Uses Github OAuth plugin to secure Jenkins

* Configures github oauth as default jenkins auth realm (was unix system user)
* Uses the Matrix Authorization Strategy at 3 levels: anonymous, administrator,
  and job builder.
* Allows configuration of the list of users/groups and permissions granted to
  each authorization level.
* Adds ssh private key to jenkins user, to maintain CLI tool access
* Sets jenkins password only if using old unix system user realm; locks the
  jenkins system user when using github oauth.
* Adds jenkins public key to Jenkins user config.xml, and creates that user
  config.xml file if it's missing (required to bootstrap jenkins user CLI access)
* Renames the existing JENKINS_ANALYTICS_GITHUB_* credential variables to
  JENKINS_ANALYTICS_GITHUB_CREDENTIAL_* to avoid confusing them with the Github
  OAUTH variables.

playbooks/roles/jenkins_analytics/README.md

@@ -6,7 +6,7 @@ This role performs the following steps:
 
 * Installs Jenkins using `jenkins_master`.
 * Configures `config.xml` to enable security and use
-  Linux Auth Domain.
+  Github OAuth plugin (by default) or Unix Auth Domain.
 * Creates Jenkins credentials.
 * Enables the use of Jenkins CLI.
 * Installs a seed job from configured repository, launches it and waits
@@ -29,9 +29,9 @@ all required variables from this section.
 This file needs to contain, at least, the following variables
 (see the next few sections for more information about them):
 
-* `JENKINS_ANALYTICS_USER_PASSWORD_PLAIN`.
-  See [Jenkins User Password](#jenkins-user-password) for details.
-* (`JENKINS_ANALYTICS_GITHUB_*` and `ANALYTICS_SCHEDULE_MASTER_SSH_CREDENTIAL_*`)
+* `JENKINS_ANALYTICS_GITHUB_OAUTH_CLIENT_*` or `JENKINS_ANALYTICS_USER_PASSWORD_PLAIN`.
+  See [Jenkins Security](#jenkins-security) for details.
+* (`JENKINS_ANALYTICS_GITHUB_CREDENTIAL_*` and `ANALYTICS_SCHEDULE_MASTER_SSH_CREDENTIAL_*`)
   and/or `JENKINS_ANALYTICS_CREDENTIALS`.
   See [Jenkins Credentials](#jenkins-credentials) for details.
 * `ANALYTICS_SCHEDULE_SECURE_REPO_*` and `ANALYTICS_SCHEDULE_<TASK_NAME>_EXTRA_VARS`.
@@ -39,25 +39,168 @@ This file needs to contain, at least, the following variables
 
