www-builds mailing list archives

From Tony Stevenson <t...@pc-tony.com>
Subject Re: LDAP configuration for the new Hudson master (was: New Machine waiting for Hudson Master)
Date Fri, 16 Jul 2010 23:09:49 GMT
On Sat, Jul 17, 2010 at 12:04:38AM +0200, Niklas Gustavsson wrote:
> On Tue, Jun 22, 2010 at 9:48 PM, Niklas Gustavsson <niklas@protocol7.com> wrote:
> > Alright, so now that we're in, how to do want to go about with the
> > installation? Set up Hudson and tools on aegis, move over
> > configuration and plugins, set up HTTP redirects, test and then move
> > over as master over the slaves?
> 
> Hudson is now up and running for testing on the new host.
> 
> Also, with the help of pctony and Gav, LDAP is now configured for
> testing. We've had some discussions on how to use LDAP in Hudson over
> on IRC. I would here like to sum up our suggestions:
> 
> Use LDAP for Hudson web access (possibly shell in the future but
> that's out of scope for this description). Allow three levels of
> access:

Shell access might be a little way off, as we don't currently use LDAP for shell access anywhere,
except on people.apache.org

> * Hudson admins - a very limited set of admins for Hudson, like the
> current five admins plus the infra guys
> * Job admins - users with access to create, delete, configure and run
> jobs. Will not have access to the core Hudson configuration.
> * Everyone else - this is users which are not logged in. Anonymous
> users in Hudson. Same access as today
> 
> Hudson admins are managed in a LDAP group managed by infra. Hudson
> admins will not have root on aegis, but will have sudo to the hudson
> user.
> 
> Job admins are managed in a LDAP group managed by PMC chairs. Thus, if
> a PMC wants to add a new Hudson job admin, they manage this themselves
> without any need for Hudson admins to get in their way. A shell script
> on people.a.o, like the current one for PMC roster management, will be
> available. Hudson admins will not have access to manage this group.

Actually, I just set it up so that hudson admins can add users to this group.  Is this not
wanted?  PMC-Chairs will also have access.  I'll document the process separately as this list
isn't the place for that discussion.

> 
> Hudson web access will only be available over https, as we will now
> use the LDAP passwords.

With this in mind, please do not publicise the current URL, to anyone, as it is not over SSL.

Access is currently restricted to the hudson-admin group; once the site is on SSL I will allow
access for everyone again.

> 
> Current accounts will be migrated as part of setting up the new Hudson master.

How will this be done?  I presume you mean add all users to the hudson-jobadmin group? 

-- 
Cheers,
Tony

--------------------------------------------
Tony Stevenson

tony@pc-tony.com - pctony@apache.org
pctony@freenode.net - tony@caret.cam.ac.uk

http://blog.pc-tony.com

1024D/51047D66
--------------------------------------------
