puppet-jenkins

Worked Example using security

Open markvr opened this issue 9 years ago • 3 comments

I'm not sure if this is an issue/bug or just me, but does anyone have a worked example of how to configure Jenkins with security enabled?

The documentation is unfortunately a bit sparse, but I've got as far as the following:

class{ 'jenkins':
  configure_firewall => true,
  cli_ssh_keyfile => 'jenkins-cli.key',
}

jenkins::user {'cli':
  email => '[email protected]',
  password => 'blah',
  public_key => 'ssh-rsa......$'
}

class {'jenkins::security':
  security_model => 'full_control'
}

This fails with: hudson.security.AccessDeniedException2: anonymous is missing the Overall/RunScripts permission, I think because it tries to enable security before creating the user. Putting dependency arrows (->) between each stage then fails with:

Error: Could not apply complete catalog: Found 1 dependency cycle:
(Anchor[jenkins::end] => Class[Jenkins] => Jenkins::User[cli] => Jenkins::Cli::Exec[create-jenkins-user-cli] => Exec[create-jenkins-user-cli] => Jenkins::Cli::Exec[create-jenkins-user-cli] => Anchor[jenkins::end])

Could anyone provide advice on how I am supposed to do this?! Or am I doing it correctly, and there is a bug somewhere?

markvr, Jan 14 '16 09:01

@markvr There is an unfortunate "chicken vs. egg" problem with managing security due to the semantics of the CLI jar. The "experimental" types and providers are intended to resolve that problem and may be worth a look:

https://github.com/jenkinsci/puppet-jenkins/blob/master/NATIVE_TYPES_AND_PROVIDERS.md

jhoblitt, Jan 14 '16 15:01

Thanks for the reply - I'm a bit confused though, do most people just run Jenkins without security enabled then? Unfortunately, although I'm happy to play around with the new types, I'm reluctant to rely on anything labelled "experimental" to manage production systems!

markvr, Jan 14 '16 16:01

@markvr The experimental types are the proposed fix to this solution. They are what I am using to manage Jenkins without this problem. See my PuppetConf for a discussion of the issue: https://www.youtube.com/watch?v=lxRQBjtps5Q

jhoblitt, Feb 08 '16 17:02
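Because a partially applied run like the one in this thread can leave Jenkins in either state, the following added example (not code from puppet-jenkins or from the posters) audits Jenkins' global config.xml to confirm that security is actually enforced. It assumes the usual `useSecurity`, `authorizationStrategy` and `securityRealm` elements of that file; the two sample documents are constructed, and `audit_security` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Constructed sample config.xml documents (not taken from the thread).
UNSECURED = """<hudson>
  <useSecurity>false</useSecurity>
  <authorizationStrategy class="hudson.security.AuthorizationStrategy$Unsecured"/>
  <securityRealm class="hudson.security.SecurityRealm$None"/>
</hudson>"""

FULL_CONTROL = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy"/>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>true</disableSignup>
  </securityRealm>
</hudson>"""


def audit_security(config_xml):
    """Return a list of findings; an empty list means security is enforced."""
    root = ET.fromstring(config_xml)
    findings = []

    # Assumption: when the element is present it must be "true"; a missing
    # element is not flagged, the strategy and realm checks decide instead.
    use_security = root.findtext("useSecurity")
    if use_security is not None and use_security.strip().lower() != "true":
        findings.append("useSecurity is not true")

    strategy = root.find("authorizationStrategy")
    strategy_class = strategy.get("class", "") if strategy is not None else ""
    if not strategy_class or strategy_class.endswith("$Unsecured"):
        findings.append("authorization strategy gives anonymous full control")

    realm = root.find("securityRealm")
    realm_class = realm.get("class", "") if realm is not None else ""
    if not realm_class or realm_class.endswith("$None"):
        findings.append("no security realm configured")
    elif realm_class.endswith("HudsonPrivateSecurityRealm"):
        # Jenkins' own user database: anyone can create an account
        # unless signup is disabled.
        if (realm.findtext("disableSignup") or "").strip().lower() != "true":
            findings.append("self-service signup is enabled")
    return findings


if __name__ == "__main__":
    for name, doc in (("unsecured", UNSECURED), ("full_control", FULL_CONTROL)):
        print(name, audit_security(doc) or "OK")
```

In practice the function would be fed the contents of config.xml from the Jenkins home directory after each Puppet run, with a non-empty result treated as a failed deployment.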