 ### End-user editable configuration
 
-#### Jenkins user password
+#### Jenkins Security
 
-You'll need to override default `jenkins` user password, please do that
+The `jenkins_analytics` role provides two options for controlling authentication and authorization to the Jenkins
+application:
+
+* [Github OAuth plugin](https://wiki.jenkins-ci.org/display/JENKINS/Github+OAuth+Plugin) (default)
+* Unix system user
+
+Both roles control authorization permissions using the 
+[Matrix Authorization Strategy](https://wiki.jenkins-ci.org/display/JENKINS/Matrix+Authorization+Strategy+Plugin).
+See [Authorization](#authorization) for details.
+
+##### Github OAuth
+
+To select this security mechanism, set `JENKINS_ANALYTICS_AUTH_REALM: github_oauth`.
+
+The [Github OAuth plugin](https://wiki.jenkins-ci.org/display/JENKINS/Github+OAuth+Plugin) 
+uses Github usernames and organization memberships to control access to the
+Jenkins GUI and CLI tool.
+
+To configure Github OAuth:
+
+1. Create a [GitHub application registration](https://github.com/settings/applications/new).
+
+    * Application name: choose an appropriate name, e.g. edX Analytics Scheduler
+    * Homepage URL: choose an appropriate URL within your Jenkins install, usually the home page.  
+      e.g., `http://localhost:8080`
+    * Authorization callback URL: Must be your Jenkins base URL, with path `/securityRealm/finishLogin`.  
+      e.g., `http://localhost:8080/securityRealm/finishLogin`
+
+1. Copy the Client ID and Client Secret into these variables:
+
+        JENKINS_ANALYTICS_GITHUB_OAUTH_CLIENT_ID: <Github Client ID>
+        JENKINS_ANALYTICS_GITHUB_OAUTH_CLIENT_SECRET: <Github Client Secret>
+
+1. Optionally add your Github username or groups to the `JENKINS_ANALYTICS_AUTH_JOB_BUILDERS` and/or 
+   `JENKINS_ANALYTICS_AUTH_ADMINISTRATORS` lists.  See [Authorization](#authorization) below for details.
+
+1. Optionally, but only with good reason, update the list of Github OAuth Scopes.  This setting determines the Github
+   permissions that the Jenkins application will have in Github on behalf of the authenticated user.  
+   Default value is:
+
+        JENKINS_ANALYTICS_GITHUB_OAUTH_SCOPES:
+          - read:org
+          - user:email
+
+1. You may also update the Github OAuth Web URI and API URI values, if for instance, you're using a locally installed
+enterprise version of Github.  Default values are:
+
+        JENKINS_ANALYTICS_GITHUB_OAUTH_WEB_URI: 'https://github.com'
+        JENKINS_ANALYTICS_GITHUB_OAUTH_API_URI: 'https://api.github.com'
+
+
+##### Unix system user
+
+To select this security mechanism, set `JENKINS_ANALYTICS_AUTH_REALM: unix`.
+
+This security mechanism uses the `jenkins` system user and password for access
+to the Jenkins GUI and CLI tool.
+
+You'll need to override default `jenkins` user password, please do that carefully
 as this sets up the **shell** password for this user.
 
 You'll need to set a plain password so ansible can reach Jenkins via the command line tool.
 
