threefoldtech / 0-hub

Threefold Images Hub
https://hub.grid.tf
Apache License 2.0

threebot: authentication for virtual users #72

Closed maxux closed 8 months ago

maxux commented 8 months ago

Since the beginning, we rely on itsyou.online for GitHub Actions tokens because this authentication method supports multiple accounts being controlled from a single token, with approved authorization on the itsyou.online backend side. One main feature that we use a lot from that is the ability to do actions on behalf of someone else authorized.

Using a threefold token (3bot token), you can only do actions for your own account and can't authorize delegation.

All of that was working fine so far... until the latest Actions builds...

Using legacy itsyou.online token
Refreshing hub token
Checking logged in username (expected: tf-autobuilder)
zflist: authentication: 502 Bad Gateway

zflist: hub: hub authentication failed

Well... itsyou.online has been deprecated for months (if not years) now... so we need to have an alternative, we can't continue to rely on this dead webservice.

Right now, usage of threefold tokens assumes that accounts end with .3bot, so virtual accounts like tf-zos can't link out of the box to a 3bot account.

In order to support threefold tokens as authorized tokens for these virtual users and to apply minimal changes to the hub to avoid introducing some new untested concepts, I suggest this:

This would enable GitHub Actions to use the new token implementation and discard itsyou.online without the need of renaming current users and creating a lot of new 3bot accounts.

I need to double check if nothing else is required and if this could cover all API endpoints to be sure we don't miss something.

maxux commented 8 months ago

After investigation, this mapping should work. I'm working on it. I created a new dedicated threebot account to manage legacy repositories. I'm testing the implementation to ensure we can manage the multiple repositories from a single token account.

maxux commented 8 months ago

Porting https://github.com/threefoldtech/0-hub-gw to support the new token

maxux commented 8 months ago

Updating production hub to support virtual users now

maxux commented 8 months ago

Updating https://github.com/threefoldtech/0-flist/blob/development-v2/.github/workflows/zflist-publish to smoothly support the new token without massive changes for the end user

maxux commented 8 months ago

Everything is updated, first production tests seem okay, will open a new issue if needed.