Company plugins in Jenkins org


jn...@cloudbees.com

Oct 21, 2021, 7:47:24 AM
to Jenkins Developers
Hi all,

CloudBees has a number of plugins in the jenkins-ci organisation that we are maintainers of.

Currently when our internal teams change we need to modify multiple GitHub repo settings and associated permissions RPU. This is cumbersome (and error-prone) for us, and for the reviewers of the RPU PRs.

I would like to propose (and ask for) a "CloudBees plugin developers" group in the jenkinsci org that we can add CloudBees developers to and then grant permissions to on the plugins that we maintain. This will allow us to just modify a single GitHub group and have the permissions updated in all our plugins.

Additionally to make RPU easier, we are planning to add support for groups of users so that we would just need to modify a single "group definition file" to update permissions in artifactory.

This approach would then also be available to other companies with multiple plugins in the future.

WDYT?

/James

Olblak

Oct 21, 2021, 7:56:14 AM
to Jenkins Developers
While I don't know yet how it would work with our existing tooling, I am in favor of that approach and that would also be useful for other companies as well.

Daniel Beck

Oct 21, 2021, 7:58:36 AM
to JenkinsCI Developers
On Thu, Oct 21, 2021 at 1:47 PM 'jn...@cloudbees.com' via Jenkins Developers <jenkin...@googlegroups.com> wrote:
Additionally to make RPU easier, we are planning to add support for groups of users so that we would just need to modify a single "group definition file" to update permissions in artifactory.

Sounds great. I would put the permissions declarations in RPU itself though, to make this just a layer of abstraction on top of the current definitions.

Another use case, while RPU has purely artifact-based configuration (something I've wanted to change for a while but haven't found the time), would be multimodule projects deploying multiple artifacts. You don't need to be a company maintaining multiple plugins to have trouble with permissions.

Baptiste Mathus

Oct 21, 2021, 9:47:53 AM
to Jenkins Developers
On Thu, Oct 21, 2021 at 1:58 PM, 'Daniel Beck' via Jenkins Developers <jenkin...@googlegroups.com> wrote:


On Thu, Oct 21, 2021 at 1:47 PM 'jn...@cloudbees.com' via Jenkins Developers <jenkin...@googlegroups.com> wrote:
Additionally to make RPU easier, we are planning to add support for groups of users so that we would just need to modify a single "group definition file" to update permissions in artifactory.

Sounds great. I would put the permissions declarations in RPU itself though, to make this just a layer of abstraction on top of the current definitions.

Care to elaborate what you mean and how that would work? IIUC, what you're describing would quite entail refactoring all existing "xyz-plugin developer" groups on GitHub side? 
And as you know we currently have close to no notion of github on RPU side, like the names there are only artifactory's ones. 
 

Another use case, while RPU has purely artifact-based configuration (something I've wanted to change for a while but haven't found the time), would be multimodule projects deploying multiple artifacts. You don't need to be a company maintaining multiple plugins to have trouble with permissions.

Do you mean we should improve RPU to better manage multi-modules? In that case, I don't disagree, but I think we should put it in a separate bucket so we can improve the situation iteratively.
I think what James describes can be done in a very quick way (still clean), and what you describe here seems bigger.

Still, I certainly agree it makes sense to define the full & final "desired state" we want to be in. I _think_ this is what you're talking about Daniel.

--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-de...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CAMo7PtLX-wWQXYaX6RAR2DWXzU-_ABEHBNDF%3D7Tu8zNCbWYJKw%40mail.gmail.com.

Tim Jacomb

Oct 21, 2021, 10:27:51 AM
to Jenkins Developers
Sounds good, could probably have one for the Jenkins core team too in RPU.

Daniel Beck

Oct 21, 2021, 1:12:16 PM
to JenkinsCI Developers
On Thu, Oct 21, 2021 at 3:47 PM Baptiste Mathus <m...@batmat.net> wrote:
Care to elaborate what you mean and how that would work? IIUC, what you're describing would quite entail refactoring all existing "xyz-plugin developer" groups on GitHub side? 
And as you know we currently have close to no notion of github on RPU side, like the names there are only artifactory's ones. 

