You may have seen the emails from Aoife about the work the Community Platform Engineering (CPE) team is doing around authentication tooling, and what that might mean for CentOS. Here’s a brief explainer for what’s happening.
The authentication software we use for SIGs (FAS or Fedora Account System) and a few other bits around the project will be EOL fairly soon. This is a 10+ year old, difficult to maintain software project with bugs that can’t be effectively addressed with its old code. The CPE team is writing a replacement for FAS that uses more of the standard distribution components, largely built around FreeIPA. This new tooling is intended to be an upgrade for use by anyone, but particularly Fedora and CentOS to replace both uses of FAS currently. There are a number of feature improvements and standardizations included in the new software, but in the end users shouldn’t notice any real impact in operation.
As we engaged with stakeholders including SIG chairs, the CentOS QA team, and other prominent community members, one issue became quickly apparent. We have many SIG contributors who push their work into both CentOS and Fedora, as well as Fedora’s EPEL repository. Having to work with separate auth systems makes it more difficult with automation, testing, and other parts of the contributor workflow. Because of this chance to improve the lives of our current and incoming contributors, our intention with the new authentication rewrite is for the CentOS and Fedora projects to share a single, unified authentication system. This would allow members of our communities who contribute in multiple places to do so via a single account, while having negligible impact on users who don’t. Group management, permissions, etc. will still be the purview of each project to manage as they see fit.
Fixing this gap between the auth systems the CPE team uses also solves some problems for the team itself. Sharing this system also encourages more cross-team work, which benefits both projects and communities (more hands). These communities are already sharing some resources, such as Fedora making use of the CentOS CI system. This work paves the way for easier resource sharing and management, which will cut down on the amount of duplicative work done across both infrastructures.
Over the next few months as the CPE team works toward its October implementation goal, you’ll see additional communication and messaging about the project. That doesn’t mean you need to wait to get involved though. If you’re interested in how we’re designing the auth, or want to participate in the development, please have a look at the git repository and see where you can help!