Review & edit IPA external authentication user story #3015

asteflova · 2024-05-13T16:17:49Z

A follow-up on #2938

The goal is to cover the IPA user story from beginning to end and make sure it's easy to read and follow.

UPDATE: To summarize the changes:

The assembly introduction now lists the available login methods
Where possible, the docs link to RHEL Identity Management docs for FreeIPA procedures. (FreeIPA does not have a documentation set that would mirror the IdM content; but we could search for corresponding FreeIPA resources upstream, like blog posts and developer docs. But probably not in this PR.)
The old FreeIPA procedures were re-implemented as examples of the simplest(ish) way to achieve the goal (see the Example boxes).
The assembly now also includes login procedures because they are useful for verification.
A lot of editing, shortening, streamlining, and fine-tuning.
I am okay with my commits getting squashed when you merge this PR.
I am familiar with the contributing guidelines.

Please cherry-pick my commits into:

Foreman 3.11/Katello 4.13
Foreman 3.10/Katello 4.12
Foreman 3.9/Katello 4.11 (Satellite 6.15; orcharhino 6.8)
Foreman 3.8/Katello 4.10
Foreman 3.7/Katello 4.9 (Satellite 6.14)
Foreman 3.6/Katello 4.8
Foreman 3.5/Katello 4.7 (Satellite 6.13; orcharhino 6.6/6.7)
Foreman 3.4/Katello 4.6 (EL8 only)
Foreman 3.3/Katello 4.5 on EL7 & EL8 (Satellite 6.12 on EL8 only; orcharhino 6.4/6.5 on EL8 only)
We do not accept PRs for Foreman older than 3.3.

github-actions · 2024-05-13T16:20:24Z

The PR preview for 1a0342d is available at theforeman-foreman-documentation-preview-pr-3015.surge.sh

The following output files are affected by this PR:

show diff

show diff as HTML

asteflova · 2024-05-20T11:57:08Z

@domiborges will do a peer review to provide the FreeIPA/Identity Management's docs team perspective.

guides/common/attributes-satellite.adoc

guides/common/modules/proc_enrolling-project-server-in-freeipa-domain.adoc

guides/common/modules/proc_configuring-host-based-authentication-control.adoc

guides/common/modules/proc_configuring-freeipa-authentication-on-server.adoc

guides/common/modules/proc_configuring-host-based-authentication-control.adoc

guides/common/modules/proc_enrolling-project-server-in-freeipa-domain.adoc

guides/common/modules/proc_configuring-freeipa-authentication-on-server.adoc

guides/common/modules/proc_configuring-host-based-authentication-control.adoc

guides/common/modules/proc_configuring-the-hammer-cli-to-use-freeipa-user-authentication.adoc

guides/common/modules/proc_using-freeipa-credentials-to-log-in-to-the-project-hammer-cli.adoc

...dules/proc_using-freeipa-credentials-to-log-in-to-the-ProjectWebUI-with-Mozilla-Firefox.adoc

guides/common/modules/proc_using-freeipa-credentials-to-log-in-to-the-project-hammer-cli.adoc

asteflova · 2024-07-26T20:03:00Z

Thanks a lot @domiborges for your review!

I updated the PR description with a summary of the changes.

Based on https://github.com/theforeman/hammer-cli-foreman/blob/master/doc/configuration.md

asteflova · 2024-07-30T06:24:42Z

@domiborges We talked about the possibility to add links to FreeIPA docs upstream to make sure that even builds that don't include links to RH downstream docs point to some useful resources. I'm afraid I found only one such resource: see Additional resources in 5.2.3. Configuring host-based access control for FreeIPA users logging in to orcharhino (this is the html build for orcharhino for which all links to RH docs are excluded).

