rtyler
/
repository-permissions-updater
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
Artifactory permissions synchronization tool and data set
505 Commits 2 Branches 0 Tags 728 KiB
Groovy 100%
Go to file
devsquash f25e250169 requesting access for squashtm-publisher-plugin (#412) 
* requesting artifactory access for squashtm-publisher-plugin

* removing an extraneous commiter

* setting the correct artifact id
 		2017-08-30 09:33:23 -07:00
.github Update PULL_REQUEST_TEMPLATE.md 2017-06-02 00:07:36 +02:00
doc Better sample file 2016-08-22 20:41:35 +02:00
permissions requesting access for squashtm-publisher-plugin (#412) 2017-08-30 09:33:23 -07:00
src Add essential support for dry run mode 2017-06-22 09:44:55 +02:00
.gitignore Initial commit 2016-08-19 00:17:15 +02:00
Jenkinsfile Bail out early during pull request builds 2016-11-09 12:42:43 -08:00
README.md Added permission for aws-sqs-plugin. (#49) 2016-09-21 04:18:37 +02:00
pom.xml Add/fix pom.xml repository references 2016-08-19 15:21:42 +02:00

README.md

Repository Permissions Updater

About

The Jenkins project hosts Maven artifacts such as core and plugin releases on Artifactory.

Its permissions system is independent of GitHub's, and we limit which users (identified by the Jenkins LDAP account, same as wiki and JIRA) are allowed to upload which artifacts.

This repository contains both the definitions for Artifactory upload permissions in YAML format, as well as the tool that synchronizes them to Artifactory.

Note: These permissions are specifically for uploading artifacts to the Jenkins project's Maven repository. It is independent of GitHub repository permissions. You may have one without the other. Typically, you'll either have both, or just the GitHub repository access.

Requesting Permissions

Prerequisite: You need to have logged in once to Artifactory with your Jenkins community account before you can be added to a permissions target.

To request upload permissions to an artifact (typically a plugin), file a PR editing the appropriate YAML file, and provide a reference that shows you have commit permissions, or have an existing committer to the plugin comment on your PR, approving it.

Managing Permissions

The directory permissions/ contains a set of files, one per plugin or artifact, that define the permissions for the respective artifacts. Files typically have a component, plugin, or pom prefix for organization purposes:

  • plugin is used for Jenkins plugins.
  • pom is used for parent POMs and everything else consisting of just a POM file.
  • component is used for everything else, usually libraries.

These prefixes, like the rest of the file name, have no semantic meaning and just help in organizing these files.

Each file contains the following in YAML format:

  • A name (typically mirrored in the file name), this is also the artifactId of the Maven artifact.
  • A set of paths, usually just one. These correspond to the full Maven coordinates (groupId and artifactId) used for the artifact. Since Jenkins plugins can change group IDs and are still considered the same artifact, multiple entries are possible.
  • A set of user names (Jenkins community user accounts in LDAP, the same as used for wiki and JIRA) allowed to upload this artifact to Artifactory. This set can be empty, which means nobody is currently allowed to upload the plugin in question (except Artifactory admins). This can happen for plugins that haven't seen releases in several years, or permission cleanups.

Example file:

  • Red (lines 2 and 4): artifactId
  • Green (line 4): groupId (with slashes replacing periods)
  • Blue (line 6): Jenkins community account user name

Adding a new plugin

Create a new YAML file similar to existing files.

Adding a new uploader to an existing plugin

Edit the developers list in the YAML file for the plugin.

Deprecating a plugin

Remove the YAML file. The next synchronization will remove permissions for the plugin.

Renaming a plugin

Rename and edit the existing permissions file, changing both name and the last path component.

Changing a plugin's groupId

Change the paths to match the new Maven coordinates, or, if further uploads for the old coordinates are expected, add a new list entry.

Usage

To see how to run this tool to synchronize Artifactory permission targets with the definitions in this repository, see Jenkinsfile.

It expects the following System properties to be set:

  • definitionsDir - Path to directory containing permission definitions YAML files
  • artifactoryApiTempDir - Path to directory (that will be created) where this tool stores Artifactory permissions API JSON payloads.

It expected the following environment variables to be set:

  • ARTIFACTORY_USERNAME - Admin user name for Artifactory
  • ARTIFACTORY_PASSWORD - Corresponding admin password (or API key) for Artifactory admin user

How It Works

The tool runs three steps in sequence:

  1. Generate JSON payloads from YAML permission definition files.
  2. Submit generated JSON payloads to Artifactory.
  3. Remove all generated permission targets in Artifactory that have no corresponding generated JSON payload file.