Hi Radek,

Thanks for your feedback.

> PS. I am unable to reset my password on *Jira/accounts.jenkins.io* ATM - no
> password reset email is coming to me.

If you send me your username and email address, I could have a look at it.

> I don't know what (tools/process) Linux Foundation is using

They are using https://identity.linuxfoundation.org/ and migrating to Auth0,
but in both cases they allow you to use social accounts like GitHub.

> - we need to know what are the limitations (would they allow for managing
> groups for different access levels e.g. plugin maintainers vs infra
> maintainers vs normal reporters)

This is something that needs to be clarified indeed. As far as I understood
it, at the moment LF identity management can only be used for services that
they manage; the opposite is true as well: if we ask them to manage our Jira,
they will probably need to also manage the identity. But indeed this is
something that needs clarification.

PS: We continued the discussion about Keycloak on the jenkins infrastructure
mailing list here
<https://groups.google.com/d/msgid/jenkins-infra/CAO49JtFG1yAn6SJgFDb5b4fSF1fiGRM_s-bjhBnMVXczrMgY-w%40mail.gmail.com?utm_medium=email&utm_source=footer>

On Thu, Jun 18, 2020, at 12:59 PM, Radosław Antoniuk wrote:
> On Thu, Jun 18, 2020 at 10:41 AM 'Olblak' via Jenkins Developers
> <[email protected]> wrote:
>> Hi Everybody,
>>
>> Some updates regarding these topics. While almost everything is back to
>> normal, we decided not to pursue the "every user password reset" as we
>> announced initially, but instead we focused on maintainers' and
>> administrators' access.
>> The reason for that is that we don't have ready-to-use tooling, so it
>> requires us to write custom scripts.
>> While we initially tried to go down that path, we reset +-30% of the
>> database; we realized that because of the amount of garbage we have in
>> that database, it was hard and time-consuming to finish this, so we
>> decided to look for alternatives to accounts.jenkins.io.
>>
>> At the moment we have two promising alternatives:
>>
>> Keycloak as a replacement for accounts.jenkins.io.
>> Keycloak is an open-source identity management tool which supports many
>> integrations like GitHub SSO or LDAP.
>> It's deployed and only available from our VPN at the moment; the
>> configuration is defined here
>> <https://github.com/jenkins-infra/charts/pull/256>.
>> It uses an RDS PostgreSQL database running on AWS, and the containers are
>> running on our AKS cluster.
>> It was easy to deploy and configure, *seems* easy to maintain, and its
>> database is running on a managed service.
>> It sounds very promising as it does exactly everything that
>> accounts.jenkins.io does, with a lot more like:
>> * Enforce email verification
>> * OTP
>> * Safe reset password workflow
>> * Using your social account like GitHub for login
>> * And many more
>> So we could stop losing time patching our custom identity management
>> tool.
>>
>> The second option would be to totally or partially delegate identity
>> management to the Linux Foundation infrastructure team.
>> We had a first exploratory meeting with them this week and we have
>> another one planned next week.
>> The whole idea is that the vast majority of Jenkins accounts are used to
>> report/update issues, while the smallest number of accounts are used by
>> plugin maintainers (+-1700) and Jenkins administrators (+-20).
>> So if we can delegate the management of Jira to them, we wouldn't need to
>> maintain an identity management tool anymore.
>> While implementation details still need to be discussed with them, what
>> seems to be clear at the moment is:
>> * Identity management would be a black box, as it would also contain
>> other Linux Foundation accounts.
>> * We could use it for Artifactory (repo.jenkins-ci.org) as they are
>> already doing the same for other communities that they are managing.
>> While we would lose flexibility on this, we wouldn't have to maintain it
>> or care about GDPR.
>> Therefore it will give us more time to focus on other initiatives.
>>
>> If you have any advice, questions, concerns on this topic, feel free to
>> raise them.
>>
>> Thanks for your patience
>>
>> Olivier
>
> Hi Olivier,
>
> Thanks a lot for the thorough update, both options sound really
> interesting.
>
> I think it would be easier to rely on an external identity provider, and
> each of the cloud providers now provides this (e.g. AWS SSO, Azure AD
> etc.). I believe that most people using Jenkins have GH or FB accounts.
> Sounds like this is almost the same as running Keycloak, assuming that we
> are using k8s and RDS anyway, but I understand that GDPR/CCPA would need
> to be handled by us in such case.
>
> I don't know what (tools/process) Linux Foundation is using, but the
> important parts from my perspective:
> - all the tools, not only Jira, but also blog, artifactory and ci should
> use it for Auth/AuthZ
> - we need to know what are the limitations (would they allow for managing
> groups for different access levels e.g. plugin maintainers vs infra
> maintainers vs normal reporters)
> - would it still be possible to use GitOps for open permission management
>
> For me both solutions are a great step forward from the current solution
> and I would personally choose the one that allows the least maintenance
> but that would address all the requirements (i.e. being the SSO solution)
> - for me GH is the natural choice as the SSO provider as Jenkins code is
> hosted there.
>
> PS. I am unable to reset my password on *Jira/accounts.jenkins.io* ATM -
> no password reset email is coming to me.
>
> Cheers,
> Radek
>
> --
> You received this message because you are subscribed to the Google Groups
> "Jenkins Developers" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/jenkinsci-dev/CAPe2pWgGGCMxSWbm7z_v9dqwqez1%3DMWBJMJCyOkZTYOksnr9cA%40mail.gmail.com

--
To view this discussion on the web visit
https://groups.google.com/d/msgid/jenkinsci-dev/0f2063ce-c466-4331-981d-c2608bc02c6c%40www.fastmail.com.
