[almighty] Almighty Build Service and Private repositories

Max Rydahl Andersen manderse at redhat.com
Thu Oct 27 10:29:53 UTC 2016


On 27 Oct 2016, at 12:24, Michael Kleinhenz wrote:

> FYI: Added the results to the build document and the sequence diagram
> in question.

Got a link?
/max

>
> On Thu, Oct 27, 2016 at 11:56 AM, Michael Kleinhenz
> <kleinhenz at redhat.com> wrote:
>> I think using ssh keys is different from a compliance perspective. We
>> are creating a key pair on our system, telling the user to allow the
>> key GitHub access by putting the pubkey into GitHub. Then we are
>> giving the seckey to the 3rd party build provider. That's like someone
>> creating door keys *by himself* and giving them to a 3rd party. The
>> other way around would be different: I think it would be critical if
>> GitHub had created the key and we distributed it to 3rd parties.
>> While technically the same, it is fundamentally different in
>> policy terms.
>>
>> So I think this would work as long as we clearly notify the user that
>> we're giving the seckey to the connected build providers.
>>
>> -- Michael
>>
>> On Wed, Oct 26, 2016 at 5:40 PM, Max Rydahl Andersen
>> <manderse at redhat.com> wrote:
>>> Hi Tomas,
>>>
>>> Just some questions about terminology.
>>>
>>>> My recommendation is that we will start with supporting ssh keys
>>>> first as well and have the interface open to add other types of
>>>> authentication methods.
>>>>
>>>> Github generally offers these methods[3]:
>>>> 1. HTTPS cloning with OAuth tokens
>>>>    - probably too broad because you can access all repositories the
>>>>      user has access to
>>>>    - doesn't need ssh protocol (some repositories can be only
>>>>      accessible through https, but that's rare)
>>>>
>>>> 2. Deploy keys
>>>>    - Allow you to have a special ssh key just for one repository (or
>>>>      more if you want)
>>>>    - only for repository source code
>>>>
>>>> 3. Machine users
>>>>    - Regular account, using ssh key
>>>>    - You have to create them manually
>>>
>>>
>>> Which of the three above is what Github calls access tokens?
>>> (https://github.com/blog/1509-personal-api-tokens and
>>> https://help.github.com/articles/creating-an-access-token-for-command-line-use/)
>>>
>>> Is that what you call OAuth tokens?
>>>
>>> And around Deploy keys - I couldn't find a way to limit access to
>>> specific repositories.
>>> Got a link/screenshot where that happens?
>>>
>>> /max
>>> http://about.me/maxandersen
>>
>>
>>
>> --
>> Michael Kleinhenz
>> Principal Software Engineer
>>
>> Red Hat Deutschland GmbH
>> Werner-von-Siemens-Ring 14
>> 85630 Grasbrunn
>> Germany
>>
>> RED HAT | TRIED. TESTED. TRUSTED.
>> Red Hat GmbH, www.de.redhat.com,
>> Registered seat: Grasbrunn, Commercial register: Amtsgericht München,
>> HRB 153243,
>> Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham,
>> Michael O'Neill
>


/max
http://about.me/maxandersen
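The deploy-key option Tomas lists above (one ssh key per repository) and Max's question about how that scoping actually works can be shown on the build-provider side. GitHub attaches a deploy key to exactly one repository and refuses to add the same public key to a second one, so the server side is scoped already; what a build host still has to get right is making git present the right private key for each checkout instead of offering every key it holds. The script below is an added example written for this page, not code from the Almighty build service or from anyone in the thread. It assumes, as constructed details, that keys live under $KEYDIR, that the ssh client config is $SSHCONFIG, that repositories are named "owner/repo", and the sample name almighty/core is made up.

```shell
#!/bin/sh
# Added example (not from the thread or the Almighty project): bind one
# GitHub deploy key to one repository on the build host.
#
# GitHub will not accept the same public key as a deploy key on a second
# repository, so the key is repo-scoped server-side. Client-side, a
# per-repository Host alias with IdentitiesOnly=yes stops ssh from trying
# every key it has (agent keys, other repos' deploy keys) until one works.
#
# Assumed (constructed) locations, not from the thread:
KEYDIR="${KEYDIR:-$HOME/.ssh/deploy-keys}"
SSHCONFIG="${SSHCONFIG:-$HOME/.ssh/config}"

# Host alias used in the ssh config and in the remote URL,
# e.g. owner/repo -> github.com-owner-repo
deploy_key_alias() {
    printf 'github.com-%s\n' "$(printf '%s' "$1" | tr '/' '-')"
}

# Private key path for a repository, e.g. $KEYDIR/owner-repo
deploy_key_path() {
    printf '%s/%s\n' "$KEYDIR" "$(printf '%s' "$1" | tr '/' '-')"
}

# Remote URL that routes this repository through its own alias,
# and therefore through its own key.
deploy_key_remote_url() {
    printf 'git@%s:%s.git\n' "$(deploy_key_alias "$1")" "$1"
}

# ssh_config stanza for one repository. IdentitiesOnly is the important
# line: without it, a checkout of repo A can silently succeed using repo
# B's deploy key or a developer's personal key loaded in the agent.
deploy_key_ssh_config() {
    cat <<EOF
Host $(deploy_key_alias "$1")
    HostName github.com
    User git
    IdentityFile $(deploy_key_path "$1")
    IdentitiesOnly yes
EOF
}

# Generate the key pair (if missing), append the stanza, and print the
# public key to paste into the repository's Settings -> Deploy keys page.
# Leave "Allow write access" unticked for a build that only clones.
deploy_key_setup() {
    repo="$1"
    key="$(deploy_key_path "$repo")"
    mkdir -p "$KEYDIR" "$(dirname "$SSHCONFIG")"
    [ -f "$key" ] || ssh-keygen -q -t ed25519 -N '' -C "deploy:$repo" -f "$key"
    deploy_key_ssh_config "$repo" >> "$SSHCONFIG"
    echo "remote: $(deploy_key_remote_url "$repo")"
    echo "pubkey: $(cat "$key.pub")"
}

# Usage (almighty/core is a made-up repository name):
#   deploy_key_setup almighty/core
#   git clone "$(deploy_key_remote_url almighty/core)"
```

Because the private key never leaves the build host and is tied to a single repository, revoking it on GitHub's Deploy keys page cuts exactly one repository's access, which is the property the OAuth-token option in Tomas's list lacks.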
