Posted to builds@apache.org by Tony Stevenson <to...@pc-tony.com> on 2010/07/17 01:09:49 UTC

Re: LDAP configuration for the new Hudson master (was: New Machine waiting for Hudson Master)

On Sat, Jul 17, 2010 at 12:04:38AM +0200, Niklas Gustavsson wrote:
> On Tue, Jun 22, 2010 at 9:48 PM, Niklas Gustavsson <ni...@protocol7.com> wrote:
> > Alright, so now that we're in, how to do want to go about with the
> > installation? Set up Hudson and tools on aegis, move over
> > configuration and plugins, set up HTTP redirects, test and then move
> > over as master over the slaves?
> 
> Hudson is now up and running for testing on the new host.
> 
> Also, with the help of pctony and Gav, LDAP is now configured for
> testing. We've had some discussions on how to use LDAP in Hudson over
> on IRC. I would here like to sum up our suggestions:
> 
> Use LDAP for Hudson web access (possibly shell in the future but
> that's out of scope for this description). Allow three levels of
> access:

Shell access might be a little way off, as we don't currently use LDAP for shell access anywhere, except on people.apache.org.

> * Hudson admins - a very limited set of admins for Hudson, like the
> current five admins plus the infra guys
> * Job admins - users with access to create, delete, configure and run
> jobs. Will not have access to the core Hudson configuration.
> * Everyone else - these are users who are not logged in. Anonymous
> users in Hudson. Same access as today
> 
> Hudson admins are managed in a LDAP group managed by infra. Hudson
> admins will not have root on aegis, but will have sudo to the hudson
> user.
> 
> Job admins are managed in a LDAP group managed by PMC chairs. Thus, if
> a PMC wants to add a new Hudson job admin, they manage this themselves
> without any need for Hudson admins to get in their way. A shell script
> on people.a.o, like the current one for PMC roster management, will be
> available. Hudson admins will not have access to manage this group.

Actually, I just set it up so that hudson admins can add users to this group.  Is this not wanted?  PMC-Chairs will also have access.  I'll document the process separately as this list isn't the place for that discussion.

> 
> Hudson web access will only be available over https, as we will now
> use the LDAP passwords.

With this in mind, please do not publicise the current URL, to anyone, as it is not over SSL.
Access is currently restricted to the hudson-admin group; once the site is on SSL I will allow access for everyone again.

> 
> Current accounts will be migrated as part of setting up the new Hudson master.

How will this be done?  I presume you mean add all users to the hudson-jobadmin group? 

-- 
Cheers,
Tony

--------------------------------------------
Tony Stevenson

tony@pc-tony.com - pctony@apache.org
pctony@freenode.net - tony@caret.cam.ac.uk

http://blog.pc-tony.com

1024D/51047D66
--------------------------------------------

Re: LDAP configuration for the new Hudson master (was: New Machine waiting for Hudson Master)

Posted by Niklas Gustavsson <ni...@protocol7.com>.
On Sat, Jul 17, 2010 at 1:09 AM, Tony Stevenson <to...@pc-tony.com> wrote:
> On Sat, Jul 17, 2010 at 12:04:38AM +0200, Niklas Gustavsson wrote:
>> Job admins are managed in a LDAP group managed by PMC chairs. Thus, if
>> a PMC wants to add a new Hudson job admin, they manage this themselves
>> without any need for Hudson admins to get in their way. A shell script
>> on people.a.o, like the current one for PMC roster management, will be
>> available. Hudson admins will not have access to manage this group.
>
> Actually, I just set it up so that hudson admins can add users to this group.  Is this not wanted?  PMC-Chairs will also have access.  I'll document the process separately as this list isn't the place for that discussion.

Personally, I'm fine with either way.

>> Hudson web access will only be available over https, as we will now
>> use the LDAP passwords.
>
> With this in mind, please do not publicise the current URL, to anyone, as it is not over SSL.
> Access is currently restricted to the hudson-admin group, once the site is on SSL I will allow access for everyone again.

Since we haven't migrated any of the jobs, slaves or plugin configs,
the new site is pretty useless to anyone so far :-)

>> Current accounts will be migrated as part of setting up the new Hudson master.
>
> How will this be done?  I presume you mean add all users to the hudson-jobadmin group?

Yes.

/niklas