On Wed, May 22, 2013 at 1:20 PM, Russ Allbery <[email protected]> wrote:
> Then, use wallet to create that keytab on the build server, and then have
> your Jenkins server end its tasks by running:
>
> k5start -qUf /path/to/keytab/file -- /path/to/upload/script

I recently set up something just like this to do Jenkins deploys out of an SCM into AFS (instead of SSH or SCP). k5start works like a charm and I'd highly recommend it.

Also, I'd second Russ's point about separate keytabs per build "server". Out of the box, Jenkins doesn't do privilege separation well at all. I worked around this by using separate Jenkins shell accounts on the build servers, one account per project, with separate keytabs for each shell account/project. They are all prefixed by "jenkins/", so the keytab that can deploy to an Apache virtualhost in AFS is named "jenkins/vhost.example.com". It's a pain to manage all these extra pieces at scale, although Puppet helps a bit.

- Ken

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
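As an added illustration (not part of the thread above), here is the kind of wrapper a per-project Jenkins shell account could run as its final build step: it derives the "jenkins/<project>" principal from the account name, refuses to use a keytab that is not private to that account, and then hands off to the k5start invocation Russ gave. The keytab directory, the "jenkins-<project>" account naming and the deploy script path are assumptions, not conventions from the original posts.

```shell
#!/bin/sh
# Added example: final build step for a per-project Jenkins deploy account.
# Assumed layout (not from the thread): shell account "jenkins-<project>" maps to
# principal "jenkins/<project>", its keytab is $KEYTAB_DIR/<account>.keytab, and
# $DEPLOY_SCRIPT is the upload script that should run with that identity.
set -eu

KEYTAB_DIR=${KEYTAB_DIR:-/etc/keytabs}
DEPLOY_SCRIPT=${DEPLOY_SCRIPT:-/usr/local/bin/afs-deploy}

# jenkins-<project> -> jenkins/<project>; anything else is not a deploy account.
principal_for_account() {
    case "$1" in
        jenkins-*) printf 'jenkins/%s\n' "${1#jenkins-}" ;;
        *) printf 'account %s is not a jenkins deploy account\n' "$1" >&2; return 1 ;;
    esac
}

# Only use a keytab that exists, is owned by the calling account and is mode 0600,
# so one project's account cannot pick up another project's credentials.
keytab_is_private() {
    kt=$1
    [ -f "$kt" ] || return 1
    # -perm 0600 is an exact-mode match, -user checks ownership (both POSIX find).
    [ -n "$(find "$kt" -perm 0600 -user "$(id -un)" 2>/dev/null)" ]
}

# The k5start command line from the thread, exposed so it can be logged or checked.
k5start_cmdline() {
    printf 'k5start -qUf %s -- %s\n' "$KEYTAB_DIR/$1.keytab" "$DEPLOY_SCRIPT"
}

run_deploy() {
    account=$(id -un)
    principal=$(principal_for_account "$account")
    kt="$KEYTAB_DIR/$account.keytab"
    keytab_is_private "$kt" || {
        echo "refusing to use $kt for $principal: wrong owner or mode" >&2
        return 1
    }
    # -U reads the client principal from the keytab; -q keeps k5start quiet.
    exec k5start -qUf "$kt" -- "$DEPLOY_SCRIPT"
}
```

Call run_deploy from the job's last shell step; the checks fail closed, so a mis-deployed keytab stops the build instead of silently deploying under the wrong project identity.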
