infra/tickets
23
7
Fork 0
Code Issues 75 Projects Wiki Activity Actions

mini-initiative proposal: skeleton for bridge from fasjson groups to discourse #10952

New issue
Closed
opened 2022-10-21 20:07:05 +00:00 by mattdm · 12 comments
mattdm commented 2022-10-21 20:07:05 +00:00
Copy link

Background

This is a follow-up to https://pagure.io/fedora-infrastructure/issue/9580, inspired by my discovery of the Communishift Authorization Operator, which is very similar to (at least part of) what I want.

As Kevin notes at the end of that ticket, upstream doesn't seem to be going in a helpful-for-our-use-case direction with this, so a little system to keep things in sync seems best to me.

Summary

I want to one-way sync FAS group membership information to Discourse (specifically, https://discussion.fedoraproject.org/). If a user is added to or removed from a group in FAS, and that user has a Discourse account and there is a Discourse group of the same name, the Discourse user should be added to (or removed from) the corresponding Discourse group.

As a bonus, this can solve another problem: if an account is locked, disabled, or deleted from FAS, the Discourse account should also be locked.

Not even pseudocode

Here's what I envision:

  1. A webhook Fedora Message Bus topic about group membership change is received (see below), giving us the username to check
  2. fasjson: validate that the account is active and in good standing
  3. fasjson: get list of groups for the user
  4. discourse api: disable the account if it should be disabled
  5. discourse api: get list of all groups
  6. take intersection of the fas and discourse groups (groups will be manually created on Discussion, so only groups that exist will be synced)
  7. discourse api: get list of groups user belongs to
  8. discourse api: remove the user from groups that are in 7 (discourse) but not 6 (fas)
  9. discourse api: add the user to any group that is in 6 (fas) but not 7 (discourse)

But wait! Before you think "that's too many steps for a mini-initiative!" —

I can do the Discourse part!

I am familiar with the Discourse API. But I'm not with fasjson. It doesn't look complicated, but then I realized there's a whole bunch of yak-shaving to do around getting a keytab and setting it up so that's available and authenticated and running in infrastructure. And it looks like you have already shaved that yak! — that is, all of these things are very close to what Communishift Authorization Operator already does.

So,

What would really help me:

  1. Steps 1-3 running somewhere -- maybe as a toddler. That should pass either "this account should be disabled" or the resulting grouplist to....
  2. A stub that does nothing. (This will be quicker for me with python, but I can do this in whatever language you prefer.)
  3. A place to put a secret available to that stub (an API key — I can either provide the key, or you can provide a way for me to add it securely)
  4. Something where when I push to a git repo on a deploy branch (or whatever), that commit gets deployed, replacing the stub (or my previous version).
  5. And access to logs would be a nice bonus

Because most of this is what Communishift Authorization Operator already does, I really hope that this will not be a lot of effort.

Triggering

I had originally imagined this would trigger on webhooks from discourse. We could still do that, but I think it makes more sense to listen to Fedora Message Bus messages for group changes (https://fedmsg2.readthedocs.io/en/latest/topics.html#fas).

However, there is something I don't understand -- there is fas.group.member.remove, but no fas.group.member.add. (There are .sponsor and .approve, though.) Hopefully you know what's going on here.

We'd also want to trigger on the account being deactivated or disabled — fas.user.update, I guess.

These could trigger different paths in my part of the code (remove, add, disable) but that has more risk of getting out of sync. I think it's better to just send user and grouplist and be done.

In case a message gets lost or out of sync, there probably should also be some occasional out-of-band double-check.

The connection to the discourse part

This could all live in the same codebase (maybe all running as one toddler), or the first part (the fas listener) could make a remote call of some sort -- a JSON http POST with the username and a list of groups. (And some auth token!). Maybe something running in OpenShift? I can work with whatever you think makes sense.

The actual code should be pretty simple, and I'll make sure to comment it well so that anyone else can, in the future, fix any issues or make updates.

