- name: canonical-livepatch-server-admin
- description: A tool for managing a canonical livepatch server instance.
- upstream: PRIVATE
- upstream-relation: The livepatch team in Comsys.
- interfaces:
  - password-manager-interface
    - request-type: auto-connection
    - reasoning: As part of the policy to move towards Canonical IDP (CiDP), the livepatch team needs to implement device-auth flow for the Canonical livepatch admin tool. The tool currently uses HTTP basic auth or Ubuntu SSO; we plan on deprecating SSO in favor of CiDP. Rather than store the access token and refresh tokens in the filesystem with sudo-only access, we want to store the secrets in the system keyring, which is encrypted at rest. To access the keyring, we need the snap to have the password-manager-interface. Ideally, this should be auto-attached so that the user can use the admin tool with CiDP without having to manually attach the interface on each device on which the user has the tool installed.
- password-manager-interface
Edit: in the reasoning section, password-manager-interface should be password-manager-service.
@haydntamura The password-manager-interface gives the ability to read all existing stored secrets, not just what the snap owns. We avoid granting auto-connect for it in general. As an alternative, can you try the desktop interface which provides access to gnome-keyring and it’s already auto-connected? More info here.
I see, I will take a look at the desktop interface. Thank you for the information!