[almighty] Almighty Build Service and Private repositories

Michael Kleinhenz kleinhenz at redhat.com
Thu Oct 27 10:24:37 UTC 2016


FYI: Added the results to the build document and the sequence diagram
in question.

On Thu, Oct 27, 2016 at 11:56 AM, Michael Kleinhenz
<kleinhenz at redhat.com> wrote:
> I think using ssh keys is different from a compliance perspective. We
> are creating a key pair on our system, telling the user to allow the
> key GitHub access by putting the pubkey into GitHub. Then we are
> giving the seckey to the 3rd party build provider. That's like someone
> creating door keys *by himself* and giving them to a 3rd party. The
> other way around would be different: I think it is critical when
> GitHub would have created the key and we distribute them to 3rd
> parties. While technically the same, it is fundamentally different in
> policy terms.
>
> So I think this would work as long as we clearly notify the user that
> we're giving the seckey to the connected build providers.
>
> -- Michael
>
> On Wed, Oct 26, 2016 at 5:40 PM, Max Rydahl Andersen
> <manderse at redhat.com> wrote:
>> Hi Tomas,
>>
>> Just some questions about terminology.
>>
>>> My recommendation is that we will start with supporting ssh keys first
>>> as well and have the interface open to add other types of
>>> authentication methods.
>>>
>>> Github generally offers these methods[3]:
>>> 1. HTTPS cloning with OAuth tokens
>>>    - probably too broad because you can access all repositories the user
>>> has access to
>>>    - doesn't need the ssh protocol (some repositories can only be
>>> accessible through https, but that's rare)
>>>
>>> 2. Deploy keys
>>>    - Allow you to have a special ssh key just for one repository (or more
>>> if you want)
>>>    - only for repository source code
>>>
>>> 3. Machine users
>>>    - Regular account, using ssh key
>>>    - You have to create them manually
>>
>>
>> Which of the three above is what GitHub calls access tokens?
>> (https://github.com/blog/1509-personal-api-tokens and
>> https://help.github.com/articles/creating-an-access-token-for-command-line-use/)
>>
>> Is that what you call OAuth tokens?
>>
>> And around Deploy keys - I couldn't find a way to limit access to specific
>> repositories.
>> Got a link/screenshot where that happens ?
>>
>> /max
>> http://about.me/maxandersen



-- 
Michael Kleinhenz
Principal Software Engineer

Red Hat Deutschland GmbH
Werner-von-Siemens-Ring 14
85630 Grasbrunn
Germany

RED HAT | TRIED. TESTED. TRUSTED.
Red Hat GmbH, www.de.redhat.com,
Registered seat: Grasbrunn, Commercial register: Amtsgericht München,
HRB 153243,
Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham,
Michael O'Neill
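The deploy-key option discussed in the thread has a practical wrinkle that a build service handing out one key per private repository runs into: the ssh client offers every key it knows to github.com, and GitHub binds the connection to the first key it accepts, so a second repository's deploy key is never tried. The usual fix is a per-repository host alias with IdentitiesOnly and a rewritten remote URL. The following script is an added example written for this page, not code from the Almighty project or from the thread; the key directory, file naming and the sample repository names are constructed assumptions.

```python
"""Per-repository GitHub deploy keys: ssh_config stanzas and remote rewriting.

Added illustration, not part of the original mailing-list thread. Assumes the
build service keeps one ed25519 key per repository under KEY_DIR (assumed path)
and names it <owner>-<repo>_ed25519.
"""
import re
from pathlib import Path

# Matches both scp-style and ssh:// GitHub remotes, with or without ".git".
GITHUB_SSH_RE = re.compile(
    r"^(?:git@github\.com:|ssh://git@github\.com/)"
    r"(?P<owner>[\w.-]+)/(?P<repo>[\w.-]+?)(?:\.git)?$"
)


def parse_github_remote(url: str) -> tuple[str, str]:
    """Return (owner, repo) for a GitHub SSH remote; reject anything else."""
    m = GITHUB_SSH_RE.match(url)
    if not m:
        raise ValueError(f"not a GitHub SSH remote: {url!r}")
    return m.group("owner"), m.group("repo")


def host_alias(owner: str, repo: str) -> str:
    """One ssh Host alias per repository so each remote selects its own key."""
    return f"github.com-{owner}-{repo}"


def key_path(owner: str, repo: str, key_dir: str) -> str:
    return str(Path(key_dir) / f"{owner}-{repo}_ed25519")


def keygen_argv(owner: str, repo: str, key_dir: str) -> list[str]:
    """ssh-keygen command the build service would run to mint a deploy key.

    Returned as argv (not executed here). The comment field records which
    repository the key is scoped to, which helps when auditing what was handed
    to a build provider.
    """
    return [
        "ssh-keygen", "-t", "ed25519", "-N", "",
        "-C", f"deploy-key:{owner}/{repo}",
        "-f", key_path(owner, repo, key_dir),
    ]


def ssh_config_stanza(owner: str, repo: str, key_dir: str) -> str:
    """ssh_config block that pins exactly one key to one repository alias."""
    return "\n".join([
        f"Host {host_alias(owner, repo)}",
        "    HostName github.com",
        "    User git",
        f"    IdentityFile {key_path(owner, repo, key_dir)}",
        # Without IdentitiesOnly the client also offers agent keys; GitHub then
        # authenticates with the first accepted key and the wrong repo is chosen.
        "    IdentitiesOnly yes",
        "",
    ])


def rewrite_remote(url: str) -> str:
    """Rewrite git@github.com:owner/repo.git to use the per-repo host alias."""
    owner, repo = parse_github_remote(url)
    return f"git@{host_alias(owner, repo)}:{owner}/{repo}.git"


def build_config(urls: list[str], key_dir: str) -> str:
    """Concatenate stanzas for every private repository the service builds."""
    return "".join(ssh_config_stanza(*parse_github_remote(u), key_dir) for u in urls)


if __name__ == "__main__":
    # Constructed sample input: two private repositories and an assumed key dir.
    KEY_DIR = "/var/lib/build-service/deploy-keys"
    remotes = ["git@github.com:almighty/core.git",
               "ssh://git@github.com/almighty/ui.git"]
    print(build_config(remotes, KEY_DIR))
    for r in remotes:
        print(" ".join(keygen_argv(*parse_github_remote(r), KEY_DIR)))
        print("clone via:", rewrite_remote(r))
```

The generated ssh_config goes on the build host, and the build job clones through the rewritten remote; a quick sanity check after setup is `ssh -T git@github.com-owner-repo`, which GitHub answers with the repository the key is scoped to, confirming that the key cannot reach anything else.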