Provide read access to our ci.nodejs.org configs #972

Closed
gibfahn opened this issue Nov 3, 2017 · 15 comments

Comments

@gibfahn
Member

gibfahn commented Nov 3, 2017

Jenkins has a well-hidden option to enable read access to configure jobs, see this page.

Basically to enable you have to run Jenkins with:

java -Dhudson.security.ExtendedReadPermission=true -jar jenkins.war

and then a new option pops up in the security matrix.

I assume we'd want to enable it on a few jobs individually to make sure we're not giving anything away.

We could also do something like enabling it for all collaborators, or all of nodejs/build, or any combination.

Key question is: are there any jobs that have dangerous info in their configuration, and if so which ones.

@gibfahn
Member Author

gibfahn commented Nov 3, 2017

My preference would be for a gradual roll-out:

  1. Enable the flag on Jenkins, make sure nothing goes horribly wrong
  2. Enable it for all jobs for nodejs/build, leave that for a while and see if people notice secret things
  3. Expand to core collaborators
  4. Expand to other teams (like nodejs/automation)

Not sure we ever need to make it world visible.

@maclover7
Contributor

Interesting idea! Big +1 to gradual rollout... should probably start with build wg itself, then tsc, then collaborators, and then forward from there?

@rvagg
Member

rvagg commented Nov 4, 2017

re #419:

perhaps we could make a subset of nodejs/Collaborators for this kind of thing, nodejs/Collaborators is very broad and it might be best if we restrict it to just people that are interested enough in doing this kind of work; like a nodejs/jenkins-job-config or something that doesn't give full access? maybe we can talk about this at our next meeting.

I like enabling more read access but we should also look at the write access and how we deal with that. Can't bring GitHub-based pipeline builds soon enough to solve these problems.

@gibfahn
Member Author

gibfahn commented Nov 4, 2017

I think we should go with a policy of "all new jobs are stored in source control" (whether the whole pipeline or just the shell script parts).

+1 on the idea of expanding write access. Perhaps we could start by giving nodejs/build write access, it's a bit odd currently that you have to get admin access to get write access to jobs.

@gdams
Member

gdams commented Nov 5, 2017

SGTM

@rvagg
Member

rvagg commented Nov 6, 2017

Well .... It would be possible to store all the config.xml files in GitHub and allow them to be edited here and automatically pushed to Jenkins using the same mechanism that we use to update the website (and the bot I believe). But then we'd have to make it two-way so if you edit it in the interface then it gets pushed back here. Not impossible and it would certainly be nice to have our configs stored here. Editing them in XML wouldn't be pleasant though, that'd be the main drawback.

If you're going to open access to jobs, just do a quick look through them first to make sure we don't have any secrets stored in the scripts. I can't think of any off the top of my head but just in case! Also if you could confirm that you can't get access to any of the Jenkins secrets when you do this. Particularly the ssh keys that are available in dropdowns and the worker secret keys.

Also, we are probably going to have a separate SSH key to access node-private. This should not be selectable for any jobs that don't need it. If any Collab can select it from a dropdown in any job config then we're potentially exposing things we shouldn't.
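
A pre-check along the lines asked for above, as an added example that is not part of the thread or of the nodejs/build tooling: it scans one job `config.xml` for literal secrets in any element's text and lists the credential IDs the job references, so both can be reviewed before read access is widened. The regex patterns, the `credentialIds` list form and the sample config are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Heuristic patterns for secrets pasted into job configs (assumed, not exhaustive).
SECRET_PATTERNS = {
    "private key block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "inline credential assignment": re.compile(
        r"(?i)\b[\w-]*(?:password|passwd|secret|token|api[_-]?key)[\w-]*"
        r"\s*[=:]\s*['\"]?[^\s'\"$]{6,}"),  # literal value, not a $VARIABLE
    "credentials in URL": re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s:@$]+@"),
}

def audit_job_config(xml_text):
    """Return (findings, credential_ids); findings are (element, label, line).
    The matched value is left out so the report itself leaks nothing."""
    findings, cred_ids = [], set()
    for el in ET.fromstring(xml_text).iter():
        if el.tag == "credentialsId" and el.text:
            cred_ids.add(el.text.strip())      # e.g. credentials for a git remote
            continue
        if el.tag == "credentialIds":          # assumed list form: <string> children
            cred_ids.update(s.text.strip() for s in el if s.text)
            continue
        for lineno, line in enumerate((el.text or "").splitlines(), 1):
            for label, pattern in SECRET_PATTERNS.items():
                if pattern.search(line):
                    findings.append((el.tag, label, lineno))
    return findings, sorted(cred_ids)

# Constructed sample job config (not taken from ci.nodejs.org).
SAMPLE_CONFIG = """<project>
  <scm class="hudson.plugins.git.GitSCM"><userRemoteConfigs>
    <hudson.plugins.git.UserRemoteConfig>
      <url>git@github.com:example/private-repo.git</url>
      <credentialsId>constructed-ssh-key-id</credentialsId>
    </hudson.plugins.git.UserRemoteConfig>
  </userRemoteConfigs></scm>
  <builders><hudson.tasks.Shell><command>make test
curl -H "X-Token: $CI_TOKEN" https://ci.example.invalid/hook
export UPLOAD_PASSWORD=hunter2-constructed
</command></hudson.tasks.Shell></builders>
</project>"""

if __name__ == "__main__":
    findings, cred_ids = audit_job_config(SAMPLE_CONFIG)
    print("possible secrets:", findings)
    print("credential IDs referenced:", cred_ids)
```

The `$CI_TOKEN` reference is not flagged because it is a variable expansion rather than a literal value; only the hard-coded assignment on line 3 of the shell step is reported.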

@gibfahn
Member Author

gibfahn commented Nov 22, 2017

Update: @gdams enabled this on the adoptopenjdk Jenkins instance (see adoptium/infrastructure#40 (comment)) and it seems okay there.

@rvagg
Member

rvagg commented Dec 5, 2017

Looks good on OpenJDK, really it's just missing the buttons at the bottom (and I hope the backend support if you were to fake it!)

@mhdawson
Member

mhdawson commented Feb 6, 2018

Removing from build agenda. @gibfahn, can you define next steps and then add back if/when needed?

@refack
Contributor

refack commented Jun 16, 2018

I found two plugins that fit this:

  1. Extended Read Permission, allows us to enable read-only view to job configs
  2. SCM Sync configuration - automagically syncs the config directory with an SCM repo of our choosing

For (1) we just need to flip the switch in the auth matrix
For (2) someone with infra access (@rvagg ?) needs to init a git repository in /var/lib/jenkins/ and add/ignore the right files, and set up push access (AFAICT it's all at the local .git level)

@rvagg
Member

rvagg commented Jun 17, 2018

How about we try the read-only permissions for logged in users (maybe not anonymous?) and add that extended read permissions to expose more. Do you want to experiment with that @refack? I'm +1 on trying it out at least.

I guess the SCM sync thing would be helpful too, it'd certainly help us by providing us with a backup in case of catastrophic failure! I'm just not sure what the potential for secrets leakage is here so it might not be appropriate for sharing in a public repo?

@refack
Contributor

refack commented Jun 17, 2018

> How about we try the read-only permissions for logged in users (maybe not anonymous?) and add that extended read permissions to expose more. Do you want to experiment with that refack? I'm +1 on trying it out at least.

Done.

On that note, I figured out that if we disabled "Anonymous Users" access (like in ci-release) it forces Jenkins to refresh its auth cookie, eliminating the need to click "Log in".
Can we live with that — require an active GitHub login to access the public CI?

@mhdawson
Member

I think it's probably ok if you need a GitHub login.

@gibfahn
Member Author

gibfahn commented Jun 19, 2018

> Can we live with that — require an active GitHub login to access the public CI?

QoL improvement for everyone who uses ci.nodejs.org, 💯 on that.

@refack
Contributor

refack commented Jun 19, 2018

New baseline matrix:
image

and in XML form:
  <authorizationStrategy class="hudson.security.ProjectMatrixAuthorizationStrategy">
    <permission>com.cloudbees.plugins.credentials.CredentialsProvider.Create:nodejs*jenkins-admins</permission>
    <permission>com.cloudbees.plugins.credentials.CredentialsProvider.Delete:nodejs*jenkins-admins</permission>
    <permission>com.cloudbees.plugins.credentials.CredentialsProvider.ManageDomains:nodejs*jenkins-admins</permission>
    <permission>com.cloudbees.plugins.credentials.CredentialsProvider.Update:nodejs*jenkins-admins</permission>
    <permission>com.cloudbees.plugins.credentials.CredentialsProvider.View:nodejs*jenkins-admins</permission>
    <permission>hudson.model.Computer.Build:nodejs*build</permission>
    <permission>hudson.model.Computer.Build:nodejs*jenkins-admins</permission>
    <permission>hudson.model.Computer.Configure:nodejs*build</permission>
    <permission>hudson.model.Computer.Configure:nodejs*jenkins-admins</permission>
    <permission>hudson.model.Computer.Connect:nodejs*build</permission>
    <permission>hudson.model.Computer.Connect:nodejs*jenkins-admins</permission>
    <permission>hudson.model.Computer.Create:nodejs*build</permission>
    <permission>hudson.model.Computer.Create:nodejs*jenkins-admins</permission>
    <permission>hudson.model.Computer.Delete:nodejs*build</permission>
    <permission>hudson.model.Computer.Delete:nodejs*jenkins-admins</permission>
    <permission>hudson.model.Computer.Disconnect:nodejs*build</permission>
    <permission>hudson.model.Computer.Disconnect:nodejs*jenkins-admins</permission>
    <permission>hudson.model.Hudson.Administer:nodejs*jenkins-admins</permission>
    <permission>hudson.model.Hudson.Read:authenticated</permission>
    <permission>hudson.model.Hudson.Read:nodejs*build</permission>
    <permission>hudson.model.Hudson.Read:nodejs*Collaborators</permission>
    <permission>hudson.model.Hudson.Read:nodejs*jenkins-admins</permission>
    <permission>hudson.model.Hudson.Read:nodejs*node-chakracore</permission>
    <permission>hudson.model.Hudson.Read:nodejs*releasers</permission>
    <permission>hudson.model.Item.Build:nodejs*build</permission>
    <permission>hudson.model.Item.Build:nodejs*Collaborators</permission>
    <permission>hudson.model.Item.Build:nodejs*jenkins-admins</permission>
    <permission>hudson.model.Item.Build:nodejs*node-chakracore</permission>
    <permission>hudson.model.Item.Build:nodejs*releasers</permission>
    <permission>hudson.model.Item.Cancel:nodejs*build</permission>
    <permission>hudson.model.Item.Cancel:nodejs*Collaborators</permission>
    <permission>hudson.model.Item.Cancel:nodejs*jenkins-admins</permission>
    <permission>hudson.model.Item.Cancel:nodejs*node-chakracore</permission>
    <permission>hudson.model.Item.Cancel:nodejs*releasers</permission>
    <permission>hudson.model.Item.Configure:nodejs*jenkins-admins</permission>
    <permission>hudson.model.Item.Create:nodejs*jenkins-admins</permission>
    <permission>hudson.model.Item.Delete:nodejs*jenkins-admins</permission>
    <permission>hudson.model.Item.Discover:nodejs*build</permission>
    <permission>hudson.model.Item.Discover:nodejs*jenkins-admins</permission>
    <permission>hudson.model.Item.ExtendedRead:authenticated</permission>
    <permission>hudson.model.Item.ExtendedRead:nodejs*build</permission>
    <permission>hudson.model.Item.ExtendedRead:nodejs*Collaborators</permission>
    <permission>hudson.model.Item.ExtendedRead:nodejs*jenkins-admins</permission>
    <permission>hudson.model.Item.ExtendedRead:nodejs*node-chakracore</permission>
    <permission>hudson.model.Item.ExtendedRead:nodejs*releasers</permission>
    <permission>hudson.model.Item.Move:nodejs*jenkins-admins</permission>
    <permission>hudson.model.Item.Read:authenticated</permission>
    <permission>hudson.model.Item.Read:nodejs*build</permission>
    <permission>hudson.model.Item.Read:nodejs*Collaborators</permission>
    <permission>hudson.model.Item.Read:nodejs*jenkins-admins</permission>
    <permission>hudson.model.Item.Read:nodejs*node-chakracore</permission>
    <permission>hudson.model.Item.Read:nodejs*releasers</permission>
    <permission>hudson.model.Item.Workspace:nodejs*build</permission>
    <permission>hudson.model.Item.Workspace:nodejs*Collaborators</permission>
    <permission>hudson.model.Item.Workspace:nodejs*jenkins-admins</permission>
    <permission>hudson.model.Item.Workspace:nodejs*node-chakracore</permission>
    <permission>hudson.model.Item.Workspace:nodejs*releasers</permission>
    <permission>hudson.model.Run.Delete:nodejs*jenkins-admins</permission>
    <permission>hudson.model.Run.Replay:nodejs*jenkins-admins</permission>
    <permission>hudson.model.Run.Update:nodejs*jenkins-admins</permission>
    <permission>hudson.model.View.Configure:nodejs*build</permission>
    <permission>hudson.model.View.Configure:nodejs*jenkins-admins</permission>
    <permission>hudson.model.View.Create:nodejs*build</permission>
    <permission>hudson.model.View.Create:nodejs*jenkins-admins</permission>
    <permission>hudson.model.View.Delete:nodejs*build</permission>
    <permission>hudson.model.View.Delete:nodejs*jenkins-admins</permission>
    <permission>hudson.model.View.Read:authenticated</permission>
    <permission>hudson.model.View.Read:nodejs*build</permission>
    <permission>hudson.model.View.Read:nodejs*Collaborators</permission>
    <permission>hudson.model.View.Read:nodejs*jenkins-admins</permission>
    <permission>hudson.model.View.Read:nodejs*node-chakracore</permission>
    <permission>hudson.model.View.Read:nodejs*releasers</permission>
    <permission>hudson.scm.SCM.Tag:nodejs*jenkins-admins</permission>
  </authorizationStrategy>
  <securityRealm class="org.jenkinsci.plugins.GithubSecurityRealm">
    <githubWebUri>https://github.com</githubWebUri>
    <githubApiUri>https://api.github.com</githubApiUri>
    <clientID>█████████</clientID>
    <clientSecret>██████████████</clientSecret>
    <oauthScopes>read:org,user:email</oauthScopes>
  </securityRealm>
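
A way to keep a matrix like this from drifting once `ExtendedRead` is granted broadly, as an added example that is not part of the thread or of the project's tooling: it parses the `perm:principal` entries and reports any admin-only permission held by a non-admin principal, plus the principals that can read job configs without being able to change them. The admin-only list and the admin group default are an assumed policy; the sample is a short excerpt of the matrix above.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Permissions that should stay with admins when read access is opened (assumed policy).
ADMIN_ONLY_PREFIXES = (
    "com.cloudbees.plugins.credentials.CredentialsProvider.",
    "hudson.model.Hudson.Administer",
    "hudson.model.Item.Configure",
    "hudson.model.Item.Create",
    "hudson.model.Item.Delete",
    "hudson.model.Run.Replay",
)

def parse_matrix(xml_text):
    """Map principal -> set of permissions from <permission>perm:principal</permission>."""
    grants = defaultdict(set)
    for el in ET.fromstring(xml_text).iter("permission"):
        perm, _, principal = el.text.strip().partition(":")
        grants[principal].add(perm)
    return grants

def audit_matrix(xml_text, admins=frozenset({"nodejs*jenkins-admins"})):
    """Return (problems, read_only): admin-only grants held by non-admins, and
    principals with Item.ExtendedRead but without Item.Configure."""
    grants = parse_matrix(xml_text)
    problems = sorted((principal, perm)
                      for principal, perms in grants.items() if principal not in admins
                      for perm in perms if perm.startswith(ADMIN_ONLY_PREFIXES))
    read_only = sorted(p for p, perms in grants.items()
                       if "hudson.model.Item.ExtendedRead" in perms
                       and "hudson.model.Item.Configure" not in perms)
    return problems, read_only

# Excerpt of the baseline matrix posted above (entries copied from the page).
BASELINE_EXCERPT = """<authorizationStrategy class="hudson.security.ProjectMatrixAuthorizationStrategy">
  <permission>com.cloudbees.plugins.credentials.CredentialsProvider.View:nodejs*jenkins-admins</permission>
  <permission>hudson.model.Hudson.Administer:nodejs*jenkins-admins</permission>
  <permission>hudson.model.Item.Configure:nodejs*jenkins-admins</permission>
  <permission>hudson.model.Item.ExtendedRead:authenticated</permission>
  <permission>hudson.model.Item.ExtendedRead:nodejs*build</permission>
  <permission>hudson.model.Item.ExtendedRead:nodejs*jenkins-admins</permission>
  <permission>hudson.model.Item.Read:authenticated</permission>
</authorizationStrategy>"""

if __name__ == "__main__":
    problems, read_only = audit_matrix(BASELINE_EXCERPT)
    print("admin-only permissions held by non-admins:", problems)
    print("read-only config viewers:", read_only)
```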
