Open segator opened 4 years ago
@segator I can't follow... can you please add some more details? What do you mean by "... hardcoded read-only on BB opendevstack/shared-lib" repo?
prov-app sets, in code, RO permissions for project-specific serviceAccount users on the Bitbucket opendevstack/shared-lib repository; from the maintainability perspective I think it is better to have a single AD/LDAP group.
@segator did I get it right: are you suggesting that instead of granting a ServiceAccount read permission on a freshly created BitBucket repository, we add a group with read permission to the freshly created BitBucket repository? Is this correct?
I have discussed this with segator...

Issue:
Too many project-specific service accounts are explicitly granted read permission on the repository `ods-jenkins-shared-library`.

Why this is implemented this way:
This is necessary to guarantee that when Jenkins triggers a project build pipeline, its service account has read access to the repository `ods-jenkins-shared-library`.

Problem:
For each project a service account is granted read permission on `ods-jenkins-shared-library` in BitBucket. This makes it difficult to manage accounts and operate BitBucket.

Proposed Solution:
Set up a group in BitBucket with read permission on the repository `ods-jenkins-shared-library`. Add the service account to this group on account creation.

Changes in ProvApp: add a configuration option to disable granting read permission on `ods-jenkins-shared-library` to the service account. If this is the case, ProvApp should verify that the service account has read access to the repository `ods-jenkins-shared-library`. If not, the project creation flow should fail.

@michaelsauter @segator @clemensutschig @borja44 your thoughts on this? Any questions?
@stitakis I am really confused on this. We are NOT setting any permissions on another bitbucket repo during creation of a repo, or project ... can you please describe the issue better?
The setup should be ... (and always was) - the (SUPER) group of project users was, say, XYZ - and that group had read access to ods-jenkins-shared-library
I think there is code in the prov-app which grants the project-specific technical user read access to the "readable repos". AFAIK that is not group based. I think @stitakis's suggestion is good.
@tjaeschke IIRC you worked on this in the past. Do you have some background on why you did not implement this via groups? Some disadvantage that we are not seeing here?
I confirm that every time a project is created, its service account is added as a reader on the ods/shared-lib repo. Anything we can do?
I think this is basically a duplicate of #485, right?
Not really. If you use local users then yes, but from the prov app you will never be able to add a user to an AD group.
@sino92 @segator @michaelsauter yes, this is a duplicate of #485...

The idea here and in #485 is: instead of setting read permissions for the project-specific service account (cd user) (see implementation here https://github.com/opendevstack/ods-provisioning-app/blob/89b8cee10846692a8dd5b4b79b095efb6f453bbe/src/main/java/org/opendevstack/provision/services/BitbucketAdapter.java#L561), the new service account should be assigned to the group `cd_users` on account creation.

NOTES:
- This group `cd_users` is a new group that needs to be set up/created in advance in BitBucket/Crowd/etc...
- All new service accounts (cd users) will need to be assigned to the `cd_users` group after the account is created.

With this solution read access to `ods-jenkins-shared-lib` is granted when the project-specific account is created, of course only if the new service account is added to the `cd_users` group.

@segator, does this make sense?
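The group-based approach proposed in this comment and in the earlier "Proposed Solution" (verify that the project's cd user can read the shared library through the `cd_users` group, and fail provisioning otherwise, instead of adding one more explicit per-user grant) as a runnable model. This is an added illustration, not code from the thread or from the provisioning app; the account naming (`<project>-cd`), the `cd_users` group name, and the permission data are assumptions or constructed sample data, modelled loosely on the user/group permission listings Bitbucket Server exposes.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence

SHARED_LIB_REPO = "ods-jenkins-shared-library"
CD_USERS_GROUP = "cd_users"  # assumed group name from the proposal; must pre-exist in Crowd/AD
# Bitbucket Server repository permission levels; the higher levels imply read.
READ_OR_HIGHER = {"REPO_READ", "REPO_WRITE", "REPO_ADMIN"}


@dataclass
class RepoPermissions:
    """Explicit grants on one repository (constructed model of the data
    Bitbucket returns from its per-repo user and group permission listings)."""
    users: Dict[str, str] = field(default_factory=dict)   # user name  -> permission
    groups: Dict[str, str] = field(default_factory=dict)  # group name -> permission


def effective_read_access(account: str, perms: RepoPermissions,
                          memberships: Dict[str, Sequence[str]]) -> Optional[str]:
    """Return how `account` obtains read access ("user:<perm>" or "group:<name>"),
    or None when it has no read access at all. Direct grants win over group grants."""
    if perms.users.get(account) in READ_OR_HIGHER:
        return f"user:{perms.users[account]}"
    for group in memberships.get(account, ()):
        if perms.groups.get(group) in READ_OR_HIGHER:
            return f"group:{group}"
    return None


def provision_cd_user(project_key: str, perms: RepoPermissions,
                      memberships: Dict[str, Sequence[str]],
                      grant_per_user: bool) -> List[str]:
    """Simulate the shared-library step of project creation for the project's cd user.

    grant_per_user=True  -> current behaviour: an explicit REPO_READ grant per account.
    grant_per_user=False -> proposed behaviour: no per-user grant; the account is
                            expected to be in cd_users already, so verify and fail
                            the creation flow if it cannot read the repository.
    Returns the actions performed (mutates `perms` in legacy mode).
    """
    account = f"{project_key.lower()}-cd"  # assumed naming convention for the cd user
    actions: List[str] = []
    if grant_per_user:
        perms.users[account] = "REPO_READ"
        actions.append(f"grant REPO_READ on {SHARED_LIB_REPO} to {account}")
    via = effective_read_access(account, perms, memberships)
    if via is None:
        raise PermissionError(
            f"{account} has no read access to {SHARED_LIB_REPO}: add it to "
            f"{CD_USERS_GROUP} (or enable per-user grants) before creating the project")
    actions.append(f"verified read access for {account} via {via}")
    return actions


def redundant_user_grants(perms: RepoPermissions,
                          memberships: Dict[str, Sequence[str]]) -> List[str]:
    """Accounts whose explicit per-user grant could be removed because a group
    they belong to already gives at least read access (cleanup of the legacy grants)."""
    redundant = []
    for account in sorted(perms.users):
        covered_by_group = any(perms.groups.get(g) in READ_OR_HIGHER
                               for g in memberships.get(account, ()))
        if covered_by_group:
            redundant.append(account)
    return redundant


if __name__ == "__main__":
    # Constructed sample state: the group already has read access; abc-cd is a member.
    perms = RepoPermissions(users={"old-cd": "REPO_READ"},
                            groups={CD_USERS_GROUP: "REPO_READ"})
    memberships = {"abc-cd": [CD_USERS_GROUP], "old-cd": [CD_USERS_GROUP]}
    print(provision_cd_user("ABC", perms, memberships, grant_per_user=False))
    print("redundant explicit grants:", redundant_user_grants(perms, memberships))
    try:
        provision_cd_user("XYZ", perms, memberships, grant_per_user=False)
    except PermissionError as exc:
        print("creation failed:", exc)
```

Running the script shows the three outcomes the proposal describes: a cd user that is already in `cd_users` passes without any new explicit grant, an account that was granted directly but is also in the group is reported as a candidate for cleanup, and an account outside the group fails the creation flow when per-user grants are disabled.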
Where is this cd_users group? Jira, BB, Crowd? AD?
@segator the `cd_users` group does not exist yet. The idea is to create it in Crowd or AD, and thanks to directory synchronization it would be available in BitBucket. Would this work?
I just found out this morning that prov-app seems to be setting the project-specific serviceAccount user hardcoded as read-only on the BB opendevstack/shared-lib repo. We need to change this and support a single group instead.