Yup, these realms are independent so unless you find a way to have a tamper-proof bi-directional mapping, there's no need to worry about GH permissions while dealing with upload permissions. Note that I only responded to the part around RPU.
 
 Do you mean we should improve RPU to better manage multi-modules? In that case, I don't disagree, but I think we should put it in a separate bucket so we can improve the situation iteratively.
I think what James describes can be done in a very quick way (still clean), and what you describe here seems bigger.

I am just pointing out that the use case goes beyond multiple plugins maintained by the same group, and this change can also benefit others while the mentioned limitation exists.

Baptiste Mathus

Oct 27, 2021, 5:42:44 AM
to Jenkins Developers
Hi all,

FYI I've created this epic to track this: https://issues.jenkins.io/browse/INFRA-3111.

I plan to manually do the creation of a GitHub team for CloudBees developers in the next hour or so if nobody objects. AFAICT from the discussion above, we have an agreement that it makes sense and is acceptable.
I will name it "company-cloudbees-developers" so one can easily find all companies in the teams, using typically https://github.com/orgs/jenkinsci/teams?query=company-
   
For the RPU part, I've created https://issues.jenkins.io/browse/INFRA-3113 to describe what we'd want to have. 
We (cloudbees team) plan to look into implementing this soon. Given this sounds reasonably simple, I think it can be done some time in November 2021.
Any review on this enhancement proposal is welcome :-).

Last, and important, thing: this feature is not only for CloudBees. The point is that any company/team willing to do this is welcome to ask.

Cheers



Tim Jacomb

Oct 27, 2021, 5:51:00 AM
to jenkin...@googlegroups.com
Sounds fine, not 100% sure company needs to be at the start but we can also rationalise it later if we get more.

Baptiste Mathus

Oct 27, 2021, 5:58:51 AM
to Jenkins Developers
Thanks Tim for the confirmation. 

Yeah, not 100% sure of the naming either.
But yep, given at this point it's only one + this part is manual, that's not a big deal yet.

jn...@cloudbees.com

Oct 27, 2021, 7:18:08 AM
to Jenkins Developers

Hi all,

So thanks Baptiste for creating the team which I now have maintainership of so can add users.

One issue I have is that users that are not currently a member of the jenkinsci organisation cannot be added to the team.

I guess normally adding a user to a plugin group via IRC would also invite them to the org, but as this is to be used outside of a plugin group not sure what we should be doing?

irc-bot has `jenkins-admin: Make USER a maintainer on TEAM` but we do not want all members to be maintainers of the team.

So my question is what would be the best course of action here, or how would we best onboard users into the jenkinsci org?

I am open to extending irc-bot with a command like `jenkins-admin: invite user to the organisation` or `jenkins-admin: Make USER a member on TEAM` if that helps at all.

/James

Tim Jacomb

Oct 27, 2021, 12:28:10 PM
to Jenkins Developers
I think just for now add a command to the irc bot to invite the user to the org.

Make user a maintainer on team doesn't work unless the user is part of the org anyway...

Daniel Beck

Oct 28, 2021, 3:57:37 AM
to jenkin...@googlegroups.com
On Wed, Oct 27, 2021 at 1:18 PM 'jn...@cloudbees.com' via Jenkins Developers <jenkin...@googlegroups.com> wrote:

I am open to extending irc-bot with a command like `jenkins-admin: invite user to the organisation` or `jenkins-admin: Make USER a member on TEAM` if that helps at all.

Would be useful; we've done that manually in the past to facilitate code review requests. 

Baptiste Mathus

Nov 1, 2021, 5:55:06 PM
to Jenkins Developers
Just implemented the RPU teams part. Open for feedback https://github.com/jenkins-infra/repository-permissions-updater/pull/2154

On Wed, Oct 27, 2021 at 11:50 AM, Tim Jacomb <timja...@gmail.com> wrote: