Please let us know if you are using OpenID authentication with LAVA. Newer versions of django will make it impossible to support django-openid-auth in Debian unstable and testing. The version of django-openid-auth in Jessie can continue to be used, so we would like to know how many users want to continue with this support.
OpenID as a protocol has been dying for some time and Linaro has moved over to LDAP, which is fine if LDAP is already available.
The time pressure for this change is coming from the schedule to get the latest django and the latest lava packages into Ubuntu Xenial 16.04LTS which means that support needs to be implemented in the 2015.12 or 2016.1 LAVA releases. This is why this is quickly following the trusty change. We have been aware of the issues with django-openid-auth for some time, it was only when we had completed the move of the Cambridge lab to LDAP that changes involving django-openid-auth could be considered.
If you are using OpenID authentication (e.g. using Launchpad or Google OpenID), please let us know.
If you would like to see some other forms of authentication supported, also let us know. We can investigate Python Social Auth (http://psa.matiasaguirre.net/), if there is interest.
If we don't hear from users who want django-openid-auth support for use on Debian Jessie, we will drop django-openid-auth support from all lava builds. This will leave LDAP and local Django accounts in 2015.12.
If anyone has experience of other django authentication modules, also let us know.
+++ Neil Williams [2015-12-01 16:52 +0000]:
Please let us know if you are using OpenID authentication with LAVA.
I use OpenID whenever I get the chance as one of the few ID protocols where I get some control, and don't just have to handover auth to one of the dubious web mega-corps, so I am in favour of it being an option. I've not used lava much recently (so am rather vague on the details without checking), but I might have to use it again soon.
I think I was logging in via launchpad, which I think means I was/am indeed using openID for the webUI? I also recall something about feeding a key into gnome-keyring for command-line access - is that all old hat now?
Wookey
On Tue, 1 Dec 2015 17:35:10 +0000 Wookey wookey@wookware.org wrote:
+++ Neil Williams [2015-12-01 16:52 +0000]:
Please let us know if you are using OpenID authentication with LAVA.
I use OpenID whenever I get the chance as one of the few ID protocols where I get some control, and don't just have to handover auth to one of the dubious web mega-corps, so I am in favour of it being an option.
If you fancy helping with https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806352 .... :-)
Sadly, there isn't a sane way of combining different authentication methods on a single instance as it massively complicates the admin burden of ensuring that the correct users have the correct group permissions. So when production switched from OpenID and Launchpad to LDAP run by Linaro internally, it was a switch - not an addition. It moved the authentication entirely within Linaro instead of going out to Launchpad.
I've not used lava much recently (so am rather vague on the details without checking), but I might have to use it again soon.
As far as any instance maintained by the Linaro Lab team is concerned, all logins are now using LDAP internally within Linaro and OpenId has been disabled already. The two authentication mechanisms are mutually incompatible as there is no assurance of matching one user to the one account when logging in using the other. This made the admin burden of ensuring that the correct users have the correct access to relevant devices infeasibly complex.
I think I was logging in via launchpad, which I think means I was/am indeed using openID for the webUI?
If you're thinking of validation.linaro.org, you probably did log in using Launchpad as the admin records show that you haven't logged in for some time - quite likely before production did the switch to LDAP. However, your next login will need to use LDAP.
I also recall something about feeding a key into gnome-keyring for command-line access - is that all old hat now?
No, that is the lava-tool interface (which can be replaced by simple xmlrpc scripts if you want to avoid python-keyring).
-
Neil Williams -
Neil Williams -
Wookey