Posted to builds@apache.org by Niklas Gustavsson <ni...@protocol7.com> on 2010/07/17 00:04:38 UTC

LDAP configuration for the new Hudson master (was: New Machine waiting for Hudson Master)

On Tue, Jun 22, 2010 at 9:48 PM, Niklas Gustavsson <ni...@protocol7.com> wrote:
> Alright, so now that we're in, how do we want to go about with the
> installation? Set up Hudson and tools on aegis, move over
> configuration and plugins, set up HTTP redirects, test and then move
> over as master over the slaves?

Hudson is now up and running for testing on the new host.

Also, with the help of pctony and Gav, LDAP is now configured for
testing. We've had some discussions on how to use LDAP in Hudson over
on IRC. I would here like to sum up our suggestions:

Use LDAP for Hudson web access (possibly shell in the future but
that's out of scope for this description). Allow three levels of
access:
* Hudson admins - a very limited set of admins for Hudson, like the
current five admins plus the infra guys
* Job admins - users with access to create, delete, configure and run
jobs. Will not have access to the core Hudson configuration.
* Everyone else - these are users who are not logged in. Anonymous
users in Hudson. Same access as today

Hudson admins are managed in an LDAP group managed by infra. Hudson
admins will not have root on aegis, but will have sudo to the hudson
user.

Job admins are managed in an LDAP group managed by PMC chairs. Thus, if
a PMC wants to add a new Hudson job admin, they manage this themselves
without any need for Hudson admins to get in their way. A shell script
on people.a.o, like the current one for PMC roster management, will be
available. Hudson admins will not have access to manage this group.

Hudson web access will only be available over https, as we will now
use the LDAP passwords.

Current accounts will be migrated as part of setting up the new Hudson master.

Sounds reasonable?

/niklas

Re: LDAP configuration for the new Hudson master (was: New Machine waiting for Hudson Master)

Posted by Niklas Gustavsson <ni...@protocol7.com>.
On Sat, Jul 17, 2010 at 1:09 AM, Tony Stevenson <to...@pc-tony.com> wrote:
> On Sat, Jul 17, 2010 at 12:04:38AM +0200, Niklas Gustavsson wrote:
>> Job admins are managed in an LDAP group managed by PMC chairs. Thus, if
>> a PMC wants to add a new Hudson job admin, they manage this themselves
>> without any need for Hudson admins to get in their way. A shell script
>> on people.a.o, like the current one for PMC roster management, will be
>> available. Hudson admins will not have access to manage this group.
>
> Actually, I just set it up so that hudson admins can add users to this group.  Is this not wanted?  PMC-Chairs will also have access.  I'll document the process separately as this list isn't the place for that discussion.

Personally, I'm fine with either way.

>> Hudson web access will only be available over https, as we will now
>> use the LDAP passwords.
>
> With this in mind, please do not publicise the current URL, to anyone, as it is not over SSL.
> Access is currently restricted to the hudson-admin group; once the site is on SSL I will allow access for everyone again.

Since we haven't migrated any of the jobs, slaves or plugin configs,
the new site is pretty useless to anyone so far :-)

>> Current accounts will be migrated as part of setting up the new Hudson master.
>
> How will this be done?  I presume you mean add all users to the hudson-jobadmin group?

Yes.

/niklas

Re: LDAP configuration for the new Hudson master (was: New Machine waiting for Hudson Master)

Posted by Tony Stevenson <to...@pc-tony.com>.
On Sat, Jul 17, 2010 at 12:04:38AM +0200, Niklas Gustavsson wrote:
> On Tue, Jun 22, 2010 at 9:48 PM, Niklas Gustavsson <ni...@protocol7.com> wrote:
> > Alright, so now that we're in, how do we want to go about with the
> > installation? Set up Hudson and tools on aegis, move over
> > configuration and plugins, set up HTTP redirects, test and then move
> > over as master over the slaves?
> 
> Hudson is now up and running for testing on the new host.
> 
> Also, with the help of pctony and Gav, LDAP is now configured for
> testing. We've had some discussions on how to use LDAP in Hudson over
> on IRC. I would here like to sum up our suggestions:
> 
> Use LDAP for Hudson web access (possibly shell in the future but
> that's out of scope for this description). Allow three levels of
> access:

Shell access might be a little way off, as we don't currently use LDAP for shell access anywhere, except on people.apache.org.

> * Hudson admins - a very limited set of admins for Hudson, like the
> current five admins plus the infra guys
> * Job admins - users with access to create, delete, configure and run
> jobs. Will not have access to the core Hudson configuration.
> * Everyone else - these are users who are not logged in. Anonymous
> users in Hudson. Same access as today
> 
> Hudson admins are managed in an LDAP group managed by infra. Hudson
> admins will not have root on aegis, but will have sudo to the hudson
> user.
> 
> Job admins are managed in an LDAP group managed by PMC chairs. Thus, if
> a PMC wants to add a new Hudson job admin, they manage this themselves
> without any need for Hudson admins to get in their way. A shell script
> on people.a.o, like the current one for PMC roster management, will be
> available. Hudson admins will not have access to manage this group.

Actually, I just set it up so that hudson admins can add users to this group.  Is this not wanted?  PMC-Chairs will also have access.  I'll document the process separately as this list isn't the place for that discussion.

> 
> Hudson web access will only be available over https, as we will now
> use the LDAP passwords.

With this in mind, please do not publicise the current URL, to anyone, as it is not over SSL.
Access is currently restricted to the hudson-admin group; once the site is on SSL I will allow access for everyone again.

> 
> Current accounts will be migrated as part of setting up the new Hudson master.

How will this be done?  I presume you mean add all users to the hudson-jobadmin group? 

-- 
Cheers,
Tony

--------------------------------------------
Tony Stevenson

tony@pc-tony.com - pctony@apache.org
pctony@freenode.net - tony@caret.cam.ac.uk

http://blog.pc-tony.com

1024D/51047D66
--------------------------------------------