Okay, but, why?

We're finally getting Enterprise hosting, which will let us combine the Ask and Discussion instances. Having group information will allow us to link permissions for posting in certain areas to group membership, allow teams to polls of just their team, allow teams to get notifications, and so much more. We could also make it so Fedora contributors in certain groups get automatically put to "not a newbie" level (which avoids some frustrations with limits on image uploads, etc.). This will be important as more teams move from mailing lists.

Note: I've edited this a bit since first filed!

Background ------------------ This is a follow-up to https://pagure.io/fedora-infrastructure/issue/9580, inspired by my discovery of the [Communishift Authorization Operator](https://pagure.io/cpe/communishift), which is very similar to (at least part of) what I want. As Kevin notes at the end of that ticket, upstream doesn't seem to be going in a helpful-for-our-use-case direction with this, so a little system to keep things in sync seems best to me. Summary -------------- I want to one-way sync FAS group membership information to Discourse (specifically, https://discussion.fedoraproject.org/). If a user is added to or removed from a group in FAS, and that user has a Discourse account and there is a Discourse group of the same name, the Discourse user should be added to (or removed from) the corresponding Discourse group. As a bonus, this can solve another problem: if an account is locked, disabled, or deleted from FAS, the Discourse account should also be locked. Not even pseudocode ----------- Here's what I envision: 1. A ~~webhook~~ Fedora Message Bus topic about group membership change is received (see below), giving us the username to check 2. fasjson: validate that the account is active and in good standing 3. fasjson: get list of groups for the user 4. discourse api: disable the account if it should be disabled 5. discourse api: get list of all groups 6. take intersection of the fas and discourse groups (groups will be manually created on Discussion, so only groups that exist will be synced) 7. discourse api: get list of groups user belongs to 8. discourse api: remove the user from groups that are in 7 (discourse) but not 6 (fas) 9. discourse api: add the user to any group that is in 6 (fas) but not 7 (discourse) But wait! Before you think "that's too many steps for a mini-initiative!" — I can do the Discourse part! -------- I am familiar with the [Discourse API](https://docs.discourse.org/). But I'm not with fasjson. It doesn't look complicated, but then I realized there's a whole bunch of yak-shaving to do around getting a keytab and setting it up so that's available and authenticated and running in infrastructure. And it looks like you have already shaved that yak! — that is, all of these things are very close to what Communishift Authorization Operator already does. So, What would really help me: ----------------- 1. Steps 1-3 running somewhere -- maybe as a [toddler](https://pagure.io/fedora-infra/toddlers). That should pass either "this account should be disabled" or the resulting grouplist to.... 2. A stub that does nothing. (This will be quicker for me with python, but I can do this in whatever language you prefer.) 3. A place to put a secret available to that stub (an API key — I can either provide the key, or you can provide a way for me to add it securely) 4. Something where when I push to a git repo on a deploy branch (or whatever), that commit gets deployed, replacing the stub (or my previous version). 5. And access to logs would be a nice bonus Because most of this is what Communishift Authorization Operator already does, I really hope that this will not be a lot of effort. Triggering -------- I had originally imagined this would trigger on webhooks from discourse. We could still do that, but I think it makes more sense to listen to Fedora Message Bus messages for group changes (https://fedmsg2.readthedocs.io/en/latest/topics.html#fas). However, there is something I don't understand -- there is `fas.group.member.remove`, but no `fas.group.member.add`. (There are `.sponsor` and `.approve`, though.) Hopefully you know what's going on here. We'd also want to trigger on the account being deactivated or disabled — `fas.user.update`, I guess. These could trigger different paths in my part of the code (remove, add, disable) but that has more risk of getting out of sync. I think it's better to just send user and grouplist and be done. In case a message gets lost or out of sync, there probably should also be some occasional out-of-band double-check. The connection to the discourse part ------------ This could all live in the same codebase (maybe all running as one toddler), or the first part (the fas listener) could make a remote call of some sort -- a JSON http POST with the username and a list of groups. (And some auth token!). Maybe something running in OpenShift? I can work with whatever you think makes sense. The actual code should be pretty simple, and I'll make sure to comment it well so that anyone else can, in the future, fix any issues or make updates. Okay, but, why? ------------- We're finally getting Enterprise hosting, which will let us combine the Ask and Discussion instances. Having group information will allow us to link permissions for posting in certain areas to group membership, allow teams to polls of just their team, allow teams to get notifications, and so much more. We could also make it so Fedora contributors in certain groups get automatically put to "not a newbie" level (which avoids some frustrations with limits on image uploads, etc.). This will be important as more teams move from mailing lists. ------ Note: I've edited this a bit since first filed!
zlopez commented 2022-10-24 08:50:40 +00:00
Owner
Copy link

