Add Jenkins agent support for GitHub Committer Authorization Strategy #209
Conversation
|
@AndreBrinkop I should have checked the PR list. I just raised a duplicate PR! It seems this plugin is not very actively maintained, I wonder who we can reach out to? edit: mine is #246; I closed it - let's use this PR |
There was a problem hiding this comment.
Thanks @AndreBrinkop! I have made a few suggestions.
I'll give this a run in my dev instance as a form of integration testing.
src/main/java/org/jenkinsci/plugins/GithubAuthorizationStrategy.java
Outdated
Show resolved
Hide resolved
src/main/java/org/jenkinsci/plugins/GithubRequireOrganizationMembershipACL.java
Show resolved
Hide resolved
src/main/java/org/jenkinsci/plugins/GithubRequireOrganizationMembershipACL.java
Show resolved
Hide resolved
src/main/java/org/jenkinsci/plugins/GithubRequireOrganizationMembershipACL.java
Outdated
Show resolved
Hide resolved
src/main/java/org/jenkinsci/plugins/GithubRequireOrganizationMembershipACL.java
Outdated
Show resolved
Hide resolved
src/main/java/org/jenkinsci/plugins/GithubRequireOrganizationMembershipACL.java
Outdated
Show resolved
Hide resolved
|
Hi @scurvydoggo, first of all thank you for your detailed feedback to my PR. I went over your suggestions and for some of them I used the implementation from your PR as I think that they are more sophisticated than my original implementation. The only open point is whether we need the overall "Read" right for the Agent User or not. The documentation of the swarm plugins mentions that it is needed (https://github.com/jenkinsci/swarm-plugin/blob/master/docs/security.adoc#authorization) but if you have experience that it is working without it I would say we leave it out? |
|
Hey @AndreBrinkop , thanks so much. Looking at their document, they are being pretty explicit in that we should use |
There was a problem hiding this comment.
Oops, I think we'll need to bump the plugin version.
It should be this line here:
https://github.com/jenkinsci/github-oauth-plugin/blame/master/pom.xml#L12
Some things on my end I need to do before merging this:
- Test this in my dev/prod environment
- Figure out how release notes are done
- Check that CD best practices are in place (see this)
If the above becomes a blocker, we could look at making this an experimental release and merge it, so that you can hand it off, however let me look into the above points first.
|
@scurvydoggo this plugin makes use of the maven release plugin which manages bumping the version as you release. However, since this plugin was last released Jenkins now supports a more direct approach to continuous delivery of plugins. I suggest following this guide so that merging to master automatically releases https://www.jenkins.io/doc/developer/publishing/releasing-cd/ |
|
Thanks @samrocketman I have raised a PR for this here: #248 |
Co-authored-by: Andreas Nygard <andreas.nygard@gmail.com>
Co-authored-by: Andreas Nygard <andreas.nygard@gmail.com>
scurvydoggo
force-pushed
the
add-jenkins-agent-support
branch
from
708d7aa
to
2feb79b
Compare
|
The CD pipeline is up to date. I am now deploying this into my instance for testing. |
|
The UI looks good |
|
CasC is also working, and the actual functionality of the agents is ok. |
Add Jenkins agent support for GitHub Committer Authorization Strategy
Problem
A common use case for bigger Jenkins setups is to use a plugin like the Swarm plugin to form an ad-hoc cluster. This plugin allows that agents that can be added and removed flexibly to and from the Jenkins server. Those agents require authentication and authorization to create, configure and add new computers to the Jenkins. Using the github-oauth-plugin the authentication for the agent is already possible using an GitHub access token with minimal rights from a GitHub user.
However, the authorization is not working if the GitHub Committer Authorization Strategy is selected as the access rights retrieved from GitHub are not sufficient in this use case and there is no way to add additional custom rights to users.
Solution
To solve this problem this PR adds a new field in the GitHub Committer Authorization Strategy configuration window that allows the specification of an optional Agent User Name. The user specified in that field will be provided with the following rights that are necessary for the agent user:
The PR also adds a help dialog for this field and it includes unit tests to test that the right permissions are assigned to (and only to) the specified agent user.
Checklist