Figuring out auth

tanner · December 31, 2015, 4:29am

Hey all,

We need to figure out some sort of auth system that doesn’t suck. Basically, the requirements that I can think of are:

Hooks into Jira (ideally only for admin users)
- We’re currently in an awkward place with Jira auth, aiui.
Hooks into Jenkins
Able to use http auth with nginx
- Plan to use this for Consul, etc.

And a few not requirements, but things I would like:

VictorOps SSO (not rolled out yet, but should be in January) (Want)
Cross-server authentication (Really want)
IAM integration (Not sure if it’s possible, but if it is, really want)

Thoughts? I’m currently thinking something LDAP-compliant is probably the best plan, but open to suggestions.

tad · December 31, 2015, 11:57am

The AWS Active Directory thing I sent you seems like a good option.
Community Ops isn’t really in a good place to be reinventing the wheel, or even putting together a wheel, when it comes to auth. If we can just use AWS’s thing, with an LDAP gateway of some sort, that may be ideal.
Otherwise, I’d go for some other directory like Crowd.
You know, as for Jira, why don’t we setup a directory (like AWS AD) and let anybody create an account with that directory by default, JIRA could act as our user management for all of our infrastructure.
Sent from Outlook Mobile

tanner · December 31, 2015, 5:46pm

I think DS is the best option, unless we wanted to do something like JumpCloud. I’m not sure about the idea of letting everyone sign up, because frankly, they don’t need to have an account to access all this stuff. I’d prefer to have us manually create the accounts, at least now.

tanner · January 1, 2016, 2:24am

You know, JumpCloud just might be cheaper right now. I don’t know if that’ll be the case in the future, but for 1-10 users they’re free, past that it’s $10/mo ($7/mo if paid annually). DS is $38/mo for a small, which does up to 50 users.

tad · January 1, 2016, 2:59am

So at 14 users we’d be paying more.
We definitely have a use case for more than 14 users
Sent from Outlook Mobile

tanner · January 1, 2016, 6:41am

You’re right. 11 users doesn’t give us much room to expand. I’ve been playing around a bit with DS but not enough to have formed any opinions on it. Will do more playing tomorrow probably.

Kensie · January 1, 2016, 11:41pm

Are they equal besides cost? Cost shouldn’t be the primary factor for discussion, Not until functionality has been thoroughly considered.

tanner · January 1, 2016, 11:46pm

JumpCloud would probably be a lot easier to set up.

satdav · January 1, 2016, 11:59pm

What about drop box or box. Com as I am guessing jump cloud is for pc
backup

I use Dropbox and one drive my self

tanner · January 2, 2016, 12:01am

No, it’s directory services. They accomplish totally different things.

satdav · January 2, 2016, 12:09am

Can we not just use qauth 2 or try active directory or open ldap

tanner · January 2, 2016, 12:19am

I’m not sure what Qauth is, and OpenLDAP isn’t my first choice, because
I don’t know a lot about LDAP, but that’s what I’m currently trying.

David Weir wrote:

tanner · January 5, 2016, 3:02am

At this point I’m thinking Crowd may be our best bet.