Metadata Update from @zlopez:

  • Issue priority set to: Waiting on Assignee (was: Needs Review)
  • Issue tagged with: dev, high-gain, high-trouble, mini-initiative
**Metadata Update from @zlopez**: - Issue priority set to: Waiting on Assignee (was: Needs Review) - Issue tagged with: dev, high-gain, high-trouble, mini-initiative
mattdm commented 2022-11-22 15:19:29 +00:00
Author
Copy link

Hey, so, I've tried to make this as not-high-trouble-at-all as possible:

  1. basically a duplicate of something just implemented
  2. can fit into the existing "toddlers" framework rather than being some new service
  3. clearly spec'ing out whta i
  4. leave the part that is out of existing Fedora Account system / fasjson expertise to me"

Is there anything else I can do for y'all, or do differently, to possibly get this down to "medium-trouble" at least? What are the next steps?

Hey, so, I've tried to make this as not-high-trouble-at-all as possible: 1. basically a duplicate of something just implemented 2. can fit into the existing "toddlers" framework rather than being some new service 3. clearly spec'ing out whta i 4. leave the part that is out of existing Fedora Account system / fasjson expertise to me" Is there anything else I can do for y'all, or do differently, to possibly get this down to "medium-trouble" at least? What are the next steps?
dkirwan commented 2022-12-22 06:00:28 +00:00
Member
Copy link

This is looking very similar to what we did with the communishiftauthorization operator.

@mattdm would you be able to provide an API key on the Discourse side, that has enough CRUD permissions for users and groups that we can start testing against?

This is looking very similar to what we did with the communishiftauthorization operator. @mattdm would you be able to provide an API key on the Discourse side, that has enough CRUD permissions for users and groups that we can start testing against?
kevin commented 2023-02-20 21:11:16 +00:00
Owner
Copy link

Just confirming here that you are working on this now @dkirwan ? :)

Just confirming here that you are working on this now @dkirwan ? :)
zlopez commented 2023-02-28 13:30:36 +00:00
Owner
Copy link

This is being worked on by @dkirwan and @lenkaseg.

This is being worked on by @dkirwan and @lenkaseg.
zlopez commented 2023-02-28 13:30:51 +00:00
Owner
Copy link

Metadata Update from @zlopez:

  • Issue assigned to dkirwan
**Metadata Update from @zlopez**: - Issue assigned to dkirwan
dkirwan commented 2023-04-12 10:27:51 +00:00
Member
Copy link

Hi all, we are pretty close to being feature complete, we do need to test this operator running in staging with something resembling a production load.

