This sounds like something that belongs in an identity and access
management solution in general since it's a common problem to be
solved for all your other applications using those auth sources.

On Fri, Feb 12, 2021 at 5:40 AM Chris Kilding
<[email protected]> wrote:
>
> Hello,
>
> Interest in multi-cloud and multi-account cloud setups is increasing at my 
> company, and I have had correspondence from people in other companies about 
> this too. It's worth thinking about how Jenkins is going to work in this 
> scenario going forward.
>
> There are quite a few Jenkins plugins that connect to cloud providers (e.g. 
> EC2 plugin, S3 plugin, my own Secrets Manager plugin, plus all the Azure, 
> GCP, Kubernetes equivalents). At the moment, these plugins are (at the risk 
> of generalising) built with the assumption that they connect to a single 
> cloud account. They work well within this assumption, but not outside it.
>
> The key issues at the moment are:
>
> 1. Name clashes (due to lack of namespacing facilities) when two resources in 
> different accounts have the same name.
> 2. Slowness/unavailability from interactions with one cloud account affecting 
> interactions with other accounts.
>
> To resolve the first problem, I would propose that we introduce a namespacing 
> feature of some kind, to allow resources from different accounts to safely 
> coexist.
>
> For the second problem, perhaps some partitioning of operations could be done 
> within the namespacing feature, so that if one API call goes bad or slower 
> than the others, it doesn't affect interactions with other accounts.
>
> At a minimum this would need to be done in the credentials API plugin: I'm 
> thinking an optional `namespace` argument could be specified for the 
> `withCredentials` or `credentials` bindings, implemented by the credential 
> providers. But I'm not sure that namespaces should be limited to just the 
> credentials system. Are there other parts of the Jenkins pipeline which deal 
> with cloud resources, and so would need to be aware of the namespacing 
> feature as well?
>
> Regards,
>
> Chris
>
> PS: In the past I have considered generalising the folders credentials 
> provider for this purpose, but this does not seem like the right fit. This is 
> really a namespacing problem, not an access control problem (which is what 
> folders are for).
>
> --
> You received this message because you are subscribed to the Google Groups 
> "Jenkins Developers" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to [email protected].
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/jenkinsci-dev/3e423f19-b3d1-4827-9881-b89d3b73b051%40www.fastmail.com.



-- 
Matt Sicker
Senior Software Engineer, CloudBees
