[INFRA-3167] Move security settings to configuration-as-code for puppet managed instances

[jenkins-infra-bot]

Current config is defined at https://github.com/jenkins-infra/jenkins-infra/blob/production/dist/profile/templates/buildmaster/lockbox.groovy.erb#L62-L64

 

But can also just be exported via jcasc

Make sure to specify if user or group from the matrix-auth 3.0 upgrade.

I believe Damien Duportal manually migrated the auth config to 3.0 but it was reverted by the groovy script

---

Originally reported by timja, imported from: Move security settings to configuration-as-code for puppet managed instances

• status: Open
• priority: Minor
• resolution: Unresolved
• imported: 2022/01/10

[dduportal]

We can start this, following up jenkins-infra/jenkins-infra#2049

[lemeurherve]

FTR, current state of ci.jenkins.io:

Unambiguous state:

Desired state?

Corresponding casc of the desired (?) state:

  authorizationStrategy:
    globalMatrix:
      permissions:
      - "GROUP:Job/Read:authenticated"
      - "GROUP:Overall/Administer:admins"
      - "GROUP:Overall/Administer:jenkins-admins"
      - "GROUP:Overall/Read:authenticated"
      - "USER:Job/Read:anonymous"
      - "USER:Overall/Read:anonymous"

It looks like we need to move (at first) the permissions from here to a new lockbox.yaml.erb file here.
Example of what kind of casc section we need to approach here (to be fixed too)
Unfortunately, authorizationStrategy is in the jenkins root section, and its merge with existing values in the same section will need some attention.

[timja]

Unfortunately, authorizationStrategy is in the jenkins root section

As long as you aren't trying to merge permissions you will be fine, and even then it can be done.

[dduportal]

For info: https://github.com/jenkinsci/configuration-as-code-plugin/blob/master/docs/features/mergeStrategy.md

[timja]

(merging same elements is very beta quality, there's issues around it but it works for some cases, but again doubt it will be needed here)