<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<br>
On Thursday, 20 June 2013 18:16:51 UTC+2, Eric Helms wrote:
<blockquote class="gmail_quote" style="margin: 0;margin-left:
0.8ex;border-left: 1px #ccc solid;padding-left: 1ex;">
<div dir="ltr">Would you mind including as part of this
definitions of the terms used in the user stories?<br>
</div>
</blockquote>
<div><br>
Sure:<br>
* request - an HTTP/HTTPS request<br>
* secret - (similar to a token, ticket or key) the client asks Signo
to generate one for her and it is used to sign the requests to the
server. The server can ask Signo for the same secret assigned to your
name and check whether the request was signed by that secret (it compares
the computed signature, as can be seen on the diagram). A user can have
multiple secrets <br>
* secret expiration - how long the secret remains valid (similar
to cookie expiration)<br>
Did I miss anything?<br>
<br>
</div>
<blockquote class="gmail_quote" style="margin: 0;margin-left:
0.8ex;border-left: 1px #ccc solid;padding-left: 1ex;">
<div dir="ltr">
<div><br>
<div class="gmail_quote">On Thu, Jun 20, 2013 at 12:07 PM,
Martin Bacovsky <span dir="ltr"><mbac...@redhat.com></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">I'm
working with Marek on integration of Signo in CLI and API.
As we are building it from scratch we would like to invite
broader audience for discussion and to help us make it
right.<br>
<br>
We have prepared diagram [1] describing the expected
communication between all the participants.<br>
<br>
Here are user stories we put together with Marek and
Tomas:<br>
<br>
* As a CLI user I would like to use Signo for
authentication<br>
</blockquote>
<div> </div>
<div>Is a CLI user going to know (or care) what the backend
handling authorization is? Unless there are other options
for the user to select what service is handling
authentication, this seems like an unneeded user story.<br>
</div>
</div>
</div>
</div>
</blockquote>
<div><br>
Agree, I'll remove it <br>
</div>
<blockquote class="gmail_quote" style="margin: 0;margin-left:
0.8ex;border-left: 1px #ccc solid;padding-left: 1ex;">
<div dir="ltr">
<div>
<div class="gmail_quote">
<div>
</div>
<div><br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
* As a CLI user I would like to choose from multiple
secrets to sign my request<br>
* As a CLI user I would like to have set the last
requested secret as a default<br>
* As a CLI user I would like to set the default secret<br>
* As a CLI user I would like to see list of my secrets
with their expiration and issue dates<br>
* As a CLI user I would like to set expiration in the
request (e.g. longer for cron jobs)<br>
* As a CLI user I would like to limit scope of actions the
secret authorizes me to do<br>
</blockquote>
<div><br>
</div>
<div>If I am a CLI user, why would I want to limit what
actions I can perform on the CLI? Is this something an
"admin" would want to restrict for users of the system?</div>
</div>
</div>
</div>
</blockquote>
<div><br>
The idea behind it is that the secret allows the holder to do
things under my username. If I e.g. want to have a secret for my
cron job to sync some content, I need the secret to be valid long
term and would also like to limit the holder to just the
necessary subset of my permissions. It is for security reasons.
But definitely low priority. I've seen a similar feature on GitHub,
where you can issue a token for your script to access your data on
GH, but you can limit it to just some repos. <br>
</div>
<blockquote class="gmail_quote" style="margin: 0;margin-left:
0.8ex;border-left: 1px #ccc solid;padding-left: 1ex;">
<div dir="ltr">
<div>
<div class="gmail_quote">
<div> </div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
* As a CLI user I would like to be able to disable the
secret<br>
* As a CLI user I would like to be able to remove expired
secrets<br>
* As a Signo user I would like to see all my secrets via
Web UI<br>
* As a Signo user I would like to disable particular
secret via Web UI<br>
* As a Signo user I would like to create secret via WebUI<br>
* As a CLI user I would like to use secret created in
WebUI (sync/store?)<br>
<br>
and last but not least is list of things we need to
brainstorm first:<br>
<br>
* In CLI how to handle an attempt to auth a request with an
invalid cert? (error/try to get a new secret)<br>
* Shouldn't we disable passing passwords as a parameter on the
command line? What use cases could it break? UX?<br>
* How to protect stored secrets on client?<br>
<br>
Comments (especially to unresolved topics) are highly
appreciated.<br>
<br>
Cheers,<br>
Martin<br>
<br>
<br>
[1] <a
href="https://github.com/mbacovsky/foreman_cli_draft/tree/master/signo_integration"
target="_blank">https://github.com/mbacovsky/foreman_cli_draft/tree/master/signo_integration</a><br>
<br>
_______________________________________________<br>
katello-devel mailing list<br>
katell...@redhat.com<br>
<a
href="https://www.redhat.com/mailman/listinfo/katello-devel"
target="_blank">https://www.redhat.com/mailman/listinfo/katello-devel</a><br>
</blockquote>
</div>
<br>
</div>
</div>
</blockquote>
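<div><br>
The signing scheme described in the thread above (the client obtains a
secret from Signo and signs each request with it; the server fetches the
same secret by user name, recomputes the signature and compares), together
with the expiration and scope limits from the cron-job discussion, as an
added worked example. This is illustration code written for this page, not
Signo's or the Foreman CLI's own code: the in-memory <code>FakeSigno</code>
store, the <code>Authorization: Signo ...</code> header layout, HMAC-SHA256
over method, path, body digest and timestamp, and the 300-second replay
window are all assumptions of the example, and the user name and request
bodies in <code>demo</code> are constructed sample data.<br>
</div>

```ruby
require 'openssl'
require 'securerandom'
require 'time'

# In-memory stand-in for Signo's secret store. This is an assumption for the
# example, not the real Signo API: it models only what the thread describes
# (issue a secret for a user with an expiration and a scope, disable it, and
# look it up by user and id so the server can recompute the signature).
class FakeSigno
  Secret = Struct.new(:id, :value, :user, :issued_at, :expires_at, :scope, :disabled)

  def initialize
    @secrets = Hash.new { |h, k| h[k] = {} }
  end

  # +ttl+ in seconds; +scope+ lists the actions this secret may authorize.
  def issue(user, ttl:, scope: [:all], now: Time.now)
    s = Secret.new(SecureRandom.hex(4), SecureRandom.hex(32), user, now, now + ttl, scope, false)
    @secrets[user][s.id] = s
    s
  end

  def disable(user, id)
    s = @secrets[user][id]
    s.disabled = true if s
  end

  # What the server asks Signo for: the secret with this id assigned to this user.
  def lookup(user, id)
    @secrets[user][id]
  end

  def list(user)
    @secrets[user].values
  end
end

MAX_SKEW = 300 # seconds; bounds how long a captured signed request stays replayable

# The signature covers method, path, a digest of the body and the timestamp.
def canonical_string(method, path, body, ts)
  [method.to_s.upcase, path, OpenSSL::Digest::SHA256.hexdigest(body.to_s), ts.to_s].join("\n")
end

# CLI side: sign one request with the chosen secret. Header format is assumed.
def sign_request(secret, method, path, body = '', now: Time.now)
  ts = now.to_i
  mac = OpenSSL::HMAC.hexdigest('SHA256', secret.value, canonical_string(method, path, body, ts))
  { 'Authorization' => "Signo user=#{secret.user} id=#{secret.id} ts=#{ts} sig=#{mac}" }
end

# Constant-time comparison so a wrong signature does not leak via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server side: fetch the same secret from Signo, recompute and compare the
# signature, then apply expiration, replay window and scope.
# Returns [:accept, user] or [:reject, reason].
def verify_request(signo, headers, method, path, body = '', action:, now: Time.now)
  hdr = headers['Authorization'].to_s
  return [:reject, 'no Signo header'] unless hdr.start_with?('Signo ')
  f = hdr.delete_prefix('Signo ').split.map { |kv| kv.split('=', 2) }
         .select { |kv| kv.size == 2 }.to_h
  secret = signo.lookup(f['user'], f['id'])
  return [:reject, 'unknown secret'] unless secret
  return [:reject, 'secret disabled'] if secret.disabled
  return [:reject, 'secret expired'] if now > secret.expires_at
  ts = f['ts'].to_i
  return [:reject, 'timestamp outside window'] if (now.to_i - ts).abs > MAX_SKEW
  expected = OpenSSL::HMAC.hexdigest('SHA256', secret.value, canonical_string(method, path, body, ts))
  return [:reject, 'bad signature'] unless secure_equal?(expected, f['sig'].to_s)
  return [:reject, 'action outside scope'] unless secret.scope.include?(:all) || secret.scope.include?(action)
  [:accept, secret.user]
end

# Worked run with a fixed clock and constructed sample data: a long-lived,
# sync-only secret for a cron job, then the failure modes the thread raises.
def demo(now: Time.utc(2013, 6, 20, 12, 0, 0))
  signo = FakeSigno.new
  cron  = signo.issue('mbacovsky', ttl: 30 * 24 * 3600, scope: [:sync], now: now)
  hdrs  = sign_request(cron, :post, '/api/sync', 'repo=rhel6', now: now)
  check = ->(body: 'repo=rhel6', action: :sync, at: now) {
    verify_request(signo, hdrs, :post, '/api/sync', body, action: action, now: at)
  }
  r = {
    ok:           check.call,
    tampered:     check.call(body: 'repo=rhel7'),       # body changed after signing
    replayed:     check.call(at: now + 3600),           # old signature replayed later
    wrong_action: check.call(action: :delete),          # valid signature, outside scope
    expired:      check.call(at: now + 31 * 24 * 3600), # past the 30-day expiration
  }
  signo.disable('mbacovsky', cron.id)                   # the user disables the secret
  r[:disabled] = check.call
  r
end

demo.each { |k, v| puts "#{k}: #{v.inspect}" } if __FILE__ == $PROGRAM_NAME
```

<div><br>
The order of the checks matters: an expired or disabled secret is rejected
before any signature work, the replay window is applied before the HMAC is
recomputed, and scope is only consulted once the signature has proven the
holder actually has the secret. Running the file prints one line per case;
only the untouched request with the in-scope action is accepted. The open
question from the thread about protecting stored secrets on the client is
not covered here.<br>
</div>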
</body>
</html>