We want to add the staging discourse to staging ipa/noggin/ipsilon and while we have the required information to update the openidc.staging.static in the ansible-private repo, it looks like we are missing a plugin on the Discourse side to handle oauth2. If possible, can @lenkaseg and I @dkirwan be added as administrators on the production Discourse instance? We'd like to examine the configuration on Discourse side, and figure out which plugins might be required to be installed on the staging side.

ping @mattdm

Hi all, we are pretty close to being feature complete, we do need to test this operator running in staging with something resembling a production load. We want to add the staging discourse to staging ipa/noggin/ipsilon and while we have the required information to update the `openidc.staging.static` in the ansible-private repo, it looks like we are missing a plugin on the Discourse side to handle oauth2. If possible, can @lenkaseg and I @dkirwan be added as administrators on the production Discourse instance? We'd like to examine the configuration on Discourse side, and figure out which plugins might be required to be installed on the staging side. ping @mattdm
dkirwan commented 2023-04-14 08:07:01 +00:00
Member
Copy link

Hi all,

We've installed the latest version of fas2discourse operator on our staging OpenShift and configured it to point at the staging Discourse instance:
https://fedoraproject.staged-by-discourse.com.

This instance is now hooked into staging IPA/Noggin and Ipsilon. So community members can login and create their user accounts on this staging Discourse.

Think we are ready to do some proper testing now. Start making the groups that we want, and invite users in these groups to login and see if they are correctly given access.

Sync time set is currently set to run every 20 minutes, this can be lowered to 5 minutes or maybe even 2 minutes but we run the risk of hitting Discourse rate limiting if we are making large updates and go any lower.

Hi all, We've installed the latest version of `fas2discourse operator` on our staging OpenShift and configured it to point at the staging Discourse instance: `https://fedoraproject.staged-by-discourse.com`. This instance is now hooked into staging IPA/Noggin and Ipsilon. So community members can login and create their user accounts on this staging Discourse. Think we are ready to do some proper testing now. Start making the groups that we want, and invite users in these groups to login and see if they are correctly given access. Sync time set is currently set to run every `20 minutes`, this can be lowered to 5 minutes or maybe even 2 minutes but we run the risk of hitting Discourse rate limiting if we are making large updates and go any lower.
dkirwan commented 2023-04-25 13:14:55 +00:00
Member
Copy link

https://pagure.io/infra-docs-fpo/pull-request/203# PR for the fas2discourse operator SOPs, reviewing in team before merging.

That was the final step btw, the operator appears to be working as expected in staging!

The groups in staging now match what is in production, and what is in IPA/Noggin/FAS

Hoping to deploy to production soon, with a version that is running with functionality for adding/removing users from groups disabled, but logging proposed changes will debug for a few days before enabling full functionality and calling this ticket complete.

https://pagure.io/infra-docs-fpo/pull-request/203# PR for the fas2discourse operator SOPs, reviewing in team before merging. That was the final step btw, the operator appears to be working as expected in staging! The groups in staging now match what is in production, and what is in IPA/Noggin/FAS Hoping to deploy to production soon, with a version that is running with functionality for adding/removing users from groups disabled, but logging proposed changes will debug for a few days before enabling full functionality and calling this ticket complete.
dkirwan commented 2023-05-02 10:48:15 +00:00
Member
Copy link

We've pushed this into production this morning. Just to be aware, FAS/IPA/Noggin is the single source of truth, so please make sure that we add users to groups there, rather than in the Discourse side.

We've pushed this into production this morning. Just to be aware, FAS/IPA/Noggin is the single source of truth, so please make sure that we add users to groups there, rather than in the Discourse side.
dkirwan commented 2023-05-03 15:16:57 +00:00
Member
Copy link

Closing as complete, to raise bugs against this service please open a ticket at: https://pagure.io/cpe/fas2discourse/issues

Closing as complete, to raise bugs against this service please open a ticket at: https://pagure.io/cpe/fas2discourse/issues
dkirwan commented 2023-05-03 15:16:58 +00:00
Member
Copy link

Metadata Update from @dkirwan:

