---
tags: AAA, Noggin, Fedora, CentOS, Migration
---
# AAA/Noggin Migration bits brainstorming
## Done bits
* Noggin user account self-service app coded, deployed in stg
* FAS extensions for IPA coded and deployed in stg (*are we there yet in prod?*)
* `fas2ipa` migration script coded
* User documentation (link?) - this needs to be defined a little better: what do we have, what do we still need?
* Basic FAQ on Noggin vs FAS
* Much more stuff, but can't think of it right now!
## In-flight bits
* Ansible: prepare for shell access and sudo via IPA host groups (for hosts in the VPN), remove old FAS config for stg env ([**IN REVIEW**](https://pagure.io/fedora-infra/ansible/pull-request/374))
* Completely disable ssh password login ([**IN REVIEW**](https://pagure.io/fedora-infra/ansible/pull-request/377))
* Migrate users from FAS/prod (Fedora, CentOS) to IPA/stg (ongoing until FAS/stg is switched off/read-only)
* Write a script to capture new account changes since the last run of the migration script
* Final config of critical apps in stg
* Email aliases configured on bastion
* [2FA for sudo](https://github.com/fedora-infra/aaa-tracker/issues/35)
## Missing Bits
* Noggin/prod user account self-service app deployed
    * This needs a different URL from the current FAS so that FAS can be kept running read-only. This is a PROD task
* Migrate users from FAS/prod (Fedora, CentOS) to IPA/prod (probably done a couple of times with an ever smaller set of changed users until prod FAS instances are switched off/read-only)
    * PROD Task
* Ansible: remove FAS compat cruft for prod env when the new way of things works
    * This is addressed by one of the IN REVIEW tasks above - clean up task
* Make FAS read only (Potentially disable access on the db level for all except the users table)
    * PROD
* Email infra/devel list (fedora) requesting testing in stg (re-enable new account creation in stg too)
* Email devel list (CentOS) with changes they should/can expect with the migration to Noggin & date of migration
* Users with email conflicts emailed requesting they pick one
* Add user installation documentation to repo https://github.com/fedora-infra/noggin/blob/0e3be29de02a1ba7aaf247493c5adf7d08e5f64b/docs/installation.rst
* Identify project closeout date and prep final comms
* Add Noggin to CPE app sheet
## Open Questions/Edge Cases
* Decide how to proceed with users who have the same nick on CentOS and on Fedora but are different people
* What about the same email address appearing in 2 accounts?
* What do we mean when we say create a migration plan for prod?
* Do we need a list of apps again?
* Do we need an outage period? (yes)
* Anything else?
## To-Do Immediately (priority)
* x2 reviews in the in-flight section to be done
* 2FA authentication for sys-admin groups
* Write script to monitor changes on accounts from its last run
* Check with Stephen whether he did all apps in CPE, both critical and not, for codebase changes, and then deploy them to stg to see if they work
* Run a stg-wide ansible playbook to check that all the apps have the right settings
* Emails - lots of emails!
    * Send one to the infra/devel list (fedora) requesting testing in stg
    * Users with email conflicts emailed requesting they pick one (AB will get the list to AM)
* Move end-user documentation to docs.fpo
* Security Review
    * Add security headers https://github.com/fedora-infra/noggin/issues/333
    * Add justification lines to https://github.com/fedora-infra/noggin/issues/335
    * Review default config https://github.com/fedora-infra/noggin/issues/334
* Get installation docs from dkirwan, review and post them to Noggin repo
* Add user documentation to CentOS docs site
* ~~Automate the docs rebuild - it was doing this, so there might be a bug~~
* Create a checklist for the migration to prod to follow
## Email Draft to Users with different emails for CentOS & Fedora
Hi there!
As part of the AAA/Noggin project which will replace FAS, the CPE team has developed a script to migrate user data from the legacy FAS server to its successor.
When we ran this script, your username was detected to be registered to both Fedora and CentOS with different emails for each.
As we are merging the authentication systems of both projects into one, we would ask that if you own both accounts you make sure the same email address is used in both accounts.
When we go live in March, if the two accounts do not have the same email address we will not be able to merge them. In that situation the Fedora account will take precedence over the CentOS account and if you had the CentOS account, you'll need to create a new one and the old one will be discarded. Please make these changes as soon as possible. Once you have done that, you can open a ticket at https://pagure.io/centos-infra and if the email address matches in both the old and new systems, we will be able to add you back to the groups you were in.
So again please, if you own accounts with the same username in both Fedora and CentOS, make sure they use the same email address by March.
Please let us know if you need more information,
Thanks in advance for your help,
Best regards,
....
xxx ❤❤❤