From: Marco de Abreu
Date: Fri, 5 Jan 2018 20:02:25 +0100
Subject: Re: Committer access to Jenkins Server
To: dev@mxnet.incubator.apache.org

GitHub SSO allows the neat feature that login and permission can be selected depending on the access rights a user has to a project. Somebody with write access (committers) would get different permissions than somebody with only read access. We could check back with Apache for SSO, but this would involve Apache infra. We could put it up to a vote whether to use GitHub or Apache SSO.

In order to reproduce a build failure we have been thinking about changing the ci_build.sh in such a way that it can be run manually without Jenkins. The setup I took over binds the Jenkins work directory into the docker containers and uses a few hacks which are hard to reproduce locally. We plan to reengineer this script to make it easier to run manually.

But making the AMI public is a good idea! We plan to make the whole infrastructure code (based on Terraform) completely public - at the moment it's in a private repository as it contains credentials, but they will be moved to KMS soon. It would definitely be a good approach to just supply the AMI so everybody could recreate the environment in their own account.

-Marco

On 05.01.2018 7:51 PM, "Chris Olivier" wrote:

Well, login to the Jenkins server, I would imagine. github or Apache SSO (does Apache support OAUTH?) seems like a good idea as long as there's a way to not let everyone with a github account log in. Access to actual slave machines could be more restricted, I imagine.
Eventually, a public current AMI for a build slave would be good in order to reproduce build or test problems that can't be reproduced locally.

wdyt?

On Fri, Jan 5, 2018 at 10:41 AM, Marco de Abreu <marco.g.abreu@googlemail.com> wrote:

> Would it be an acceptable solution if we add SSO or do you also want access to the actual AWS account and all machines?
>
> Yes, the build jobs are automatically getting created for new branches.
>
> -Marco
>
> On 05.01.2018 7:35 PM, "Marco de Abreu" <marco.g.abreu@googlemail.com> wrote:
>
> I totally agree, this is not the way it should work in an Apache Project. It's running on an isengard account, meaning it is only accessible for Amazon employees. The problem is that a compromised account could cause damage up to 170,000$ per day. There are alarms in place to notice those cases, but we still have to be very careful. These high limits have been chosen due to auto scaling being added within the next weeks.
>
> I'd be happy to introduce a committer into the CI process and all the necessary steps as well as granting them permission. The only restriction being that it has to be an Amazon employee and access to console, master and slave only being possible from the Corp network.
>
> There is no open ticket. What would you like to request?
>
> -Marco
>
>
> On 05.01.2018 7:22 PM, "Chris Olivier" wrote:
>
> Like John and other mentors were saying, it's not proper for CI to be a closed/inaccessible environment. Is it running on an Isengard account or in PROD or CORP or just generic EC2? I think that we should remedy this. It's very strange that no committers have access at all. Is there a ticket open to IPSEC?
>
> On Fri, Jan 5, 2018 at 10:17 AM, Marco de Abreu <marco.g.abreu@googlemail.com> wrote:
>
> > Hello Chris,
> >
> > At the moment this is not possible due to Amazon AppSec (Application security) restrictions which do not permit user data and credentials on these machines.
> >
> > I have been thinking about adding single sign on bound to GitHub, but we would have to check back with AppSec.
> >
> > Is the reason for your request still the ability to start and stop running builds?
> >
> > Best regards,
> > Marco
> >
> > On 05.01.2018 7:11 PM, "Chris Olivier" wrote:
> >
> > Marco,
> >
> > Are all committers able to get login access to the Jenkins Server? If not, why?
> >
> > -Chris
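The GitHub-SSO permission mapping discussed in this thread (committers with write access get more than read-only users, while not every GitHub account may log in), shown as an added example. This is not configuration from the MXNet CI or from anyone in the thread; it is a Jenkins Configuration-as-Code fragment for the GitHub OAuth plugin's security realm and authorization strategy. The field names are the plugin's own; the organisation name, the admin user names and the credential variable names are placeholders.

```yaml
# Added illustration, not the MXNet CI configuration. Assumes the
# github-oauth and configuration-as-code Jenkins plugins are installed.
jenkins:
  securityRealm:
    github:
      githubWebUri: "https://github.com"
      githubApiUri: "https://api.github.com"
      # Register an OAuth App on GitHub. The client secret must never be
      # committed with the infrastructure code: JCasC resolves ${...}
      # from an environment variable or a configured secret source at
      # startup, so the value itself can live in KMS / a secrets manager.
      clientID: "${GITHUB_OAUTH_CLIENT_ID}"        # placeholder variable name
      clientSecret: "${GITHUB_OAUTH_CLIENT_SECRET}" # placeholder variable name
      # read:org is required so the plugin can evaluate organisation
      # membership and repository collaborator rights.
      oauthScopes: "read:org,user:email"

  authorizationStrategy:
    github:
      # Hypothetical admin accounts (the CI maintainers).
      adminUserNames: "ci-admin-1,ci-admin-2"
      # Members of this organisation get read access to Jenkins.
      organizationNames: "apache"
      # Map GitHub repository rights onto Jenkins job permissions: on a
      # job whose GitHub project URL points at a repository, users with
      # write (push) access get build-level permissions, read-only users
      # can only view it. This is the "committers vs read-only" split.
      useRepositoryPermissions: true
      # Weak setting would be "true": any GitHub account that completes
      # the OAuth login could then read every job. Keeping it "false"
      # means only organisation members, repository collaborators and
      # admins see anything after logging in.
      authenticatedUserReadPermission: false
      authenticatedUserCreateJobPermission: false
      # Unauthenticated access stays closed.
      allowAnonymousReadPermission: false
      allowAnonymousJobStatusPermission: false
      allowCcTrayPermission: false
      # GitHub must still be able to deliver push webhooks without a
      # logged-in user.
      allowGithubWebHookPermission: true
```

Two caveats when applying something like this: the repository-based mapping only works for jobs that carry a GitHub project URL, since that is how the plugin finds the repository whose collaborator list it checks; and `authenticatedUserReadPermission` is the switch that decides whether "everyone with a github account" can see the server, so it should be reviewed explicitly rather than left at whatever a wizard defaulted it to.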