From Fedora Project Wiki
(Change submitted to FESCo)
No edit summary
Line 1: Line 1:
= Authselect: Move State Files to /etc =
= Authselect: Require explicit opt-out =


== Summary ==
== Summary ==


Authselect will move several files that are currently stored at /var/lib/authselect to /etc/authselect/.state. This does not affect configuration backup, that will be kept at /var/lib/authselect/backups.
Any user changes to a configuration generated by authselect will be overwritten by subsequent call to authselect. Users that do not want to use authselect to manage their nsswitch and PAM configuration can opt-out by calling `authselect opt-out` or removing `/etc/authselect/authselect.conf`. It will also make authselect work on CoreOS and other rpm-ostree systems.
 
The files that will be moved are:
* /var/lib/authselect/dconf-db -> /etc/authselect/.state/dconf-db
* /var/lib/authselect/dconf-locks /etc/authselect/.state/dconf-locks
* /var/lib/authselect/fingerprint-auth /etc/authselect/.state/fingerprint-auth
* /var/lib/authselect/nsswitch.conf /etc/authselect/.state/nsswitch.conf
* /var/lib/authselect/password-auth /etc/authselect/.state/password-auth
* /var/lib/authselect/postlogin /etc/authselect/.state/postlogin
* /var/lib/authselect/smartcard-auth /etc/authselect/.state/smartcard-auth
* /var/lib/authselect/system-auth /etc/authselect/.state/system-auth


== Owner ==
== Owner ==
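Review bot: The new Summary offers removing `/etc/authselect/authselect.conf` as a second way to opt out, but the Detailed Description does not treat the two as equivalent. There, a missing authselect.conf makes authselect require `--force`, and only `authselect opt-out` converts the symbolic links to regular files. Suggest dropping the "or removing" alternative from the Summary, or stating what state the symlinked files are left in when only the file is removed.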
Line 42: Line 32:
== Detailed Description ==
== Detailed Description ==


These files are used by authselect to detect changes to the system nsswitch and PAM configurations when the configuration is updated with an updated profile using 'authselect apply-changes'.
Authselect is trying hard to avoid overwriting any potential user changes to the configuration that were not done through the authselect tool. If the content of the configuration has changed without authselect, any subsequent call to authselect refuses to overwrite the changes unless `--force` parameter is given to the tool. This is to prevent destruction of any user configuration.
 
This behavior allows a "mixed" configuration where the original configuration was created by authselect and then modified by user. Authselect essentially stopped managing those files, but the files were still symbolic links to `/etc/authselect` directory. The way how this is implemented also breaks authselect on ostree systems ([https://bugzilla.redhat.com/show_bug.cgi?id=2034360 BZ#2034360]). Also, it is always quite difficult to explain this behavior to users and it seems to create more confusion then what is the benefit.
 
This behavior was important in the past to allow smooth and non-breaking transition to authselect. Fedora 36 encourages users to switch to authselect (if they haven't done that already), see [[Changes/Make_Authselect_Mandatory]]. This behavior is therefore no longer needed and we want to eliminate this mixed configuration and let users either use authselect or not, but nothing in between.


Unfortunately, the current location conflicts with ostree model where /var is not writable during rpm transaction and this currently blocks compose of ostree systems (see [https://bugzilla.redhat.com/show_bug.cgi?id=2034360 BZ#2034360]). At the same time /usr is read-only on client side of ostree-enabled installations therefore the files can not be moved there since it would break authselect on the client side.
The behavior will change to:


Storing these files under /etc/authselect will make authselect work on both server and client side of ostree systems.
* if `/etc/authselect/authselect.conf` '''exists''' and is valid then all `authselect` calls write the new configuration
** authselect will overwrite user changes if there are any and '''will not''' require user's confirmation through `--force` parameter
** content of the files is no longer checked, therefore the files under `/var/lib/authselect` are no longer needed (this will make authselect work on ostree systems)
* if `/etc/authselect/authselect.conf` '''does not exist''' or is corrupted, then `authselect` will require `--force` parameter
* those users that don't want to have their configuration managed by `authselect` can call `authselect opt-out`
** this will convert authselect configuration to non-authselect configuration (convert symbolic links to regular files and remove authselect.conf)
* the result is that users would either use `authselect` or not, nothing in between


== Feedback ==
== Feedback ==
This change is accepted by ostree system maintainers, see [https://bugzilla.redhat.com/show_bug.cgi?id=2034360 BZ#2034360].


== Benefit to Fedora ==
== Benefit to Fedora ==


This makes authselect more compatible with ostree model.
* The system configuration will be clear - it is either managed by authselect or not
* This makes authselect compatible with ostree model.
* The new behavior is more simple and similar to what users already know (for example how /etc/resolv.conf is managed)


== Scope ==
== Scope ==
* Proposal owners: Build authselect with --statedir=/etc/authselect/.state and move files from /var/lib/authselect to the new location. Spec file changes only.
* Proposal owners: Implement these changes.


* Other developers: N/A (not needed for this Change)<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
* Other developers: N/A (not needed for this Change)<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
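Review bot: In the new behavior list, "exists and is valid" and "does not exist or is corrupted" are never defined, and the sub-bullet "content of the files is no longer checked" does not say whether authselect reports that it replaced locally modified files. Suggest defining what makes authselect.conf valid and stating whether an overwrite of changed PAM or nsswitch content is printed or logged, since `--force` is no longer the point at which the user finds out.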
Line 74: Line 74:
== Upgrade/compatibility impact ==
== Upgrade/compatibility impact ==


No impact. Files will be moved automatically during update and everything will keep working as prior.
No impact.


== How To Test ==
== How To Test ==


1. Authselect keeps working as expected after the upgrade
# Authselect keeps working as expected after the upgrade
# Any user change is overwritten when authselect is called if the configuration is managed by authselect (`/etc/authselect/authselect.conf` exist and is valid)


== User Experience ==
== User Experience ==


This change is only under the hood, it does not affect user experience.
Users that do not want to use authselect must explicitly opt-out by calling `authselect opt-out`. It is more clear how the authselect tool operates.


== Dependencies ==
== Dependencies ==
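Review bot: "No impact." under Upgrade/compatibility impact does not match the behavior change in the Detailed Description: a system whose authselect-generated files were modified by hand will have those changes overwritten without `--force` on the next authselect call. Suggest saying so in this section, and adding How To Test steps for `authselect opt-out` and for the missing or corrupted authselect.conf case that requires `--force`.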
Line 99: Line 100:
== Release Notes ==
== Release Notes ==


Authselect state files moved from /var/lib/authselect to /etc/authselect/.state.
Users that do not want use authselect to manage their nsswitch and PAM configuration must explicitly opt-out by calling `authselect opt-out`
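Review bot: The new release note reads "do not want use" (missing "to") and has no final period. It also leaves out the overwrite behavior that the Summary leads with; suggest adding a sentence that changes made outside authselect are overwritten on the next authselect call.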

Revision as of 14:51, 31 January 2022

Authselect: Require explicit opt-out

Summary

Any user changes to a configuration generated by authselect will be overwritten by any subsequent call to authselect. Users who do not want to use authselect to manage their nsswitch and PAM configuration can opt out by calling authselect opt-out or removing /etc/authselect/authselect.conf. This change will also make authselect work on CoreOS and other rpm-ostree systems.

Owner


Current status

  • Targeted release: Fedora Linux 36
  • Last updated: 2022-01-31
  • devel thread
  • FESCo issue: #2741
  • Tracker bug: <will be assigned by the Wrangler>
  • Release notes tracker: <will be assigned by the Wrangler>

Detailed Description

Authselect tries hard to avoid overwriting any user changes to the configuration that were not made through the authselect tool. If the content of the configuration has changed without authselect, any subsequent call to authselect refuses to overwrite the changes unless the --force parameter is given to the tool. This is to prevent destruction of any user configuration.

This behavior allows a "mixed" configuration where the original configuration was created by authselect and then modified by the user. Authselect essentially stopped managing those files, but the files were still symbolic links to the /etc/authselect directory. The way this is implemented also breaks authselect on ostree systems (BZ#2034360). In addition, this behavior has always been quite difficult to explain to users, and it seems to create more confusion than benefit.

This behavior was important in the past to allow a smooth and non-breaking transition to authselect. Fedora 36 encourages users to switch to authselect (if they haven't done so already), see Changes/Make_Authselect_Mandatory. The behavior is therefore no longer needed, and we want to eliminate the mixed configuration so that users either use authselect or do not, with nothing in between.

The behavior will change to:

  • if /etc/authselect/authselect.conf exists and is valid, then all authselect calls write the new configuration
    • authselect will overwrite user changes if there are any and will not require the user's confirmation through the --force parameter
    • the content of the files is no longer checked, therefore the files under /var/lib/authselect are no longer needed (this will make authselect work on ostree systems)
  • if /etc/authselect/authselect.conf does not exist or is corrupted, then authselect will require the --force parameter
  • users who don't want to have their configuration managed by authselect can call authselect opt-out
    • this will convert the authselect configuration to a non-authselect configuration (convert symbolic links to regular files and remove authselect.conf)
  • the result is that users either use authselect or not, with nothing in between
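
A pre-upgrade check for the states in the list above, as an added example that is not part of the proposal or of authselect itself. It assumes the generated files are linked from /etc/nsswitch.conf and /etc/pam.d/, uses a non-empty authselect.conf as a stand-in for "valid", and assumes the copies under /var/lib/authselect are verbatim copies of the generated files.

```shell
#!/bin/sh
# Added example, not authselect code. File names come from the proposal;
# the link locations under /etc and /etc/pam.d are an assumption.
AUTHSELECT_LINKS="nsswitch.conf pam.d/system-auth pam.d/password-auth
pam.d/fingerprint-auth pam.d/smartcard-auth pam.d/postlogin"
AUTHSELECT_FILES="nsswitch.conf system-auth password-auth
fingerprint-auth smartcard-auth postlogin"

# Print how the tree rooted at $1 (default /) relates to authselect:
#   managed      authselect.conf present: any authselect call overwrites the files
#   inconsistent no usable authselect.conf, but links into /etc/authselect remain;
#                authselect will ask for --force
#   unmanaged    no authselect.conf and no links: the opted-out end state
authselect_state() {
    root=${1:-/}
    root=${root%/}
    conf="$root/etc/authselect/authselect.conf"
    linked=0
    for rel in $AUTHSELECT_LINKS; do
        path="$root/etc/$rel"
        [ -L "$path" ] || continue
        case "$(readlink "$path")" in
            /etc/authselect/*) linked=$((linked + 1)) ;;
        esac
    done
    if [ -f "$conf" ] && [ -s "$conf" ]; then
        echo managed
    elif [ "$linked" -gt 0 ]; then
        echo inconsistent
    else
        echo unmanaged
    fi
}

# Print each generated file that differs from its saved copy under
# /var/lib/authselect, i.e. local edits the next authselect call would replace.
locally_modified() {
    root=${1:-/}
    root=${root%/}
    for name in $AUTHSELECT_FILES; do
        generated="$root/etc/authselect/$name"
        saved="$root/var/lib/authselect/$name"
        [ -f "$generated" ] && [ -f "$saved" ] || continue
        cmp -s "$generated" "$saved" || echo "$name"
    done
}
```

Source the file and call `authselect_state /` and `locally_modified /` before upgrading; a "managed" result together with any listed file means hand edits that should be moved into a custom profile or preserved with `authselect opt-out` first.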

Feedback

Benefit to Fedora

  • The system configuration will be clear: it is either managed by authselect or not
  • This makes authselect compatible with the ostree model.
  • The new behavior is simpler and similar to what users already know (for example, how /etc/resolv.conf is managed)

Scope

  • Proposal owners: Implement these changes.
  • Other developers: N/A (not needed for this Change)
  • Policies and guidelines: N/A (not needed for this Change)
  • Trademark approval: N/A (not needed for this Change)
  • Alignment with Objectives: N/A

Upgrade/compatibility impact

No impact.

How To Test

  1. Authselect keeps working as expected after the upgrade
  2. Any user change is overwritten when authselect is called if the configuration is managed by authselect (/etc/authselect/authselect.conf exists and is valid)

User Experience

Users who do not want to use authselect must explicitly opt out by calling authselect opt-out. It is clearer how the authselect tool operates.

Dependencies

No dependencies.

Contingency Plan

  • Contingency mechanism: N/A (not a System Wide Change)
  • Contingency deadline: N/A (not a System Wide Change)
  • Blocks release? N/A (not a System Wide Change), Yes/No

Documentation

N/A (not a System Wide Change)

Release Notes

Users who do not want to use authselect to manage their nsswitch and PAM configuration must explicitly opt out by calling authselect opt-out.