  • Issue close_status updated to: Fixed
  • Issue status updated to: Closed (was: Open)
**Metadata Update from @dkirwan**: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
No results found.
Labels
Clear labels   
announcement

   
anubis

Issues related to anubis

  
authentication

Authentication related issues

  
aws

Issues related to Amazon Web Services

  
backlog

Tasks that will take longer then ~4 hours to do

  
blocked

Issue is blocked

  
bodhi

Issues with Bodhi

  
ci

Continuous Integration

  
cloud

Items in FedoraInfraCloud or COmmunishift

  
communishift

issues/questions about os.edorainfracloud.org ( Community OpenShift)

  
copr

COPR system (run by other team)

  
database

Issues related to databases

  
day-to-day

These are small self contained tasks that are part of normal operations, but are async from sprint planning.

  
dc-move

Items related to datacenter move

  
deprecated

Tools which Infrastructure may not be able to fix

  
dev

Tasks requiring some dev work

  
discourse

outsourced tool

  
dns

Changes or problems with DNS

  
downloads

rsync,dl.fp.o,AWS,torrents

  
easyfix

   
epel

Issues relating to epel

  
firmitas

   
forgejo_migration

Request migration to the new forge

  
Gain
High
task that gets us a lot / is important / makes many people happy

  
Gain
Low
tasks that gets us little / isn't very important / makes only 1 person or few happy

  
Gain
Medium
task that gets us some / is somewhat important / makes some people happy

  
gitlab

   
greenwave

Issues with greenwave

  
hardware

Problem is with Fedora Infrastructure Owned/Leased Hardware

  
help wanted

   
high-trouble

task that is complex/long/difficult

  
koji

Issues with the build system

  
koschei

Items needing Koschei team

  
lists

issues with lists

  
low-trouble

task that is easy/short

  
medium-trouble

task that is medium complex / difficult

  
mirrorlists

Way to tell systems where downloads are

  
monitoring

   
Needs investigation

   
odcs

On Demand Compose Service issues

  
OpenShift

Issues with OpenShift

  
ops

ops problem now...

  
outage

   
packager_workflow_blocker

Blocks the packager workflow

  
pagure

Issues with pagure.io

  
permissions

Items which need permissions set in outside tools

  
Priority
Needs Review
Priority of Needs Review

  
Priority
Next Meeting
Priority of Next Meeting

  
Priority
🔥 URGENT 🔥
Priority of 🔥 URGENT 🔥

  
Priority
Waiting on Assignee
Priority of Waiting on Assignee

  
Priority
Waiting on External
Priority of Waiting on External

  
Priority
Waiting on Reporter
Priority of Waiting on Reporter

  
rabbitmq

issues with the message broker

  
release-monitoring

release-monitoring.org (Anitya)

  
releng

For problems which should be in the releng ticket system

  
request-for-resources

   
s390x

The secondary architecture hardware and problems related with it

  
security

   
SMTP

Email issues outside of lists (DMARC, SPF, aliases)

  
sprint-0

   
sprint-1

   
src.fp.o

Issues related to src.fedoraproject.org

  
staging

Issues in staging

  
unfreeze

Patches to be applied after freeze is lifted

  
waiverdb

Issues with waiverdb

  
websites-general

General items with a website focus

  
wiki

Issues with the Wiki

  
Backlog Status
Needs Review
Work items that have been created or updated but need review, refinement, or approval before they can be considered ready for sprint planning.

  
Backlog Status
Ready
Work items that have been reviewed, refined, and are ready to be committed to a sprint. These items have clear requirements and can be worked on immediately when capacity is available.

  
chore

Work that needs to be done but doesn't add new functionality or fix bugs. Maintenance tasks that keep the system running smoothly and the codebase clean.

  
documentation

Work focused on creating, updating, or improving documentation for users, developers, or system administrators.

  
points
01
A task that is simple, small, and has very little uncertainty. It should be easy enough for any team member to pick up and complete quickly, without a lot of discussion or research.

  
points
02
This is a task that is slightly more complex or larger than a "1." It might involve two or three simple steps, but the outcome is still very clear and there's little uncertainty.

  
points
03
Medium-sized task with some noticeable complexity. It might require a bit more thought or collaboration. The steps are well-defined, but it's not a trivial change.

  
points
05
A significant piece of work. It has more complexity and a higher degree of uncertainty than smaller tasks. It might require some research, a design discussion, or collaboration across multiple teams.

  
points
08
Complex task with a lot of uncertainty. It's often the largest size that a team will consider for a single sprint. It likely requires a detailed breakdown and multiple team members to complete.

  
points
13
Any task that feels like it's a "13" or more is considered an Epic. These are too large and uncertain to be worked on in a single sprint and should be broken down.

