Potential accounts.jenkins.io replacement


Olivier Vernin

Jun 17, 2020, 9:40:03 AM
to Jenkins Infrastructure
Dear All,

I have been thinking about a possible solution to our recent issues with Jenkins account management, and one of them would be to replace accounts.jenkins.io with Keycloak.
It doesn't seem to be difficult to maintain, and all data is stored in an RDS database on AWS, so I wouldn't be too concerned about the risk of losing data.

Note, considering the number of services that rely on LDAP, I am not planning to remove it anytime soon.

Basically we have access to two interfaces: one for administrators (only available from the VPN) and a second one for users, which would replace accounts.jenkins.io.
It's the same workflow as before, and even better: it supports many different validation mechanisms, like validating your email address or having a password policy, etc.
We can easily manage users, etc.

We **could** use GitHub identities to log in to our systems, but it's not part of my testing at the moment.

I opened a pull request here, if you want to give some feedback.

For those people who have VPN access, you can test the workflow here using your Jenkins account or by creating a new one.
You'll notice that you will have to validate your email address; it's on purpose, as I prefer not to trust our LDAP database content.

Also, if some of you already have experience managing Keycloak servers, I would be glad to have a discussion to learn more about potential pitfalls.

The next step is to identify whether it scales easily and whether I can enable high availability.

It's an experimental project, so I cannot guarantee that I won't restart or delete the service in the coming days.


Best,

Tim Jacomb

Jun 17, 2020, 4:48:47 PM
to jenkin...@googlegroups.com
Hi Olivier / all

I've tried this out quite a bit.

Looks really promising!

I wrote a theme for it based on the login page in Jenkins core (only CSS changes done, so it doesn't quite look the same) and deployed it to the instance that Olivier created.

I linked the LDAP groups to Keycloak; easy to set up and all working fine.

Tried out the force password change option.

Enabled 2FA on my account (it will only work when OpenID Connect is used for login and not LDAP).

Enabled the HA option in the Helm chart.

It would be good to try out the GitHub social provider option.
Looks like there's an OpenID Connect plugin for Jira that we can get an open source license for:

And it looks possible with Artifactory as well:

But the GitHub option would probably be very easy to add on if we start using this anyway.

Thanks
Tim

--
You received this message because you are subscribed to the Google Groups "Jenkins Infrastructure" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkins-infr...@googlegroups.com.
To view this discussion on the web, visit https://groups.google.com/d/msgid/jenkins-infra/c8ed45b9-acb9-477b-8178-dd88d70deffao%40googlegroups.com.

Mark Waite

Jun 17, 2020, 10:11:48 PM
to jenkin...@googlegroups.com
That is a great user experience!

I logged in using my username and password and configured it to use two factor authentication with Google Authenticator on my Android phone. It felt as smooth and simple as any of the other two factor authentication systems that I've used.

I really like the theming that Tim provided.

Olblak

Jun 18, 2020, 8:36:25 AM
to 'Gavin Mogan' via Jenkins Infrastructure
Hi,

We made some progress regarding high availability, the theme, and the new public endpoint.
It's available at beta.accounts.jenkins.io if you want to give it a try; feel free to do so.
Note that the first time you log in, it will ask you to verify your email address.

We could easily add GitHub/Twitter as identity providers, which could be used to either create a new LDAP user (if they don't exist yet) or bind to an existing user, which would allow us to have a trusted mapping of Jenkins accounts to GitHub accounts.

At the moment, our current limitation is that all our services like Jira, Artifactory, Jenkins, etc. use LDAP directly, which means that social accounts won't be useful as long as those services haven't switched to Keycloak for authentication.

Note that if you register a new account from beta.account.jenkins.io, this is because at the moment our Jira doesn't synchronize users; instead, accounts.jenkins.io creates them.

So one of the next steps would be to update the Jira configuration.

Cheers,
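As an added illustration (not from the thread, and not the Jenkins infrastructure project's own configuration), here is a Keycloak realm import fragment that puts together the pieces discussed in the messages above: LDAP user federation with the group mapper Tim mentions, e-mail verification as a default required action (so LDAP e-mail content is not trusted, as Olivier describes), a TOTP policy that users can enable, an OpenID Connect client for Jira, and a GitHub identity provider that does not trust the provider's e-mail claim and so goes through the account-linking step Olblak describes. Every hostname, DN, client ID, redirect URI and vault key below is a placeholder I made up for the example; the `${vault.…}` expressions assume a Keycloak vault has been configured, and the Jira client secret must be replaced with a generated one.

```json
{
  "realm": "jenkins",
  "enabled": true,
  "sslRequired": "external",
  "registrationAllowed": true,
  "verifyEmail": true,
  "resetPasswordAllowed": true,
  "bruteForceProtected": true,
  "passwordPolicy": "length(12) and notUsername and passwordHistory(3)",
  "otpPolicyType": "totp",
  "otpPolicyAlgorithm": "HmacSHA1",
  "otpPolicyDigits": 6,
  "otpPolicyPeriod": 30,
  "requiredActions": [
    { "alias": "VERIFY_EMAIL",    "name": "Verify Email",    "providerId": "VERIFY_EMAIL",    "enabled": true, "defaultAction": true,  "priority": 10 },
    { "alias": "UPDATE_PASSWORD", "name": "Update Password", "providerId": "UPDATE_PASSWORD", "enabled": true, "defaultAction": false, "priority": 20 },
    { "alias": "CONFIGURE_TOTP",  "name": "Configure OTP",   "providerId": "CONFIGURE_TOTP",  "enabled": true, "defaultAction": false, "priority": 30 }
  ],
  "components": {
    "org.keycloak.storage.UserStorageProvider": [
      {
        "name": "jenkins-ldap",
        "providerId": "ldap",
        "config": {
          "enabled": ["true"],
          "editMode": ["WRITABLE"],
          "syncRegistrations": ["true"],
          "importEnabled": ["true"],
          "vendor": ["other"],
          "connectionUrl": ["ldaps://ldap.example.org:636"],
          "useTruststoreSpi": ["ldapsOnly"],
          "authType": ["simple"],
          "bindDn": ["cn=keycloak,ou=services,dc=example,dc=org"],
          "bindCredential": ["${vault.ldap_bind_password}"],
          "usersDn": ["ou=people,dc=example,dc=org"],
          "userObjectClasses": ["inetOrgPerson, organizationalPerson"],
          "usernameLDAPAttribute": ["uid"],
          "rdnLDAPAttribute": ["uid"],
          "uuidLDAPAttribute": ["entryUUID"],
          "trustEmail": ["false"]
        },
        "subComponents": {
          "org.keycloak.storage.ldap.mappers.LDAPStorageMapper": [
            {
              "name": "ldap-groups",
              "providerId": "group-ldap-mapper",
              "config": {
                "groups.dn": ["ou=groups,dc=example,dc=org"],
                "group.name.ldap.attribute": ["cn"],
                "group.object.classes": ["groupOfNames"],
                "membership.ldap.attribute": ["member"],
                "membership.attribute.type": ["DN"],
                "membership.user.ldap.attribute": ["uid"],
                "mode": ["READ_ONLY"]
              }
            }
          ]
        }
      }
    ]
  },
  "clients": [
    {
      "clientId": "jira",
      "protocol": "openid-connect",
      "enabled": true,
      "publicClient": false,
      "clientAuthenticatorType": "client-secret",
      "secret": "REPLACE-WITH-GENERATED-SECRET",
      "standardFlowEnabled": true,
      "implicitFlowEnabled": false,
      "directAccessGrantsEnabled": false,
      "serviceAccountsEnabled": false,
      "redirectUris": ["https://jira.example.org/plugins/servlet/oidc/callback"],
      "webOrigins": []
    }
  ],
  "identityProviders": [
    {
      "alias": "github",
      "providerId": "github",
      "enabled": true,
      "trustEmail": false,
      "storeToken": false,
      "firstBrokerLoginFlowAlias": "first broker login",
      "config": {
        "clientId": "GITHUB-OAUTH-APP-CLIENT-ID",
        "clientSecret": "${vault.github_client_secret}",
        "defaultScope": "user:email",
        "syncMode": "IMPORT"
      }
    }
  ]
}
```

Two practical points follow from this layout. First, the OTP policy and the `CONFIGURE_TOTP` action only apply to logins that pass through Keycloak's browser flow (the `jira` OIDC client here); a service that still binds to `ldaps://ldap.example.org` directly, as the thread says Jira, Artifactory and Jenkins did at the time, is authenticated by LDAP with a password alone and never sees the second factor, which is the limitation Tim notes. Second, `trustEmail: false` on both the LDAP provider and the GitHub provider, together with `verifyEmail: true`, means a GitHub login whose e-mail matches an existing LDAP user is linked only after that user proves control of the mailbox through the first-broker-login flow, rather than on the strength of the claim alone. Restricting the admin console to the VPN is not expressed in realm JSON; that is done in front of Keycloak at the proxy or ingress.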

Radek Antoniuk

Jun 18, 2020, 9:46:46 AM
to Jenkins Infrastructure
Just tested the flows for reset password and OTP on iPhone; all went easy and smooth.
I'll keep watching the thread for SSO enabling for JIRA and Artifactory.

Great work guys.

Cheers,
Radek

Tim Jacomb

Jun 18, 2020, 9:51:43 AM
to jenkin...@googlegroups.com
If we go with Keycloak, can the Linux Foundation still manage Jira?

As it would be great to not have to manage that anymore.

I've tested enabling SSO with jira and it worked.
There's a guide for doing it with Artifactory as well, so I assume that will work fine too.

Thanks
Tim


Olivier Vernin

Jun 23, 2020, 6:00:16 AM
to Jenkins Infrastructure
I started a new discussion in a separate thread to discuss specifically the LF infrastructure in order to have it as visible as possible.