On 2013-05-22 21:37, Ken Dreyer wrote:

> On Wed, May 22, 2013 at 1:20 PM, Russ Allbery <[email protected]> wrote:
>> Then, use wallet to create that keytab on the build server, and then have
>> your Jenkins server end its tasks by running:
>>
>> k5start -qUf /path/to/keytab/file -- /path/to/upload/script
>
> I recently set up something just like this to do Jenkins deploys out
> of an SCM into AFS (instead of SSH or SCP). k5start works like a charm
> and I'd highly recommend it.
>
> Also, I'd second Russ's point about separate keytabs per build
> "server". Out of the box, Jenkins doesn't do privilege separation well
> at all. I worked around this by using separate Jenkins shell accounts
> on the build servers, one account per project, with separate keytabs
> for each shell account/project. They are all prefixed by "jenkins/",
> so the keytab that can deploy to an Apache virtualhost in AFS is named
> "jenkins/vhost.example.com". It's a pain to manage all these extra
> pieces at scale, although Puppet helps a bit.
Ken, thank you, too, for your input! k5start indeed works great.

Our build server infrastructure is not as complex as yours seems to be, but I've taken your approach and have given each jenkins system account on each of our four build servers its own keytab and set up k5login on the APT repo server (with Puppet modules and types for Wallet and k5login this is easy enough). On the APT repo server the jenkins user can call a single script via sudo to deploy new .deb packages. This works exactly as I had hoped it would.

Thanks again,
Andreas
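The per-account keytab plus k5start wrapper that both messages describe, written out as an added shell example; it is not code from the thread, from Wallet or from k5start's documentation. The `jenkins-<project>` account naming, the keytab directory and the upload script path are assumptions.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Assumed layout: one Jenkins shell account per project, named jenkins-<project>,
# each with its own keytab at /etc/keytabs/<account>.keytab (hypothetical path),
# and one upload script, /usr/local/bin/upload-deb (hypothetical), that the
# APT repo server in turn restricts with a single sudo rule.

# Pick the keytab from the invoking account rather than from an argument, so a
# job cannot ask for another project's credentials.
keytab_for_user() {
    case "$1" in
        jenkins-*) printf '/etc/keytabs/%s.keytab\n' "$1" ;;
        *) return 1 ;;
    esac
}

# Accept only a bare .deb filename: no directory components, no leading dot,
# no ".." sequence, so the upload script never sees a path outside its workdir.
valid_deb_name() {
    case "$1" in
        */* | .* | *..*) return 1 ;;
        *.deb) return 0 ;;
        *) return 1 ;;
    esac
}

# The k5start form from Russ's suggestion: -q quiet, -U read the principal from
# the keytab, -f keytab, then "--" and the command to run with the fresh ticket.
k5start_cmdline() {
    printf 'k5start -qUf %s -- %s %s\n' "$1" "$2" "$3"
}

# Post-build step: validate, then run the upload under the project's own ticket.
run_upload() {
    user=${USER:-$(id -un)}
    keytab=$(keytab_for_user "$user") || {
        echo "not a jenkins project account: $user" >&2; return 2; }
    valid_deb_name "$1" || {
        echo "refusing package name: $1" >&2; return 3; }
    [ -r "$keytab" ] || {
        echo "keytab not readable: $keytab" >&2; return 4; }
    k5start -qUf "$keytab" -- /usr/local/bin/upload-deb "$1"
}
```

Run `run_upload mypkg_1.0_amd64.deb` as the last step of the Jenkins job; the failing cases return non-zero before any ticket is obtained, which is what you want a build log to show.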
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
