canonical-ci-engineering team mailing list archive

Thread
Date

User authentication for CI Lab Jenkins instances

To: canonical-ci-engineering <canonical-ci-engineering@xxxxxxxxxxxxxxxxxxx>, ubuntu-qa@xxxxxxxxxxxxxxxxxxx, ubuntu-engineering@xxxxxxxxxxxxxxxxxxx, canonical-ci-engineering-notifications@xxxxxxxxxxxxxxxxxxx
From: Larry Works <larry.works@xxxxxxxxxxxxx>
Date: Mon, 14 Apr 2014 10:08:54 -0400
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0

Greetings all,

The CI team will be migrating the various Jenkins servers within the CI
Lab from the built-in Jenkins user database to OpenID/SSO for all user
authentication. The jenkins instances that will be affected are:
    http://d-jenkins.ubuntu-ci:8080
         Testing Affected: auto package testing, upgrade testing, kernel SRU
                           MaaS QA testing, UTAH testing, DKMS
    http://m-jenkins.ubuntu-ci:8080
         Testing Affected: MIR benchmarking, openarena benchmarking
    http://q-jenkins.ubuntu-ci:8080
         Testing Affected: touch smole testing, daily release, kernel SRU,
                           bootspeed
    http://s-jenkins.ubuntu-ci:8080
         Testing Affected: Upstream merger, autopilot
    http://dev-jenkins.ubuntu-ci:8080
         Testing Affected: Job development testing
    http://staging-jenkins.ubuntu-ci:8080
         Testing Affected: Jenkins configuration and plugin testing
    http://dmz-jenkins.ubuntu-ci:8080
         Testing Affected: WebApps testing, LibreOffice, JHbuild, Ubuquity

The staging-jenkins instance was used as the tesbed and it's migration
has already been completed. The migration of all remaining jenkins
instances will commence on April 28th, 2014 and should be completed by
April 30th, 2014. The migration of the jenkins instances will occur in
the following order:
    April 28th:  dev-jenkins (1300 UTC), m-jenkins (1500 UTC),
dmz-jenkins (1700 UTC)
    April 29th:  d-jenkins (1300 UTC), q-jenkins (1500 UTC)
    April 30th:  s-jenkins (1300 UTC)

During the migration each jenkins instance will be shut down. The
jenkins configuration file and users directory will be backed up. Once
the back up is complete the configuration will be switched from the
jenkins internal user database to OpenID/SSO which will use
https://login.ubuntu.com as the backend. User permissions will be
controlled by LP groups instead of being managed on a per-user basis.It
should only take about 30 minutes to migrate each jenkins instance to
OpenID. Additional time is being allocated a) in case tweaks are needed
to the security realm for each jenkins instance on the SSO whitelist and
b) to allow time to test each system post-migration.

On the off chance jobs don't run properly or user's are unable to log in
the jenkins instance it will be shut down again, the original
configuration file and users directory will be restored and the jenkins
instance will be restarted using the original jenkins internal user
database.

If there are any questions or concerns please contact me or Evan Dandrea.

~w

Follow ups

Re: User authentication for CI Lab Jenkins instances
From: Thomi Richards, 2014-04-14