  
Priority
High
This is for work that is critical and needs to be addressed in the next sprint. It's often for urgent bugs, important features, or a major piece of technical debt that is blocking other work.

  
Priority
Low
This is for work that is good to do but not urgent. It's a candidate for being worked on when there's extra time or when it rises in importance. It can stay in the backlog for a longer period.

  
Priority
Medium
This is for important work that should be done soon, but isn't as urgent as a high-priority item. It will likely be considered for the next 1-2 sprints.

  
Sprint Status
Blocked
Work items that cannot progress due to external dependencies, blockers, or issues that need resolution.

  
Sprint Status
Done
Work items that have been completed, reviewed, and integrated. No further work is needed within the current sprint.

  
Sprint Status
In Progress
Work items currently being worked on by a team member. Active development, research, or implementation is happening.

  
Sprint Status
Review
Work items that are complete but need review, testing, or approval before being marked as done.

  
Sprint Status
To Do
Work items that are committed to the sprint but haven't been started yet. These items are ready to be picked up by team members.

  
Technical Debt

Work that addresses shortcuts, workarounds, or suboptimal implementations that were done previously to meet deadlines. These items improve code quality, maintainability, or performance without adding new features.

  
Work Item
Bug
Issues where the system is not working as intended or designed. Bugs represent deviations from expected behavior.

  
Work Item
Epic
Large initiatives that are broken down into multiple smaller work items (user stories, tasks, bugs). Epics represent significant features or projects that span multiple sprints.

  
Work Item
Spike
Time-boxed research, investigation, or proof-of-concept work to reduce uncertainty or explore solutions. Spikes help inform future development decisions.

  
Work Item
Task
Used to break down larger user stories into smaller, manageable implementation pieces. They focus on the specific technical steps needed to deliver the user story's value.

  
Work Item
User Story
User-facing features or functionality that can be framed from a user perspective, describing what someone wants to accomplish and why.

No labels
announcement
anubis
authentication
aws
backlog
blocked
bodhi
ci
cloud
communishift
copr
database
day-to-day
dc-move
deprecated
dev
discourse
dns
downloads
easyfix
epel
firmitas
forgejo_migration
Gain
High
Gain
Low
Gain
Medium
gitlab
greenwave
hardware
help wanted
high-trouble
koji
koschei
lists
low-trouble
medium-trouble
mirrorlists
monitoring
Needs investigation
odcs
OpenShift
ops
outage
packager_workflow_blocker
pagure
permissions
Priority
Needs Review
Priority
Next Meeting
Priority
🔥 URGENT 🔥
Priority
Waiting on Assignee
Priority
Waiting on External
Priority
Waiting on Reporter
rabbitmq
release-monitoring
releng
request-for-resources
s390x
security
SMTP
sprint-0
sprint-1
src.fp.o
staging
unfreeze
waiverdb
websites-general
wiki
Backlog Status
Needs Review
Backlog Status
Ready
chore
documentation
points
01
points
02
points
03
points
05
points
08
points
13
Priority
High
Priority
Low
Priority
Medium
Sprint Status
Blocked
Sprint Status
Done
Sprint Status
In Progress
Sprint Status
Review
Sprint Status
To Do
Technical Debt
Work Item
Bug
Work Item
Epic
Work Item
Spike
Work Item
Task
Work Item
User Story
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
4 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
infra/tickets#10952
No description provided.