= Launchpad as an OpenID RP = Here are some notes on how we're going to change Launchpad to use login.launchpad.net (through OpenID) to authenticate users. Later we might change Launchpad to use whatever OpenID provider is specified by the user, but that's out of scope here. == Migration plan == There's a chance that the rollout happens after a user started the registration process but before it's finished. If that happens, once the roll out is finished the user will follow the link and try to complete the registration. At that time we need to either allow them to create a fully-functional account (i.e. one that works on login.launchpad.net as well) or tell them to start over on login.launchpad.net. If during the rollout we split the auth/main databases for real, we won't be able to create a fully-functional account (as we won't have access to the auth DB, used by login.lp.net), so we'll need to change the logintoken view to direct users to login.lp.net. However, if we do the real auth/main split on a subsequent rollout, we'd be able to create a fully-functional account with the existing code, not disrupting the user's experience. The same would happen with someone trying to reset their password. '''Cleanup unused (reset-password and new-account) login tokens between the two roll outs to avoid the problems above.''' == Notes on the main/auth split == The plan is to do the split but copy the EmailAddress and Account* tables over to the main db, later refactoring Launchpad to not use the Account* tables. When Launchpad gets a positive assertion for an identity URL it hasn't seen before, it will just create a new Person/Account using the given email address, name (if any) and identity URL. '''What to do about claiming of existing Person entries? We won't be able to do that in Launchpad because we'd need to set a password for the new account.''' I guess we'll have to ask them to register on login.lp.net first and when they get back to Launchpad we do the claiming automatically (in case they've registered with the email address linked to the existing Person), or later when they try claim the account while already logged in === Before the refactoring === We could revoke all write permissions on the AccountPassword table, as a safety net in case we leave behind any code that changes it === After the refactoring === === Things to consider before doing the split === Any code in Launchpad that changes the AccountPassword table is likely to represent a user being fooled into thinking their password was changed when in fact it was not -- remember the AccountPassword table copied to the main DB is not the one used when people login using login.lp.net. For that reason, we should do something about the following: Person.reactivate() must be changed to not set the password <
> Account.activate() also sets the password <
> Person.setPreferredEmail calls Account.activate() <
> Person.createPersonAndEmail creates an Account and gives a password to it <
> Person.password should be removed == Notes from stub == I think the process will be: * Set up the new official Ubuntu SSO database, including daily pg_dumps. * Replicate the ubuntu_sso [1], authdb [2] & lp_* [3] tables to it. * Disable half of the Ubuntu SSO appservers in the load balancer. Point them at the new database. * Make the Ubuntu SSO database the master for the ubuntu_sso tables, stop replicating authdb to the Ubuntu SSO database (making those tables standalone), and swap the online & offline appservers. (A few seconds outage - bring remaining appservers offline, run slonik script, bring new-config appservers online). * Test. We can still back out, but data changes during the test period will be lost. Acceptable. * Reconfigure the remaining Ubuntu SSO appservers and bring them online. * Tidy replication setup & bring a new replica of the Ubuntu SSO database online for failover. At this point, the Ubuntu SSO appservers will be connected to their new database and totally disconnected from Launchpad except for the lp_person, lp_teamparticipation and lp_personlocation tables which we will continue to replicate. The launchpad_prod_4 database on sweetcherry is only being accessed by Launchpad. We can perform a similar procedure as above to stop using it entirely, or wait until the next Launchpad rollout. Then the hardware can be returned (Ubuntu One hot spare I believe?) Also at this point, the Launchpad staging database becomes useless to ISD. On the up side, maintaining your own staging database will be pretty trivial and fast to refresh (just a pg_restore of the Ubuntu SSO production database should do the trick, with a little magic to strip the Slony-I crud). I'm not sure of the best time for this to occur. I suspect it is after login.launchpad.net has been disabled and replaced by login.ubuntu.com. This way we don't have to worry about inconsistencies between the Launchpad copies of the authdb tables and the Ubuntu SSO copies of the authdb tables. If this doesn't matter, we can do the switch any time. We can spare some Launchpad hardware for a fail over database if you don't have a server available, using Slony-I for replication. If you want to use something different (such as pgpool-II for synchronous replication & automatic fail over) we can incorporate that into the above process but that should be on your own hardware. Or you can make any changes later at your leisure. I'll still need to be involved in database updates while you are using Slony-I due to the way we are replicating the lp_* tables. [1] The Django tables created for the new Ubuntu SSO service ISD is writing. [2] The Launchpad account tables - Account, AccountPassword, OpenID*, EmailAddress [3] lp_person, lp_teamparticipation & lp_personlocation, replicated from the Launchpad database. These tables are mirrors of the Person, TeamParticipation & PersonLocation tables in the launchpad database. == Salgado's reply == Given that users might start a registration/password-reset in launchpad.net before it becomes an OpenID RP, finishing the process after it becomes an RP, we should give them at least a few days after the rollout to finish the process using the existing tokens (through launchpad.net). We must also consume/delete the non-consumed LP tokens for registration/password-reset before doing the split.