From: Fernando Alcocer
Date: Tue, 21 Apr 2026 13:38:31 +0000 (-0600)
Subject: update Jenkins authorization strategy to use ProjectMatrixAuthorizationStrategy and...
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=refs%2Fpull%2F2569%2Fhead;p=ceph-build.git
update Jenkins authorization strategy to use ProjectMatrixAuthorizationStrategy and adjust oauth settings
---
diff --git a/ansible/roles/ansible-jenkins/tasks/auth.yml b/ansible/roles/ansible-jenkins/tasks/auth.yml
index fb2281ff..82012f65 100644
--- a/ansible/roles/ansible-jenkins/tasks/auth.yml
+++ b/ansible/roles/ansible-jenkins/tasks/auth.yml
@@ -4,9 +4,9 @@
 path: "{{ jenkins_lib }}/config.xml"
 register: jenkins_config_file
-- name: Check if github oauth is already enabled
- shell: "grep -q github-oauth {{ jenkins_lib }}/config.xml"
- register: github_oauth_enabled
+- name: Check if Matrix Auth is already enabled
+ shell: "grep -q ProjectMatrixAuthorizationStrategy {{ jenkins_lib }}/config.xml"
+ register: matrix_auth_enabled
 when: jenkins_config_file.stat.exists
 failed_when: false
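Review bot: With `failed_when: false` on the probe, `matrix_auth_enabled.rc` can be 2 (grep could not read config.xml) as well as 0 or 1, and the `when: ... matrix_auth_enabled.rc == 1` gate in the last hunk then skips the block silently, leaving whatever authorization settings were already on the controller. I would make the probe explicit with `failed_when: matrix_auth_enabled.rc not in [0, 1]` and add `changed_when: false` so the read-only check does not report a change on every run. Separately, a controller that already carries the old github-oauth block now yields rc 1 and receives the new block; whether the old strategy element is replaced or left beside the new one depends on the blockinfile markers, which are outside these hunks, so this is worth verifying on an existing host.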
@@ -30,29 +30,105 @@ path: "{{ jenkins_lib }}/config.xml" insertafter: ".*useSecurity.*" block: |2 - - - - - - - ktdreyer - alfredodeza - gregmeno - dmick - zmc - andrewschoen - djgalloway - ceph-jenkins - - true - false - false - true - false - true - true - + + GROUP:com.cloudbees.plugins.credentials.CredentialsProvider.Create:ceph*jenkins-admins + GROUP:com.cloudbees.plugins.credentials.CredentialsProvider.Delete:ceph*jenkins-admins + GROUP:com.cloudbees.plugins.credentials.CredentialsProvider.ManageDomains:ceph*jenkins-admins + GROUP:com.cloudbees.plugins.credentials.CredentialsProvider.Update:ceph*jenkins-admins + GROUP:com.cloudbees.plugins.credentials.CredentialsProvider.View:ceph*jenkins-admins + USER:com.cloudbees.plugins.credentials.CredentialsProvider.View:ceph-jenkins + GROUP:com.sonyericsson.jenkins.plugins.bfa.PluginImpl.RemoveCause:ceph*jenkins-admins + USER:com.sonyericsson.jenkins.plugins.bfa.PluginImpl.RemoveCause:ceph-jenkins + GROUP:com.sonyericsson.jenkins.plugins.bfa.PluginImpl.UpdateCauses:ceph*jenkins-admins + USER:com.sonyericsson.jenkins.plugins.bfa.PluginImpl.UpdateCauses:ceph-jenkins + GROUP:com.sonyericsson.jenkins.plugins.bfa.PluginImpl.ViewCauses:ceph*jenkins-admins + USER:com.sonyericsson.jenkins.plugins.bfa.PluginImpl.ViewCauses:ceph-jenkins + GROUP:hudson.model.Computer.Build:ceph*jenkins-admins + USER:hudson.model.Computer.Build:ceph-jenkins + GROUP:hudson.model.Computer.Configure:ceph*jenkins-admins + USER:hudson.model.Computer.Configure:ceph-jenkins + GROUP:hudson.model.Computer.Connect:ceph*jenkins-admins + GROUP:hudson.model.Computer.Connect:ceph*jenkins-ppc + GROUP:hudson.model.Computer.Connect:ceph*windows + USER:hudson.model.Computer.Connect:ceph-jenkins + GROUP:hudson.model.Computer.Create:ceph*jenkins-admins + GROUP:hudson.model.Computer.Create:ceph*jenkins-ppc + GROUP:hudson.model.Computer.Create:ceph*windows + USER:hudson.model.Computer.Create:ceph-jenkins + GROUP:hudson.model.Computer.Delete:ceph*jenkins-admins + 
USER:hudson.model.Computer.Delete:ceph-jenkins + GROUP:hudson.model.Computer.Disconnect:ceph*jenkins-admins + USER:hudson.model.Computer.Disconnect:ceph-jenkins + GROUP:hudson.model.Computer.Provision:ceph*jenkins-admins + USER:hudson.model.Computer.Provision:ceph-jenkins + GROUP:hudson.model.Hudson.Administer:ceph*jenkins-admins + GROUP:hudson.model.Hudson.Read:authenticated + GROUP:hudson.model.Hudson.Read:ceph*jenkins-admins + GROUP:hudson.model.Hudson.Read:ceph*jenkins-readwrite + USER:hudson.model.Hudson.Read:anonymous + USER:hudson.model.Hudson.Read:ceph-jenkins + GROUP:hudson.model.Item.Build:ceph*jenkins-admins + GROUP:hudson.model.Item.Build:ceph*jenkins-execute + GROUP:hudson.model.Item.Build:ceph*jenkins-readwrite + GROUP:hudson.model.Item.Build:ceph*windows + USER:hudson.model.Item.Build:ceph-jenkins + GROUP:hudson.model.Item.Cancel:ceph*jenkins-admins + GROUP:hudson.model.Item.Cancel:ceph*jenkins-execute + GROUP:hudson.model.Item.Cancel:ceph*jenkins-readwrite + GROUP:hudson.model.Item.Cancel:ceph*windows + USER:hudson.model.Item.Cancel:ceph-jenkins + GROUP:hudson.model.Item.Configure:ceph*jenkins-admins + GROUP:hudson.model.Item.Configure:ceph*jenkins-readwrite + GROUP:hudson.model.Item.Configure:ceph*windows + USER:hudson.model.Item.Configure:ceph-jenkins + GROUP:hudson.model.Item.Create:ceph*jenkins-admins + GROUP:hudson.model.Item.Create:ceph*jenkins-readwrite + USER:hudson.model.Item.Create:ceph-jenkins + GROUP:hudson.model.Item.Delete:ceph*jenkins-admins + USER:hudson.model.Item.Delete:ceph-jenkins + GROUP:hudson.model.Item.Discover:ceph*jenkins-admins + USER:hudson.model.Item.Discover:ceph-jenkins + GROUP:hudson.model.Item.Move:ceph*jenkins-admins + USER:hudson.model.Item.Move:ceph-jenkins + GROUP:hudson.model.Item.Read:authenticated + GROUP:hudson.model.Item.Read:ceph*jenkins-admins + GROUP:hudson.model.Item.Read:ceph*jenkins-execute + GROUP:hudson.model.Item.Read:ceph*jenkins-ppc + GROUP:hudson.model.Item.Read:ceph*jenkins-readwrite + 
GROUP:hudson.model.Item.Read:ceph*windows + USER:hudson.model.Item.Read:anonymous + USER:hudson.model.Item.Read:ceph-jenkins + GROUP:hudson.model.Item.Workspace:ceph*jenkins-admins + GROUP:hudson.model.Item.Workspace:ceph*jenkins-readwrite + USER:hudson.model.Item.Workspace:ceph-jenkins + GROUP:hudson.model.Run.Delete:ceph*jenkins-admins + USER:hudson.model.Run.Delete:ceph-jenkins + GROUP:hudson.model.Run.Replay:ceph*jenkins-admins + USER:hudson.model.Run.Replay:ceph-jenkins + GROUP:hudson.model.Run.Update:ceph*jenkins-admins + USER:hudson.model.Run.Update:ceph-jenkins + GROUP:hudson.model.View.Configure:ceph*jenkins-admins + GROUP:hudson.model.View.Create:ceph*jenkins-admins + GROUP:hudson.model.View.Delete:ceph*jenkins-admins + GROUP:hudson.model.View.Read:ceph*jenkins-admins + GROUP:hudson.scm.SCM.Tag:ceph*jenkins-admins + USER:hudson.scm.SCM.Tag:ceph-jenkins + GROUP:jenkins.metrics.api.Metrics.HealthCheck:ceph*jenkins-admins + USER:jenkins.metrics.api.Metrics.HealthCheck:ceph-jenkins + GROUP:jenkins.metrics.api.Metrics.ThreadDump:ceph*jenkins-admins + USER:jenkins.metrics.api.Metrics.ThreadDump:ceph-jenkins + GROUP:jenkins.metrics.api.Metrics.View:ceph*jenkins-admins + USER:jenkins.metrics.api.Metrics.View:ceph-jenkins + GROUP:org.jenkins.plugins.lockableresources.LockableResourcesManager.Queue:ceph*jenkins-admins + USER:org.jenkins.plugins.lockableresources.LockableResourcesManager.Queue:ceph-jenkins + GROUP:org.jenkins.plugins.lockableresources.LockableResourcesManager.Reserve:ceph*jenkins-admins + USER:org.jenkins.plugins.lockableresources.LockableResourcesManager.Reserve:ceph-jenkins + GROUP:org.jenkins.plugins.lockableresources.LockableResourcesManager.Steal:ceph*jenkins-admins + USER:org.jenkins.plugins.lockableresources.LockableResourcesManager.Steal:ceph-jenkins + GROUP:org.jenkins.plugins.lockableresources.LockableResourcesManager.Unlock:ceph*jenkins-admins + USER:org.jenkins.plugins.lockableresources.LockableResourcesManager.Unlock:ceph-jenkins + 
GROUP:org.jenkins.plugins.lockableresources.LockableResourcesManager.View:ceph*jenkins-admins + USER:org.jenkins.plugins.lockableresources.LockableResourcesManager.View:ceph-jenkins https://github.com @@ -61,7 +137,7 @@ {{ github_oauth_secret }} read:org,user:email - when: jenkins_config_file.stat.exists and github_oauth_enabled.rc == 1 + when: jenkins_config_file.stat.exists and matrix_auth_enabled.rc == 1 no_log: true notify: - restart jenkins
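Review bot: The new matrix gives `hudson.model.Item.Configure` to `ceph*jenkins-readwrite` and `ceph*windows` (and `Item.Create` to readwrite), and in Jenkins anyone who can configure a job can change its build steps, so those teams effectively get command execution on the agents and use of whatever credentials the jobs can reach. It also grants `USER:hudson.model.Hudson.Read:anonymous` and `USER:hudson.model.Item.Read:anonymous`, which makes every job readable without login. If both are intended, an XML comment at the top of the block would record it, e.g. `<!-- anonymous Overall/Read and Job/Read are deliberate; Job/Configure is limited to teams trusted to run code on agents -->`. The `ceph*team` entries presumably resolve through GitHub team membership, which needs the `read:org` scope that the next hunk's context lines still show, so that scope should not be dropped later. The enclosing task begins above this hunk.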