Figuring out auth


(Tanner Filip) #1

Hey all,

We need to figure out some sort of auth system that doesn’t suck. Basically, the requirements that I can think of are:

  • Hooks into Jira (ideally only for admin users)
    • We’re currently in an awkward place with Jira auth, aiui.
  • Hooks into Jenkins
  • Able to use http auth with nginx
    • Plan to use this for Consul, etc.

And a few not requirements, but things I would like:

  • VictorOps SSO (not rolled out yet, but should be in January) (Want)
  • Cross-server authentication (Really want)
  • IAM integration (Not sure if it’s possible, but if it is, really want)

Thoughts? I’m currently thinking something LDAP-compliant is probably the best plan, but open to suggestions.


(Tom Farrow) #2

The AWS Active Directory thing I sent you seems like a good option.
Community Ops isn’t really in a good place to be reinventing the wheel, or even putting together a wheel, when it comes to auth. If we can just use AWS’s thing, with an LDAP gateway of some sort, that may be ideal.
Otherwise, I’d go for some other directory like Crowd.
You know, as for Jira, why don’t we set up a directory (like AWS AD) and let anybody create an account with that directory by default? JIRA could act as our user management for all of our infrastructure.


(Tanner Filip) #3

I think DS is the best option, unless we wanted to do something like JumpCloud. I’m not sure about the idea of letting everyone sign up, because frankly, they don’t need to have an account to access all this stuff. I’d prefer to have us manually create the accounts, at least now.


(Tanner Filip) #4

You know, JumpCloud just might be cheaper right now. I don’t know if that’ll be the case in the future, but for 1-10 users they’re free, past that it’s $10/mo ($7/mo if paid annually). DS is $38/mo for a small, which does up to 50 users.


(Tom Farrow) #5

So at 14 users we’d be paying more.
We definitely have a use case for more than 14 users.


(Tanner Filip) #6

You’re right. 11 users doesn’t give us much room to expand. I’ve been playing around a bit with DS but not enough to have formed any opinions on it. Will do more playing tomorrow probably.


#7

Are they equal besides cost? Cost shouldn’t be the primary factor for discussion, not until functionality has been thoroughly considered.


(Tanner Filip) #8

JumpCloud would probably be a lot easier to set up.


(David Weir) #9

What about Dropbox or Box.com, as I am guessing JumpCloud is for PC backup?

I use Dropbox and OneDrive myself.


(Tanner Filip) #10

No, it’s directory services. They accomplish totally different things.


(David Weir) #11

Can we not just use qauth 2 or try Active Directory or OpenLDAP?


(Tanner Filip) #12

I’m not sure what Qauth is, and OpenLDAP isn’t my first choice, because I don’t know a lot about LDAP, but that’s what I’m currently trying.



(Tanner Filip) #13

At this point I’m thinking Crowd may be our best bet.