Every Fedora contributor is familiar with FAS (the Fedora Account System), and has used it to create and manage their Fedora Contributor Account. The current “FAS2” system was first deployed in 2008, and has managed Fedora users and groups for over 13 years.
The FAS2 software, however, is showing its age. It has proved increasingly hard for the Fedora Infrastructure team to support and maintain.
Enter Fedora Accounts
Fedora Accounts is the new place for creating and maintaining your Fedora contributor account. When it goes live at the end of March 2021, it will be available at accounts.fedoraproject.org.
You can test out the new system today on the staging instance, which is available at admin.stg.fedoraproject.org/accounts.
A whole new system
It is important to note that the new Fedora Accounts is not just a new user interface on the old FAS2 system. Fedora Accounts uses FreeIPA on the backend, with the new custom freeipa-fas plugin applied to add extra functionality for Fedora Accounts.
The new web frontend is powered by a new piece of software named Noggin, which provides a tailored UI for creating and managing your Fedora contributor account, and interfaces directly with the FreeIPA backend.
Changes from FAS2
As Fedora Accounts is an entirely new system, there are some changes in how users interact with the system.
Group Sponsors
FAS2 had group administrators, who had permission to add new administrators, add new group members, and edit the finer details of the group.
The new FreeIPA-based Fedora Accounts replaces group administrators with Sponsors, who have permission only to add new group members.
Changing Group Details
Changes to group details (like group description or contact information), or changes to the sponsors of a group are no longer self-service, and require filing a fedora-infra request.
Note for current Group Administrators in FAS2: Review your group’s details in FAS2 now and ensure they are correct before the import into the new system. This will streamline the process and save you from filing a ticket later on.
Joining Groups
Previously, FAS2 had the ability for users to apply for groups, and a group administrator needed to approve these requests. However, many groups have specific joining procedures involving interacting with the group via other channels (like email or IRC). In the new Fedora Accounts, a group sponsor adds new members to the group; there is no additional process required in the accounts system.
Note for current Group Administrators in FAS2: Review your group’s join process to omit the group application step. Instead, inform new contributors whom or where to contact to gain group membership.
Two-factor authentication with TOTP
The new system also provides the ability for all users to enable two-factor authentication on their Fedora contributor account using TOTP. This allows you to use an authentication application such as FreeOTP to generate a one-time password when logging in. The Fedora Accounts documentation contains more information on enabling this new feature.
Note: If you are a member of a Sysadmin group, you must enable two-factor authentication to retain membership.
Try out Fedora Accounts
The new Fedora Accounts is slated for production release by the end of March 2021. You can try it out now in staging at admin.stg.fedoraproject.org/accounts. Note that while your account from FAS will be imported into the staging instance, your password will not be. Use the Reset Password feature in the UI to reset your password on staging for testing it out.
For further reading, see the documentation already available on the Fedora Documentation site.
This is really exciting! I’d love to try it out but the stg site isn’t recognizing my credentials.
Yeah as I understand it passwords weren’t imported into the staging site so you have to use “reset password” to try it. (I don’t think that will propagate forward… not 100% sure though.)
Thanks for the tip, I actually just did that, thus the deletion of my post haha. Worked though, I’m in! This is really cool.
When the new accounts system goes live, will it import the passwords, or will everyone have to reset theirs?
If you have logged into FAS in the last ~2 years, it should be there already, as we already use IPA for some services in production, so they are synced.
Will TOTP be the only method for two-factor authentication in FAS or will there be others? Why was it chosen?
TOTP is the default method for FreeOTP or Google Authenticator. FreeIPA supports HOTP, too. I’m not sure if Noggin allows you to set up an HOTP token, though. FIDO / WebAuthn is not supported by FreeIPA yet.
It would be nice to see an update to FreeOTP. It’s not been updated in almost a decade now. Particularly, as more things start using 2FA, it would be nice to have organization and category features, as well as some kind of encrypted backup.