Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[4564] Restructure Security section #4612

Open
wants to merge 69 commits into
base: master
Choose a base branch
from
Open

[4564] Restructure Security section #4612

wants to merge 69 commits into from
+513 −351

Conversation

StackScribe
Copy link
Contributor

This is the first of a series of PRs to restructure and update the "Securing Jenkins" chapter, adding:

  • Jenkins is a fully-distributed build system...
  • Security principles
  • How Jenkins executes a pipeline

Reviewers: please particularly note material about Security Advisories and Security Updates. I am not sure that they are linked to the most appropriate pages.

@MarkEWaite @daniel-beck @Wadeck

This PR also modifies the information about "Enable Security" that is in the "Managing Security" page and turns it into a NOTE. This is here because I first moved that note onto this page but then decided it belongs where it is.

This PR also includes some rewrites to the "Agents and Security" material that was here, although this will be removed and merged with what is in the "Controller Isolation" page.

The rest of the material on this page will be merged with information in other pages of this chapter.

When completed, this chapter will have this general flow:

  • Security concepts and information (this page)
  • Controller Isolation
  • Configure Global Security -- introduce the UI
  • Sections that discuss how to populate the UI sections, presented in the order they appear after installing Jenkins with the recommended plugins. So begin with Security Realm, then Authentication, TCP Port, other security settings...
  • Other security topics such as "Access Control for Builds" and "Handling Environment Variables"

@StackScribe StackScribe requested a review from a team as a code owner October 5, 2021 09:15
@probot-autolabeler probot-autolabeler bot added the documentation Jenkins documentation, including user and developer docs, solution pages, etc. label Oct 5, 2021
@daniel-beck daniel-beck self-requested a review October 5, 2021 09:16
@StackScribe StackScribe mentioned this pull request Oct 5, 2021
Open
@StackScribe
Copy link
Contributor Author

@daniel-beck Can you approve this so we can merge it?

daniel-beck
daniel-beck reviewed Oct 13, 2021
View reviewed changes
content/doc/book/security/index.adoc Outdated
that are destroyed at the end of each build job.

NOTE: A job that performs administrative tasks such as backups may run on the controller,
but be sure to label the executor and only allow it to be used by jobs that specify that label.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is already a potential problem, as pipeline authors can configure their pipelines to run on node('master || built-in') and suddenly other stuff is running. https://plugins.jenkins.io/job-restrictions/ exists, but out of the box, only zero executors can prevent that.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This whole sub-section is being merged with the info in the controller-isolation.adoc file. See #4635 . I will modify the note in that PR.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See lines 45ff in the controller-isolation.adoc file. I did not include the syntax that Pipeline authors can use to access a labeled executor. I figured we didn't want to make this a how-to manual, right?

@StackScribe
Copy link
Contributor Author

StackScribe commented Oct 19, 2021
edited

The PR is now being redone to conform with the structure discussed in https://docs.google.com/document/d/1xpx6CGyCv3Dcs9blZLwKnzgTsPg-pkabM3XeyfMiUNY/edit#heading=h.df9a9tasgkqd .

All this restructuring is going to make this PR very large but it will mean we have the structure in place moving forward. To try to reduce the pain, I am annotating the gdoc with links to the relevant commit.

@StackScribe StackScribe changed the title [4564] Add conceptual info to security introduction [4564] Restructure Security section Oct 20, 2021
Meg McRoberts and others added 3 commits January 21, 2022 01:05
delete securing-jenkins.adoc -- dbeck says these wiki links are obsolete
2c46b5a
@daniel-beck
InBound -> Inbound
d512ff7 
Co-authored-by: Daniel Beck <1831569+daniel-beck@users.noreply.github.com>
Merge branch '1004-security-overview' of github.com:StackScribe/jenki…
1609c80 
…ns.io into 1004-security-overview
Meg McRoberts and others added 3 commits January 21, 2022 01:26
@daniel-beck
fix indentation
2549d42 
Co-authored-by: Daniel Beck <1831569+daniel-beck@users.noreply.github.com>
Merge branch '1004-security-overview' of github.com:StackScribe/jenki…
fb96a9e 
…ns.io into 1004-security-overview
"Jenkins Access Control" -> "Access Control"
8b9af00
MarkEWaite added a commit to MarkEWaite/docker-confluence-data that referenced this pull request Jan 21, 2022
@MarkEWaite
Redirect file that Daniel Beck noted has been replaced
81d3b8c 
jenkins-infra/jenkins.io#4612 includes a
detailed review by Daniel where he recommended that Meg McRoberts
proceed with the removal of the file that references this location.

The content on the page is well covered by the destination of the
redirect and the destination of the redirect is being updated and
corrected as needed for further improvements.
@MarkEWaite MarkEWaite mentioned this pull request Jan 21, 2022
Merged
@StackScribe
Copy link
Contributor Author

StackScribe commented Jan 25, 2022
edited

We discussed the structural issues with this piece in the 24 January Docs Office Hours and came up with the following actions, all of which have been implemented:

  • Split "How Jenkins executes jobs" into a separate page (d5b6325 )
  • Rename "Background concepts" to "Security concepts" (same commit as above)
  • Remove the descriptions of the individual fields on the "Configure Global Security" page from the list in index.adoc so that list is not so long. These topics still show in the left frame and the "Configure Global Security" page still has a comprehensive list of all fields. (1d349e8 )
  • Move the information about Agent -> Controller security to controller-isolation and remove that file since this field no longer shows on the UI. (4b4ced3 )

@daniel-beck daniel-beck self-requested a review January 26, 2022 08:36
@github-actions github-actions bot added the unresolved-merge-conflict There is a merge conflict with the target branch. label Mar 7, 2023
@github-actions
Copy link
Contributor

github-actions bot commented Mar 7, 2023

Please take a moment and address the merge conflicts of your pull request. Thanks!

@MarkEWaite MarkEWaite added the stalled Pull requests that are not progressing label Apr 20, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@timja timja timja left review comments

@MarkEWaite MarkEWaite Awaiting requested review from MarkEWaite

@daniel-beck daniel-beck Awaiting requested review from daniel-beck

Requested changes must be addressed to merge this pull request.

Assignees

@daniel-beck daniel-beck

Labels
documentation Jenkins documentation, including user and developer docs, solution pages, etc. stalled Pull requests that are not progressing unresolved-merge-conflict There is a merge conflict with the target branch.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@StackScribe @daniel-beck @MarkEWaite @timja