The problem is that the FreeIPA upstream documentation is no longer maintained and upstream users are being redirected to RH docs. So I think that finding good upstream-only resources will be tricky. Domi, let me know if you can think of any other useful links to add; otherwise, I'll leave things as they are now, which means:

The Satellite d/s build includes RH d/s links as usual
The orcharhino d/s build doesn't include any RH d/s links and one FreeIPA-only u/s link
Upstream builds include both RH d/s links and the FreeIPA-only u/s link

maximiliankolb

many minor suggestions; some questions. I only had a quick look at the diff; I am no expert with FreeIPA/IDM.

guides/common/assembly_accessing-server.adoc

...mmon/assembly_configuring-a-freeipa-server-as-an-external-identity-provider-for-project.adoc

...n/modules/con_configuring-a-freeipa-server-as-an-external-identity-provider-for-project.adoc

...mon/modules/con_configuring-an-ldap-server-as-an-external-identity-provider-for-project.adoc

guides/common/modules/proc_configuring-the-freeipa-authentication-source-on-projectserver.adoc

guides/common/modules/proc_enrolling-project-server-in-freeipa-domain.adoc

Co-authored-by: Maximilian Kolb <mail@maximilian-kolb.de>

asteflova

Thanks for the review @maximiliankolb

You noticed quite a few blank lines that should be removed and inconsistencies between headings/IDs/file names. If you don't mind pointing out every single one like this, great! :) But if doing it doesn't exactly spark joy for you, you can also just let me know that I should check the whole PR myself to fix them.

guides/common/assembly_accessing-server.adoc

...mmon/assembly_configuring-a-freeipa-server-as-an-external-identity-provider-for-project.adoc

...n/modules/con_configuring-a-freeipa-server-as-an-external-identity-provider-for-project.adoc

...mon/modules/con_configuring-an-ldap-server-as-an-external-identity-provider-for-project.adoc

guides/common/modules/proc_configuring-hammer-cli-to-accept-freeipa-credentials.adoc

...ules/proc_configuring-host-based-access-control-for-freeipa-users-logging-in-to-foreman.adoc

guides/common/modules/proc_configuring-the-freeipa-authentication-source-on-projectserver.adoc

asteflova · 2024-07-30T08:36:47Z

many minor suggestions; some questions. I only had a quick look at the diff; I am no expert with FreeIPA/IDM.

Myself and @domiborges have covered the FreeIPA/IdM part. What is needed now is a style check to make sure we can merge it. I'm updating the labels to clarify that.

...mon/modules/con_configuring-freeipa-server-as-an-external-identity-provider-for-project.adoc

guides/common/modules/proc_configuring-hammer-cli-to-accept-freeipa-credentials.adoc

...ules/proc_configuring-host-based-access-control-for-freeipa-users-logging-in-to-project.adoc

guides/common/modules/proc_enrolling-projectserver-in-freeipa-domain.adoc

...ules/proc_configuring-host-based-access-control-for-freeipa-users-logging-in-to-project.adoc

...modules/proc_logging-in-to-the-projectwebui-with-freeipa-credentials-in-mozilla-firefox.adoc

...s/common/modules/proc_logging-in-to-the-projectwebui-with-freeipa-credentials-in-chrome.adoc

Co-authored-by: Maximilian Kolb <mail@maximilian-kolb.de>

asteflova · 2024-08-05T06:49:12Z

Based on a conversation with @maximiliankolb and on having resolved all open threads, I'm going to go ahead and merge.

* Redefine FreeIPA attributes for RH d/s * Review and edit the FreeIPA external authentication story * Review and clarify configuring Hammer for FreeIPA Based on https://github.com/theforeman/hammer-cli-foreman/blob/master/doc/configuration.md * Drop warning about restart after satellite-maintain --------- Co-authored-by: Maximilian Kolb <mail@maximilian-kolb.de> (cherry picked from commit e65c2fb)

asteflova · 2024-08-05T06:59:04Z

Merged to "master" and cherry-picked:

5a2f7e8..a4b868f 3.11 -> 3.11

pr-processor bot added the Not yet reviewed label May 13, 2024

asteflova force-pushed the ext_auth_ipa_story branch from 4cf889e to 60dc5a0 Compare May 14, 2024 19:48

asteflova mentioned this pull request Jul 10, 2024

Realm procedure has redundant steps #3116

Open

asteflova force-pushed the ext_auth_ipa_story branch 2 times, most recently from a25c267 to d89fb74 Compare July 22, 2024 12:16

domiborges reviewed Jul 22, 2024

View reviewed changes

guides/common/attributes-satellite.adoc Outdated Show resolved Hide resolved

asteflova commented Jul 22, 2024

View reviewed changes