jenkins-infra / helpdesk

Open your Infrastructure related issues here for the Jenkins project
https://github.com/jenkins-infra/helpdesk/issues/new/choose

[INFRA-3167] Move security settings to configuration-as-code for puppet managed instances #2708

Open jenkins-infra-bot opened 2 years ago

jenkins-infra-bot commented 2 years ago

Current config is defined at https://github.com/jenkins-infra/jenkins-infra/blob/production/dist/profile/templates/buildmaster/lockbox.groovy.erb#L62-L64

 

But can also just be exported via jcasc

Make sure to specify if user or group from the matrix-auth 3.0 upgrade.

I believe Damien Duportal manually migrated the auth config to 3.0 but it was reverted by the groovy script


Originally reported by timja, imported from: Move security settings to configuration-as-code for puppet managed instances
  • status: Open
  • priority: Minor
  • resolution: Unresolved
  • imported: 2022/01/10

dduportal commented 2 years ago

We can start this, following up https://github.com/jenkins-infra/jenkins-infra/pull/2049

lemeurherve commented 2 years ago

FTR, current state of ci.jenkins.io:

image

Unambiguous state:

image

Desired state?

image

Corresponding casc of the desired (?) state:

  authorizationStrategy:
    globalMatrix:
      permissions:
      - "GROUP:Job/Read:authenticated"
      - "GROUP:Overall/Administer:admins"
      - "GROUP:Overall/Administer:jenkins-admins"
      - "GROUP:Overall/Read:authenticated"
      - "USER:Job/Read:anonymous"
      - "USER:Overall/Read:anonymous"

It looks like we need to move (at first) the permissions from here to a new lockbox.yaml.erb file here.

Example of what kind of casc section we need to approach here (to be fixed too).

Unfortunately, authorizationStrategy is in the jenkins root section, and its merge with existing values in the same section will need some attention.
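
As an added illustration (not part of the thread or of the jenkins-infra code), a small Python check that parses globalMatrix entries in the format shown above and flags any that lack the USER:/GROUP: prefix, along with who holds Overall/Administer and what anonymous can do. The unprefixed legacy form and the `LEGACY_SAMPLE` list are assumptions constructed for the example.

```python
import re

# Entry format used in the casc snippet above: "<TYPE>:<Group>/<Permission>:<sid>".
# Assumption: entries written before the matrix-auth 3.0 upgrade carry no TYPE
# prefix ("<Group>/<Permission>:<sid>") and are therefore ambiguous.
ENTRY = re.compile(r"^(?:(USER|GROUP):)?([^/:]+)/([^:]+):(.+)$")

# Desired state, copied from the casc snippet in the comment above.
DESIRED = [
    "GROUP:Job/Read:authenticated",
    "GROUP:Overall/Administer:admins",
    "GROUP:Overall/Administer:jenkins-admins",
    "GROUP:Overall/Read:authenticated",
    "USER:Job/Read:anonymous",
    "USER:Overall/Read:anonymous",
]

# Constructed sample: a partly migrated list with two unprefixed entries.
LEGACY_SAMPLE = [
    "Overall/Administer:admins",
    "GROUP:Overall/Read:authenticated",
    "Overall/Read:anonymous",
]


def parse_entry(entry):
    """Split one entry into (type, permission, sid); type is None if unprefixed."""
    match = ENTRY.match(entry.strip())
    if not match:
        raise ValueError(f"unrecognised permission entry: {entry!r}")
    sid_type, group, perm, sid = match.groups()
    return sid_type, f"{group}/{perm}", sid


def audit(permissions):
    """Collect review findings for a globalMatrix permission list."""
    findings = {"ambiguous": [], "administer": [], "anonymous": []}
    for entry in permissions:
        sid_type, perm, sid = parse_entry(entry)
        if sid_type is None:
            findings["ambiguous"].append(entry)  # needs USER: or GROUP:
        if perm == "Overall/Administer":
            findings["administer"].append((sid_type, sid))
        if sid == "anonymous":
            findings["anonymous"].append(perm)
    return findings


if __name__ == "__main__":
    for name, perms in (("desired", DESIRED), ("legacy sample", LEGACY_SAMPLE)):
        print(name, audit(perms))
```
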

timja commented 2 years ago

> Unfortunately, authorizationStrategy is in the jenkins root section

As long as you aren't trying to merge permissions you will be fine, and even then it can be done.

dduportal commented 2 years ago

For info: https://github.com/jenkinsci/configuration-as-code-plugin/blob/master/docs/features/mergeStrategy.md

timja commented 2 years ago

(merging same elements is very beta quality, there are issues around it but it works for some cases, but again doubt it will be needed here)