<Entei[m]>
davidlt: the authorisation system doesn't seem to take into account anything but the SSL certificate. I added a user named riscv through koji cli, and then created a user account named riscv on the PC.
<Entei[m]>
Created the certificate for the riscv user, and I can ping the server. Even nicely says I don't have permissions to create tag.
<Entei[m]>
But for experimental purposes, I just copied the kojiadmin certificate into riscv user account as client.crt. Now my riscv user has admin privileges even without granting it any permission whatsoever.
<davidlt[m]>
As I said before certificate is all you need to access the Koji system.
<davidlt[m]>
What user is mapped to that certificate is based on Common Name entry in it.
<davidlt[m]>
The account name on the "PC" has no relevance here.
<davidlt[m]>
It's what's listed in CN=<name> that matters.
<Entei[m]>
<davidlt[m]> "What user is mapped to that..." <- Oh so the mapping is just for authorisation, not authentication. I can authorise as long as the name in database and the certificate are same, but what role I have in infra depends on what certificate I received.
<davidlt[m]>
No
<davidlt[m]>
Permissions are stored in the database for that user.
<davidlt[m]>
The certificate is just basically: hey, I am user XYZ to Koji.
<davidlt[m]>
As long as Koji can validate the certificate it will say: yes, you are CN=XYZ user.
<Entei[m]>
Oh right. I am dumb. You just said the username on computer doesn't matter. I am making the same mistake.
<Entei[m]>
So the only way to isolate roles would be to tell users don't share your SSL certificate with others.
<davidlt[m]>
Yes, which is common sense in general :)
<davidlt[m]>
I mean, I hope folks don't share their password around, or YubiKeys or something :)
<davidlt[m]>
Or even key cards to enter buildings.
<davidlt[m]>
If you want multi-factor auth, place a password on the certificate when creating it.
<davidlt[m]>
In that case certificate alone is not enough.
<Entei[m]>
davidlt[m]: Yep, was thinking the same. I created certificates with `--nodes`
<davidlt[m]>
Or just don't use TLS certificates and set up Kerberos infra (which tends to be annoying).
somlo has joined #fedora-riscv
davidlt has joined #fedora-riscv
<davidlt[m]>
FYI if you have Fedora/RISCV Koji account don't use rawhide or/and f39 targets yet. Branching is still WIP.
davidlt has quit [Quit: Leaving]
dtometzki__ has joined #fedora-riscv
<dtometzki__>
hello together, anyone know a way to deliver the new licheepi to Germany?
<Entei[m]>
davidlt: Hey, I am doing a trial. Created another account, generated certificates for it and gave it admin permission through koji cli.
<Entei[m]>
I have selinux disabled btw.
<Entei[m]>
The account is able to ping server and create tags, but when I add a package to a tag, with `koji add-pkg`, it seemingly gets stuck.
<davidlt[m]>
It? Stuck? Define both.
<leah2>
dtometzki__: ordering on aliexpress should work, no?
lorbus has joined #fedora-riscv
AutiBoyRobotics[ has joined #fedora-riscv
somlo[m] has joined #fedora-riscv
sxa[m] has joined #fedora-riscv
hiredman[m] has joined #fedora-riscv
brianmcarey[m] has joined #fedora-riscv
mhroncok has joined #fedora-riscv
ol has joined #fedora-riscv
Eighth_Doctor has joined #fedora-riscv
thefossguy has joined #fedora-riscv
mochaaP[m] has joined #fedora-riscv
gotmax23 has joined #fedora-riscv
zbyszek[m] has joined #fedora-riscv
cwt[m] has joined #fedora-riscv
alexsaezm has joined #fedora-riscv
davide has joined #fedora-riscv
JeffGustafson[m] has joined #fedora-riscv
<davidlt[m]>
kernel v6.4.7 was tagged.
<davidlt[m]>
I don't think there is anything riscv specific in it.
<davidlt[m]>
GCC 13.2 also got released.
jednorozec has quit [Ping timeout: 260 seconds]
masami has joined #fedora-riscv
masami has quit [Quit: Leaving]
<Entei[m]>
<davidlt[m]> "It? Stuck? Define both." <- My shell is hung up
<davidlt[m]>
Check the logs?
jednorozec has joined #fedora-riscv
zsun has joined #fedora-riscv
sajcho has joined #fedora-riscv
<sajcho>
davidlt[m]: Please review the build result of gcc-13.2.0 https://dpaste.com/8GM5AGDWQ. I'm sorry it's not riscv64 but I'm talking about basic configuration.
sajcho has quit [Ping timeout: 246 seconds]
zsun has quit [Quit: Leaving.]
mochaaP[m] has quit [Quit: You have been kicked for being idle]