and get your own scopes registered

The ticket is closed now, can you please briefly let us know how we can "get our scopes registered"?

Also, I can see OIDC_REQUIRED_SCOPE in MBS config so I guess once we have it registered, we just set this constant.

Metadata Update from @kevin:
- Issue tagged with: authentication

7 years ago

Do you have an OIDC scope to use registered yet?
If you can just register your scopes on the wiki, and request it here, I will create it at the same time.

I'd really not like you to start with the mbs.fedoraproject.org scopes, and prefer that you start out with your own.

Hello @puiterwijk, I am sorry for the delay. We've reconsidered our goals and I've implemented a way to submit module builds into MBS without authentication, because our users will submit the build into copr-frontend (this part requires authentication, but uses standard tokens to the copr API), and then only the frontend will communicate with the MBS. We trust this communication path so we don't need the authentication even there. It could be added in the future, but let's skip it for now. Please see https://pagure.io/fm-orchestrator/pull-request/461 for more details.

This means we don't need to set up copr_mbs_client_secret anymore and we don't need to set up OIDC scopes as we discussed. From the original description, we need only copr_mbs_secret_key.

Also, can I ask you to create a private variable copr_mbs_cli_token for us? It should be a string of 30 characters. Small letters only. e.g. wythdwozlhncackikunnkgbyfcwjis

Thank you,
and my apologies for the inaccurate original description

These secrets have been generated and configured.
Let us know if you need anything else.

Metadata Update from @puiterwijk:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

6 years ago
