Add Jenkins agent support for GitHub Committer Authorization Strategy #209
@AndreBrinkop I should have checked the PR list. I just raised a duplicate PR! It seems this plugin is not very actively maintained, I wonder who we can reach out to? edit: mine is #246; I closed it - let's use this PR
Thanks @AndreBrinkop! I have made a few suggestions.
I'll give this a run in my dev instance as a form of integration testing.
Hi @scurvydoggo, first of all thank you for your detailed feedback on my PR. I went over your suggestions and for some of them I used the implementation from your PR as I think that they are more sophisticated than my original implementation. The only open point is whether we need the overall "Read" right for the Agent User or not. The documentation of the Swarm plugin mentions that it is needed (https://github.com/jenkinsci/swarm-plugin/blob/master/docs/security.adoc#authorization) but if you have experience that it is working without it I would say we leave it out?
Hey @AndreBrinkop, thanks so much. Looking at their document, they are being pretty explicit in that we should use
LGTM
Oops, I think we'll need to bump the plugin version.
It should be this line here:
https://github.com/jenkinsci/github-oauth-plugin/blame/master/pom.xml#L12
Some things on my end I need to do before merging this:
- Test this in my dev/prod environment
- Figure out how release notes are done
- Check that CD best practices are in place (see this)
If the above becomes a blocker, we could look at making this an experimental release and merge it, so that you can hand it off, however let me look into the above points first.
@scurvydoggo this plugin makes use of the maven release plugin which manages bumping the version as you release. However, since this plugin was last released, Jenkins now supports a more direct approach to continuous delivery of plugins. I suggest following this guide so that merging to master automatically releases https://www.jenkins.io/doc/developer/publishing/releasing-cd/
Thanks @samrocketman I have raised a PR for this here: #248
Co-authored-by: Andreas Nygard <andreas.nygard@gmail.com>
708d7aa to 2feb79b
The CD pipeline is up to date. I am now deploying this into my instance for testing.
CasC is also working, and the actual functionality of the agents is ok.
Add Jenkins agent support for GitHub Committer Authorization Strategy
Problem
A common use case for bigger Jenkins setups is to use a plugin like the Swarm plugin to form an ad-hoc cluster. This plugin allows agents to be added to and removed from the Jenkins server flexibly. Those agents require authentication and authorization to create, configure and add new computers to Jenkins. Using the github-oauth-plugin, authentication for the agent is already possible using a GitHub access token with minimal rights from a GitHub user.
However, the authorization is not working if the GitHub Committer Authorization Strategy is selected as the access rights retrieved from GitHub are not sufficient in this use case and there is no way to add additional custom rights to users.
Solution
To solve this problem this PR adds a new field in the GitHub Committer Authorization Strategy configuration window that allows the specification of an optional Agent User Name. The user specified in that field will be provided with the following rights that are necessary for the agent user:
The PR also adds a help dialog for this field and it includes unit tests to test that the right permissions are assigned to (and only to) the specified agent user.
Checklist
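Added example, not part of the PR or the plugin's code: a stand-alone Java sketch of the rule the description states, where one configured agent user receives a fixed set of rights and no other user gains anything. The class, method and permission names are hypothetical, modeled on the description and the Swarm documentation linked in the thread; including Overall/Read is an assumption, since that is the open point discussed above.

```java
import java.util.EnumSet;
import java.util.Set;

// Added sketch, not the plugin's code: models "agent user gets these rights, nobody else does".
public class AgentUserAclSketch {

    // Hypothetical permission names; the last two stand for rights the agent must never get.
    enum Permission { OVERALL_READ, AGENT_CREATE, AGENT_CONFIGURE, AGENT_CONNECT,
                      JOB_CONFIGURE, OVERALL_ADMINISTER }

    // Fixed allow-list for the agent account (OVERALL_READ included as an assumption).
    static final Set<Permission> AGENT_PERMISSIONS = EnumSet.of(
            Permission.OVERALL_READ, Permission.AGENT_CREATE,
            Permission.AGENT_CONFIGURE, Permission.AGENT_CONNECT);

    private final String agentUserName; // optional setting; null or blank means "feature off"

    AgentUserAclSketch(String agentUserName) {
        this.agentUserName = agentUserName == null ? "" : agentUserName.trim();
    }

    // True only when the authenticated login is the configured agent user AND the
    // requested permission is on the allow-list. Fails closed on blank configuration,
    // so an empty field can never match an empty or missing login.
    boolean grantsAsAgent(String login, Permission requested) {
        if (agentUserName.isEmpty() || login == null) {
            return false;
        }
        return agentUserName.equals(login) && AGENT_PERMISSIONS.contains(requested);
    }

    static void check(boolean condition, String what) {
        if (!condition) throw new AssertionError(what);
    }

    public static void main(String[] args) {
        AgentUserAclSketch acl = new AgentUserAclSketch("swarm-bot"); // constructed sample name
        check(acl.grantsAsAgent("swarm-bot", Permission.AGENT_CONNECT), "agent may connect");
        check(!acl.grantsAsAgent("swarm-bot", Permission.OVERALL_ADMINISTER), "agent is not admin");
        check(!acl.grantsAsAgent("alice", Permission.AGENT_CREATE), "other users gain nothing");

        AgentUserAclSketch off = new AgentUserAclSketch("  "); // field left empty
        check(!off.grantsAsAgent("", Permission.OVERALL_READ), "blank config matches nobody");
        check(!off.grantsAsAgent(null, Permission.OVERALL_READ), "null login matches nobody");
        System.out.println("all checks passed");
    }
}
```

The negative checks matter as much as the positive one: they are the "and only to" half of the unit tests the description mentions.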