puppet-jenkins
Worked Example using security
I'm not sure if this is an issue/bug or just me, but does anyone have a worked example of how to configure Jenkins with security enabled?
The documentation is unfortunately a bit sparse, but I've got as far as the following:
class { 'jenkins':
  configure_firewall => true,
  cli_ssh_keyfile    => 'jenkins-cli.key',
}
jenkins::user { 'cli':
  email      => '[email protected]',
  password   => 'blah',
  public_key => 'ssh-rsa......$',
}
class { 'jenkins::security':
  security_model => 'full_control',
}
This fails with: hudson.security.AccessDeniedException2: anonymous is missing the Overall/RunScripts permission, I think because it tries to enable security before creating the user. Putting dependency arrows (->) between each stage then fails with:
Error: Could not apply complete catalog: Found 1 dependency cycle:
(Anchor[jenkins::end] => Class[Jenkins] => Jenkins::User[cli] => Jenkins::Cli::Exec[create-jenkins-user-cli] => Exec[create-jenkins-user-cli] => Jenkins::Cli::Exec[create-jenkins-user-cli] => Anchor[jenkins::end])
Could anyone provide advice on how I am supposed to do this?! Or am I doing it correctly, and there is a bug somewhere?
@markvr There is an unfortunate "chicken vs. egg" problem with managing security due to the semantics of the CLI jar. The "experimental" types and providers are intended to resolve that problem and may be worth a look:
https://github.com/jenkinsci/puppet-jenkins/blob/master/NATIVE_TYPES_AND_PROVIDERS.md
Thanks for the reply - I'm a bit confused though, do most people just run Jenkins without security enabled then? Unfortunately although I'm happy to play around with the new types, I'm reluctant to rely on anything labelled "experimental" to manage production systems!
@markvr The experimental types are the proposed fix to this solution. They are what I am using to manage jenkins without this problem. See my puppetconf for a discussion of the issue: https://www.youtube.com/watch?v=lxRQBjtps5Q
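Since a Puppet run that aborts part-way can leave the controller in either state, here is a small audit of Jenkins' `config.xml` that reports whether security actually ended up enabled. It is an added example, not part of the thread or of the puppet-jenkins module; it assumes `full_control` is stored as Jenkins' `FullControlOnceLoggedInAuthorizationStrategy`, and both sample documents are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Class names Jenkins writes to config.xml when security is off.
UNSECURED = "hudson.security.AuthorizationStrategy$Unsecured"
NO_REALM = "hudson.security.SecurityRealm$None"

def _is_true(node, tag):
    return node is not None and (node.findtext(tag) or "").strip().lower() == "true"

def audit_config(xml_text):
    """Return findings for a Jenkins config.xml; an empty list means security is on."""
    # Jenkins declares XML 1.1, which Python's expat-based parser does not accept,
    # so drop the declaration before parsing.
    root = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text, count=1))
    findings = []
    if not _is_true(root, "useSecurity"):
        findings.append("useSecurity is not true")
    strategy = root.find("authorizationStrategy")
    cls = strategy.get("class", "") if strategy is not None else ""
    if cls in ("", UNSECURED):
        findings.append("authorization strategy is unsecured")
    elif cls.endswith("FullControlOnceLoggedInAuthorizationStrategy"):
        # Logged-in users get full control; anonymous users may still read
        # unless this flag is set.
        if not _is_true(strategy, "denyAnonymousReadAccess"):
            findings.append("anonymous read access is allowed")
    realm = root.find("securityRealm")
    if realm is None or realm.get("class", "") in ("", NO_REALM):
        findings.append("no security realm configured")
    return findings

# Constructed samples, not taken from a real controller.
UNSECURED_SAMPLE = """<?xml version='1.1' encoding='UTF-8'?>
<hudson>
  <useSecurity>false</useSecurity>
  <authorizationStrategy class="hudson.security.AuthorizationStrategy$Unsecured"/>
  <securityRealm class="hudson.security.SecurityRealm$None"/>
</hudson>"""
SECURED_SAMPLE = """<?xml version='1.1' encoding='UTF-8'?>
<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
    <denyAnonymousReadAccess>true</denyAnonymousReadAccess>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm"/>
</hudson>"""

if __name__ == "__main__":
    for name, doc in (("unsecured", UNSECURED_SAMPLE), ("secured", SECURED_SAMPLE)):
        print(name, audit_config(doc) or "OK")
```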