Re: [Essentials] RFC: first cut at registration and authentication for Jenkins Essentials

Mon, 26 Mar 2018 08:34:27 -0700 

(replies inline)

On Mon, 26 Mar 2018, Jesse Glick wrote:

> Jenkins already includes the `instance-identity` module, which is the
> standard mechanism¹ for both uniquely identifying a Jenkins
> installation, and permitting asymmetrically-encrypted communications
> with it. Is there a reason you are not using it? If so, that should be
> clearly documented under ???Alternative Approaches???. There is a vague
> mention of OpenSSH keys, but this module is not limited to SSH (much
> less OpenSSH), and public-key encryption has widespread library
> support.


Thanks for taking a look Jesse! You're right that Jenkins already does have an
instance identity floating around. In a much earlier iteration of my thinking I 
was
considering using this until I started to think about how this would work in
practice for new installations.

Unfortunately when the jenkins/evergreen image comes online and checks for
updates, it will not have run `jenkins.war` at all yet, and therefore no
instance identity. Rather than have one unprotected/identified route in the
service backend for bootstrapping new nodes, I am erring on the side of
treating all "got updates?" requests the same, which requires a client
registration and identity to kick the process off.

You're absolutely right that the 'Alternative Approaches" section doesn't list
this and should, I'll update shortly.



Cheers
- R. Tyler Croy

------------------------------------------------------
     Code: <https://github.com/rtyler>
  Chatter: <https://twitter.com/agentdero>
     xmpp: rty...@jabber.org

  % gpg --keyserver keys.gnupg.net --recv-key 1426C7DC3F51E16F
------------------------------------------------------

-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to jenkinsci-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-dev/20180326153407.5on7xn7gdl7odfue%40blackberry.coupleofllamas.com.
For more options, visit https://groups.google.com/d/optout.

Attachment: signature.asc
Description: PGP signature

Reply via email to