[almighty] Almighty Build Service and Private repositories

Michael Kleinhenz kleinhenz at redhat.com
Thu Oct 27 09:56:38 UTC 2016


I think using ssh keys is different from a compliance perspective. We
are creating a key pair on our system, telling the user to allow the
key GitHub access by putting the pubkey into GitHub. Then we are
giving the seckey to the 3rd party build provider. That's like someone
creating door keys *by himself* and giving them to a 3rd party. The
other way around would be different: I think it would be critical if
GitHub had created the key and we distributed it to 3rd parties. While
technically the same, it is fundamentally different in policy terms.

So I think this would work as long as we clearly notify the user that
we're giving the seckey to the connected build providers.

-- Michael

On Wed, Oct 26, 2016 at 5:40 PM, Max Rydahl Andersen
<manderse at redhat.com> wrote:
> Hi Tomas,
>
> Just some questions about terminology.
>
>> My recommendation is that we will start with supporting ssh keys first
>> as well and have the interface open to add other types of
>> authentication methods.
>>
>> GitHub generally offers these methods[3]:
>> 1. HTTPS cloning with OAuth tokens
>>    - probably too broad because you can access all repositories the user
>>      has access to
>>    - doesn't need the ssh protocol (some repositories can only be
>>      accessible through https, but that's rare)
>>
>> 2. Deploy keys
>>    - allow you to have a special ssh key just for one repository (or more
>>      if you want)
>>    - only for repository source code
>>
>> 3. Machine users
>>    - regular account, using an ssh key
>>    - you have to create them manually
>
>
> Which of the three above is what GitHub calls access tokens?
> (https://github.com/blog/1509-personal-api-tokens and
> https://help.github.com/articles/creating-an-access-token-for-command-line-use/)
>
> Is that what you call OAuth tokens?
>
> And around Deploy keys - I couldn't find a way to limit access to specific
> repositories.
> Got a link/screenshot where that happens?
>
> /max
> http://about.me/maxandersen
-- 
Michael Kleinhenz
Principal Software Engineer

Red Hat Deutschland GmbH
Werner-von-Siemens-Ring 14
85630 Grasbrunn
Germany

RED HAT | TRIED. TESTED. TRUSTED.
Red Hat GmbH, www.de.redhat.com,
Registered seat: Grasbrunn, Commercial register: Amtsgericht München,
HRB 153243,
Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham,
Michael O'Neill
