Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[INFRA-3167] Move security settings to configuration-as-code for puppet managed instances #2708

Open
jenkins-infra-bot opened this issue Dec 22, 2021 · 5 comments

Comments

@jenkins-infra-bot
Copy link

Current config is defined at https://github.com/jenkins-infra/jenkins-infra/blob/production/dist/profile/templates/buildmaster/lockbox.groovy.erb#L62-L64

 

But can also just be exported via jcasc

Make sure to specify if user or group from the matrix-auth 3.0 upgrade.

I believe Damien Duportal manually migrated the auth config to 3.0 but it was reverted by the groovy script


Originally reported by timja, imported from: Move security settings to configuration-as-code for puppet managed instances
  • status: Open
  • priority: Minor
  • resolution: Unresolved
  • imported: 2022/01/10
@dduportal
Copy link
Contributor

We can start this, following up jenkins-infra/jenkins-infra#2049

@lemeurherve lemeurherve self-assigned this Jan 19, 2022
@lemeurherve
Copy link
Member

lemeurherve commented Jan 19, 2022

FTR, current state of ci.jenkins.io:
image

Unambiguous state:
image

Desired state?
image

Corresponding casc of the desired (?) state:

  authorizationStrategy:
    globalMatrix:
      permissions:
      - "GROUP:Job/Read:authenticated"
      - "GROUP:Overall/Administer:admins"
      - "GROUP:Overall/Administer:jenkins-admins"
      - "GROUP:Overall/Read:authenticated"
      - "USER:Job/Read:anonymous"
      - "USER:Overall/Read:anonymous"

It looks like we need to move (at first) the permissions from here to a new lockbox.yaml.erb file here.
Example of what kind of casc section we need to approach here (to be fixed too)
Unfortunately, authorizationStrategy is in the jenkins root section, and its merge with existing values in the same section will need some attention.

@timja
Copy link
Member

timja commented Jan 20, 2022

Unfortunately, authorizationStrategy is in the jenkins root section

As long as you aren't trying to merge permissions you will be fine, and even then it can be done.

@dduportal
Copy link
Contributor

For info: https://github.com/jenkinsci/configuration-as-code-plugin/blob/master/docs/features/mergeStrategy.md

@timja
Copy link
Member

timja commented Jan 20, 2022

(merging same elements is very beta quality, there's issues around it but it works for some cases, but again doubt it will be needed here)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

4 participants