[Gluster-devel] Jenkins accounts for all devs.

Michael Scherer mscherer at redhat.com
Fri Jan 22 11:49:28 UTC 2016


Le vendredi 22 janvier 2016 à 11:31 +0100, Niels de Vos a écrit :
> On Fri, Jan 22, 2016 at 02:44:05PM +0530, Raghavendra Talur wrote:
> > On Fri, Jan 22, 2016 at 2:41 PM, Michael Scherer <mscherer at redhat.com>
> > wrote:
> > 
> > > Le vendredi 22 janvier 2016 à 11:31 +0530, Ravishankar N a écrit :
> > > > On 01/14/2016 12:16 PM, Kaushal M wrote:
> > > > > On Thu, Jan 14, 2016 at 10:33 AM, Raghavendra Talur <rtalur at redhat.com>
> > > wrote:
> > > > >>
> > > > >> On Thu, Jan 14, 2016 at 10:32 AM, Ravishankar N <
> > > ravishankar at redhat.com>
> > > > >> wrote:
> > > > >>> On 01/08/2016 12:03 PM, Raghavendra Talur wrote:
> > > > >>>> P.S: Stop using the "universal" jenkins account to trigger jenkins
> > > build
> > > > >>>> if you are not a maintainer.
> > > > >>>> If you are a maintainer and don't have your own jenkins account
> > > then get
> > > > >>>> one soon!
> > > > >>>>
> > > > >>> I would request for a jenkins account for non-maintainers too, at
> > > least
> > > > >>> for the devs who are actively contributing code (as opposed to random
> > > > >>> one-off commits from persons). That way, if the regression failure is
> > > > >>> *definitely* not in my patch (or) is a spurious failure (or) is
> > > something
> > > > >>> that I need to take a netbsd slave offline to debug etc.,  I don't
> > > have to
> > > > >>> be blocked on the Maintainer. Since the accounts are anyway tied to
> > > an
> > > > >>> individual, it should be easy to spot if someone habitually
> > > re-trigger
> > > > >>> regressions without any initial debugging.
> > > > >>>
> > > > >> +1
> > > > > We'd like to give everyone accounts. But the way we're providing
> > > > > accounts now gives admin accounts to all. This is not very secure.
> > > > >
> > > > > This was one of the reasons misc setup freeipa.gluster.org, to provide
> > > > > controlled accounts for all. But it hasn't been used yet. We would
> > > > > need to integrate jenkins and the slaves with freeipa, which would
> > > > > give everyone easy access.
> > > >
> > > > Hi Michael,
> > > > Do you think it is possible to have this integration soon so that all
> > > > contributors can re-trigger/initiate builds by themselves?
> > >
> > > The thing that is missing is still the same, how do we consider that
> > > someone is a contributor. IE, do we want people just say "add me" and
> > > get root access to all our jenkins builder (because that's also what go
> > > with jenkins way of restarting a build for now) ?
> 
> Contributors would need to get root permissions on the Jenkins slaves
> (the machines that do the actual building/testing). 

I rather prefer to not have people have root access on the builder.

1) they are used to build the rpms we distribute
2) root access also mean that some people might just do a quick fix to
make some tests pass instead of making a proper long term fix where it
is needed.

>  There is no need
> for root access on the Jenkins master (build.gluster.org). Because
> Jenkins accounts are connected to the PAM cofiguration on
> build.gluster.org, contributors would get an account there (does not
> need to have a shell?).

This is something that can be fixed by using LDAP. 

> > > I did the technical stuff, but so far, no one did the organisational
> > > part of giving a criteria for who has access to what. Without clear
> > > process, I can't do much.
> > >
> > 
> > 
> > +ndevos +vijay
> > 
> > Something like "should have contributed 10 patches to Gluster and be
> > supported by at least 1 maintainer" would do?
> 
> Works for me. Please send a new page with a description on what
> requirements a (new) contributor needs to fullfill, what privileges are
> given and a little on when/how to use those.
> 
>   http://gluster.readthedocs.org/en/latest/Contributors-Guide/Index/

Also, we expect people to request that access, or someone is in charge
of picking them ?

Also, do we have a formal list of maintainers ? And a process for
becoming one ?
-- 
Michael Scherer
Sysadmin, Community Infrastructure and Platform, OSAS


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL: <http://www.gluster.org/pipermail/gluster-devel/attachments/20160122/cdbdac70/attachment.sig>


More information about the Gluster-devel mailing list