  1. Data Management
  2. DM-17232

migrate jenkins user authorization to github teams (TSSW)

    Details

      Description

      The DM production jenkins instance (and most test instances) uses github teams for user authorization and this policy is maintained in yaml via the jenkins configuration-as-code (CASC) plugin. This is both for the convenience of the technical managers and to increase the reproducibility of the jenkins deployment. The "github as truth" model allows the jenkins authorization configuration to be relatively static and user access is administered by github org admins without direct interaction with jenkins. An additional motivation is to decrease the configuration delta between the DM and TSSW deployments.

            Activity

            jhoblitt Joshua Hoblitt added a comment -

            The current configuration explicitly lists the following github users in addition to Authenticated Users, which means anyone with a github account is able to access the jenkins instance.

            • awclemen
            • Eric Coughlin
            • Frossie
            • gcomoretto
            • Joshua Hoblitt
            • Rob Bovill
            • Russell Owen
            • sqre-user
            • Te-Wei Tsai
            • Tiago

            Of those explicitly named users, only gcomoretto and Frossie are not members of the lsst-ts org. I've gone ahead and removed gcomoretto as it appears he will not be involved with release management outside of DM at this time. I am planning to allow the lsst-sqre square team as admins, so no square members strictly need to be listed. I suspect, but am not certain, that allowing all of the lsst-ts org, regardless of team, as non-admin users won't cut off anyone that doesn't need access. Rob Bovill – could you confirm that? Also, what is the intended function of the jenkins team? https://github.com/orgs/lsst-ts/teams/jenkins/members
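
An added example, not part of the ticket or of the project's configuration: a Python audit of a matrix-authorization permission list that flags the two patterns raised in the comment above, grants to the built-in `authenticated` group and grants to individually named users. It assumes entries in the `Permission:sid` string form and GitHub sids written as `org` or `org*team`; the permission names, the `lsst-sqre*square` spelling and the placeholder users are constructed for illustration.

```python
"""Audit Jenkins matrix-auth entries for non-team grants (constructed data)."""
from collections import defaultdict

# Built-in Jenkins groups that do not depend on GitHub org/team membership.
BROAD_SIDS = {"anonymous", "authenticated"}

def classify(sid, orgs):
    """Return 'broad', 'org', 'team' or 'user' for one matrix sid."""
    if sid in BROAD_SIDS:
        return "broad"
    org, sep, team = sid.partition("*")
    if org in orgs:
        return "team" if sep and team else "org"
    return "user"  # anything else is treated as an individual account

def audit(permissions, orgs):
    """Group the sids found in 'Permission:sid' entries by kind."""
    found = defaultdict(set)
    for entry in permissions:
        _perm, _, sid = entry.rpartition(":")
        found[classify(sid, orgs)].add(sid)
    return {kind: sorted(sids) for kind, sids in found.items()}

def findings(permissions, orgs):
    """Human-readable findings; an empty list means team/org grants only."""
    report = audit(permissions, orgs)
    out = [f"{s}: access without any org membership" for s in report.get("broad", [])]
    out += [f"{s}: individually listed, move to a GitHub team" for s in report.get("user", [])]
    return out

ORGS = {"lsst-ts", "lsst-sqre"}  # orgs named in the ticket

# Constructed "before" policy: open to every GitHub account plus named users.
BEFORE = [
    "Overall/Read:authenticated",
    "Job/Build:authenticated",
    "Overall/Administer:example-user-a",  # placeholder login
    "Overall/Administer:example-user-b",  # placeholder login
]
# Constructed "after" policy: only org and org*team sids.
AFTER = [
    "Overall/Administer:lsst-sqre*square",
    "Overall/Read:lsst-ts",
    "Job/Build:lsst-ts",
]

if __name__ == "__main__":
    for line in findings(BEFORE, ORGS):
        print("FINDING", line)
    print("after:", findings(AFTER, ORGS) or "clean")
```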

            jhoblitt Joshua Hoblitt added a comment - Rob Bovill ping

              People

              • Assignee:
                jhoblitt Joshua Hoblitt
                Reporter:
                jhoblitt Joshua Hoblitt
                Watchers:
                Andy Clements, Joshua Hoblitt, Leanne Guy, Rob Bovill, Simon Krughoff