- Status: accepted
- Deciders: durandom
- Date: 2021-04-26
Technical Story:

The Operate First environments will span multiple data centers and multiple regions. A central authentication system helps identify users and system operators without maintaining separate user registries. This ADR covers platform systems such as OpenShift, ArgoCD or ACM; for application workloads refer to 0010-common-auth-for-applications. Authentication is also essential for auditing.

User management of the applications should be unified so that the same user can access all systems with a single set of credentials. The username should be unique and reused across systems. The accepted solution should provide SSO, so that a user can carry the same identity over to different systems.
Decision Drivers:

- A single identity is provided for each user across all applications.
- All users are able to authenticate using the same credentials.
- The identity provider is responsible for user privacy.
- Ease of acquiring an account.
- Publishing data within legal boundaries without worrying about PII.
Considered Options:

- University Authentication
- GitHub
Decision Outcome:

Chosen option: "3. GitHub", because most users already have a GitHub account.
Consequences:

- The only link to direct user personal data is the GitHub account name.
- Users have to take care of setting their privacy options in GitHub.
- GitOps actions, such as commits, are directly attributable to user accounts.
- Reaching out to users via mail is harder, because we don't maintain a directory of mail addresses.
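The decision above wires GitHub in as the identity provider for the platform clusters. As an added example that is not part of the original ADR, this is an OpenShift `OAuth` cluster resource configuring a GitHub identity provider. The organization name and the secret name are placeholders (assumptions, not values from the ADR); restricting logins to an organization is the check that keeps "ease of acquiring an account" from meaning "anyone with a GitHub account can log in to the cluster".

```yaml
# Added example (not from the ADR): OpenShift OAuth configuration using GitHub as the
# identity provider. Placeholder values are marked with angle brackets.
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: github
    # "claim" maps each GitHub login to exactly one OpenShift user and refuses to
    # reuse a username already bound to another identity, which keeps usernames
    # unique across the platform as the decision drivers require.
    mappingMethod: claim
    type: GitHub
    github:
      # OAuth App client ID registered on GitHub (placeholder).
      clientID: <github-oauth-app-client-id>
      # Secret in the openshift-config namespace holding the OAuth App client
      # secret under the key "clientSecret" (placeholder name).
      clientSecret:
        name: <github-client-secret>
      # Only members of these organizations may log in; without this list any
      # GitHub user can authenticate. The organization name is a placeholder.
      organizations:
      - <github-organization>
```

The referenced secret is created separately, for example with `oc create secret generic <github-client-secret> --from-literal=clientSecret=<value> -n openshift-config`; the client secret never goes into the GitOps repository in clear text. Because the only user attribute stored is the GitHub login, audit logs and GitOps commits trace back to the same identity the ADR describes, and no e-mail addresses are collected.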
Pros and Cons of the Options:

University Authentication:

- Good, because we also target university research and students usually have a university login
- Bad, because universities have a strict privacy setup and must not leak any student data
- Good, because we have email addresses to reach out to users
- Bad, because we store email addresses in logs
GitHub:

- Good, because users already have a GitHub account, and GitHub is also our platform for GitOps
- Good, because users take care of their own privacy settings
- Bad, because we don't have email addresses to reach out to users