Securing Hudson and Access Control

Securing Hudson and Access Control

David Weintraub-4
We are currently using CruiseControl, but I am thinking of switching to
Hudson. I found Hudson easier to set up, and our developers find the
information easier to find. Right now, I am running Hudson directly from
the "java -jar Hudson" command which I understand uses Winstone as a
servlet container. Later on, I'd like to make this part of our Apache
server, and maybe let Apache handle our security. Which brings us to the
topic:

* Right now, any developer could set up, delete, or edit projects. I
would like a bit of access control on this. I want to be the only one
who can edit, delete, or create new Hudson projects to build, but I want
the developers to be able to do everything else including starting a
build manually instead of waiting for the build process to start up.

Unfortunately, the directions on setting this up are not clear. I tried
following the directions in Hudson which referred me back to the
Winstone webpage which then explained it is pretty much the same way you
would do it in tomcat. I tried searching the list archive, but again,
there isn't too much information.

Is there a webpage, a book, or any simple step-by-step directions that
explain how to do this? I would be very happy, once I figure this out,
to put this information into the Wiki for other hapless souls like
myself.

I am not a Java developer, I really don't know anything about servlet
containers, I don't know anything about Winstone, and I don't know
anything about Tomcat. I would be happy to learn, but first, I'd like
some simple instructions on setting things up.

I tried creating a user-list.xml and tried to run Hudson in the
FileRealm, but my efforts failed. Attempting to log in by going to
http://hudson:8090/login gives me a Status 404 error. (I have to run
Hudson on port 8090 since port 8080 is already taken).

--
David Weintraub
[hidden email]

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


Re: Securing Hudson and Access Control

Kohsuke Kawaguchi
Administrator
2007/10/22, David Weintraub <[hidden email]>:
> * Right now, any developer could setup, delete, or edit projects. I
> would like a bit of access control on this. I want to be the only one
> who can edit, delete, or create new Hudson projects to build, but I want
> the developers to be able to do everything else including starting a
> build manually instead of waiting for the build process to startup.

This is being tracked as issue #326. Such fine-grained access control
is not available today.

> Unfortunately, the directions on setting this up are not clear. I tried
> following the directions in Hudson which referred me back to the
> Winstone webpage which then explained it is pretty much the same way you
> would do it in tomcat. I tried searching the list archive, but again,
> there isn't too much information.
>
> Is there a webpage, a book, or any simple step-by-step directions that
> explains how to do this. I would be very happy, once I figure this out,
> to put this information into the Wiki for other hapless souls like
> myself.
>
> I am not a Java developer, I really don't know anything about servlet
> containers, I don't know anything about Winstone, and I don't know
> anything about Tomcat. I would be happy to learn, but first, I'd like
> some simple instructions on setting things up.
>
> I tried creating a user-list.xml and tried to run Hudson in the
> FileRealm, but my efforts failed. Attempting to login by going to
> http://hudson:8090/login gives me a Status 404 error. (I have to run
> Hudson on port 8090 since port 8080 is already taken).
>
> --
> David Weintraub
> [hidden email]


--
Kohsuke Kawaguchi


RE: Re: Securing Hudson and Access Control

David Weintraub-4
I didn't think of this as "fine grain control". Fine grain control to me
would be allowing users to modify some jobs, but not others, or maybe
certain aspects of a job, or maybe from what range of IP addresses. What
I am asking for is to keep the Hudson configuration "read only" except
for the one user who is the administrator.

So, exactly what can I configure in the way of security, and how can I
set this up if I am running Hudson via the "java -jar Hudson" command?

-----Original Message-----
From: [hidden email] [mailto:[hidden email]]
On Behalf Of Kohsuke Kawaguchi
Sent: Monday, October 22, 2007 11:35 PM
To: [hidden email]
Subject: Re: Securing Hudson and Access Control

2007/10/22, David Weintraub <[hidden email]>:
> * Right now, any developer could setup, delete, or edit projects. I
> would like a bit of access control on this. I want to be the only one
> who can edit, delete, or create new Hudson projects to build, but I want
> the developers to be able to do everything else including starting a
> build manually instead of waiting for the build process to startup.

This is being tracked as issue #326. Such fine-grained access control
is not available today.

--
David Weintraub
[hidden email]


Re: Securing Hudson and Access Control

Kohsuke Kawaguchi
Administrator
David Weintraub wrote:
> I didn't think of this as "fine grain control". Fine grain control to me
> would be allowing users to modify some jobs, but not others, or maybe
> certain aspects of a job, or maybe from what range of IP addresses. What
> I am asking for is to keep the Hudson configuration "read only" except
> for the one user who is the administrator.
>
> So, exactly what can I configure in the way of security, and how can I
> set this up if I am running Hudson via the "java -jar Hudson" command?

Hudson really only has very minimal privilege control. That is, when you
"secure" Hudson, the model is that you are either an admin or not, and
if you are an admin you get to do everything, and if you are not you
can't do many things. There's nowhere in between.

This clearly needs improvements, but there's not much progress on this
front (mainly because no committer is interested in this feature, I
suppose).

So I'm sorry to let you down on this, but we are not quite there yet.


> -----Original Message-----
> From: [hidden email] [mailto:[hidden email]]
> On Behalf Of Kohsuke Kawaguchi
> Sent: Monday, October 22, 2007 11:35 PM
> To: [hidden email]
> Subject: Re: Securing Hudson and Access Control
>
> 2007/10/22, David Weintraub <[hidden email]>:
>> * Right now, any developer could setup, delete, or edit projects. I
>> would like a bit of access control on this. I want to be the only one
>> who can edit, delete, or create new Hudson projects to build, but I want
>> the developers to be able to do everything else including starting a
>> build manually instead of waiting for the build process to startup.
>
> This is being tracked as issue #326. Such fine-grained access control
> is not available today.
>
> --
> David Weintraub
> [hidden email]

--
Kohsuke Kawaguchi
Sun Microsystems                   [hidden email]
