Open jenkins-infra-bot opened 2 years ago
We can start this, following up https://github.com/jenkins-infra/jenkins-infra/pull/2049
FTR, current state of ci.jenkins.io:
Unambiguous state:
Desired state?
Corresponding casc of the desired (?) state:
authorizationStrategy:
globalMatrix:
permissions:
- "GROUP:Job/Read:authenticated"
- "GROUP:Overall/Administer:admins"
- "GROUP:Overall/Administer:jenkins-admins"
- "GROUP:Overall/Read:authenticated"
- "USER:Job/Read:anonymous"
- "USER:Overall/Read:anonymous"
It looks like we need to move (at first) the permissions from here to a new lockbox.yaml.erb file here.
Example of what kind of casc section we need to approach here (to be fixed too)
Unfortunately, authorizationStrategy
is in the jenkins
root section, and its merge with existing values in the same section will need some attention.
Unfortunately, authorizationStrategy is in the jenkins root section
As long as you aren't trying to merge permissions you will be fine, and even then it can be done.
(merging same elements is very beta quality, there's issues around it but it works for some cases, but again doubt it will be needed here)
Current config is defined at https://github.com/jenkins-infra/jenkins-infra/blob/production/dist/profile/templates/buildmaster/lockbox.groovy.erb#L62-L64
But can also just be exported via jcasc
Make sure to specify if user or group from the matrix-auth 3.0 upgrade.
I believe Damien Duportal manually migrated the auth config to 3.0 but it was reverted by the groovy script
Originally reported by timja, imported from: Move security settings to configuration-as-code for puppet managed instances