-* `JENKINS_ANALYTICS_USER_PASSWORD_PLAIN`: plain password
+    JENKINS_ANALYTICS_AUTH_REALM: unix
+    JENKINS_ANALYTICS_USER_PASSWORD_PLAIN: "your plain password"
+
+##### Authorization
+
+The `jenkins_analytics` role configures authorization using the
+[Matrix Authorization Strategy](https://wiki.jenkins-ci.org/display/JENKINS/Matrix+Authorization+Strategy+Plugin).
+This strategy provides fine-grained control over which permissions are granted to which users or group members.
+
+Currently there are three different levels of user access configured:
+
+* `anonymous`: The `anonymous` user is special in Jenkins, and denotes any unauthenticated user.  By default, no
+  permissions are granted to anonymous users, which forces all users to the login screen.
+* `JENKINS_ANALYTICS_AUTH_ADMINISTRATORS`: list of members who are granted all permissions by default.  The
+  `jenkins` user is automatically added to this list, so that ansible can maintain the Jenkins instance.  
+  See [Security Note](#security-note) below.
+* `JENKINS_ANALYTICS_AUTH_JOB_BUILDERS`: list of members who are granted permissions sufficient for maintaining Jobs,
+  Credentials, and Views.
+
+When `JENKINS_ANALYTICS_AUTH_REALM: github_oauth`, members of the above lists may be GitHub users, organizations, or
+teams.
+
+* `username` - give permissions to a specific GitHub username.
+* `organization` - give permissions to every user that belongs to a specific GitHub organization. Members must be
+  *public members* of the organization for the authorization to work correctly.  Also, the organization itself must
+  allow access by the Github OAuth application, which must be granted by an administrator of the organization.
+  See [Github third-party application restrictions](https://github.com/organizations/open-craft/settings/oauth_application_policy) 
+  for more information.
+* `organization*team` - give permissions to a specific GitHub team of a GitHub organization. Notice that organization
+  and team are separated by an asterisk (`*`).  The Github OAuth plugin documentation doesn't say so, but the team
+  probably needs to be a public team.
+
+For example, this configuration grants job builder access to all of `edx-ops`, and admin access only to members of the
+`jenkins-config-push-pull` team within `edx-ops`.
+
+    JENKINS_ANALYTICS_AUTH_JOB_BUILDERS:
+      - edx-ops
+    JENKINS_ANALYTICS_AUTH_ADMINISTRATORS:
+      - edx-ops*jenkins-config-push-pull
+
+The list of permissions granted to each group is also configurable, but exercise caution when changing.
+
+* `JENKINS_ANALYTICS_AUTH_ANONYMOUS_PERMISSIONS`: Defaults to an empty list, indicating no permissions.
+* `JENKINS_ANALYTICS_AUTH_ADMINISTRATOR_PERMISSIONS`: Defaults to the full list of available Jenkins permissions at time
+  of writing.
+* `JENKINS_ANALYTICS_AUTH_JOB_BUILDER_PERMISSIONS`: By default, job builders are missing Jenkins Admin/Update
+  permissions, as well as access required to administer slave Jenkins instances.  However, they are granted these
+  permissions:
+    - `com.cloudbees.plugins.credentials.CredentialsProvider.*`: Allows management of Jenkins Credentials.
+    - `hudson.model.Hudson.Read`: Grants read access to almost all pages in Jenkins.
+    - `hudson.model.Hudson.RunScripts`: Grants access to the Jenkins Script Console and CLI groovy interface.
+    - `hudson.model.Item.*`: Allows management of Jenkins Jobs.
+    - `hudson.model.Run.*`: Allows management of Jenkins Job Runs.
+    - `hudson.model.View.*`: Allows management of Jenkins Views.
+    - `hudson.scm.SCM.Tag`: Allows users to create a new tag in the source code repository for a given build.
+
+The user/group lists and permissions are joined using matching keys in the `jenkins_auth_users` and
+`jenkins_auth_permissions` structures.  
+
+If additional groups are required, you must add them to both `jenkins_auth_users` and `jenkins_auth_permissions`.  This
+example shows the current 3 groups, plus a fourth group whose members can view Job status:
+
+    jenkins_auth_users:
+      anonymous: 
+        - anonymous
+      administrators: "{{ jenkins_admin_users + JENKINS_ANALYTICS_AUTH_ADMINISTRATORS }}"
+      job_builders: "{{ JENKINS_ANALYTICS_AUTH_JOB_BUILDERS | default([]) }}"
+      job_readers: "{{ JENKINS_ANALYTICS_AUTH_JOB_READERS | default([]) }}"
+
+    jenkins_auth_permissions:
+      anonymous: "{{ JENKINS_ANALYTICS_AUTH_ANONYMOUS_PERMISSIONS }}"
+      administrators: "{{ JENKINS_ANALYTICS_AUTH_ADMINISTRATOR_PERMISSIONS }}"
+      job_builders: "{{ JENKINS_ANALYTICS_AUTH_JOB_BUILDER_PERMISSIONS }}"
+      job_readers:
+        - `hudson.model.Hudson.Read`
+        - `hudson.model.Item.Discover`
+        - `hudson.model.Item.Read`
+        - `hudson.model.View.Read`
+
+###### Security Note
+
+As mentioned above, we append the `jenkins` user to the `JENKINS_ANALYTICS_AUTH_ADMINISTRATORS` list, to allow ansible
+to configure Jenkins via the CLI tool.  However, when `JENKINS_ANALYTICS_AUTH_REALM: github_oauth`, there is a risk that
+the owner of the Github username jenkins use that login to gain admin access to Jenkins.  This would be a risk no matter
+which username we chose for this role.
+
 
 #### Jenkins credentials
 
 Jenkins contains its own credential store. To fill it with credentials,
 we recommend overriding these variables:
 
-* `JENKINS_ANALYTICS_GITHUB_USER`: github username, with read access to the
+* `JENKINS_ANALYTICS_GITHUB_CREDENTIAL_USER`: github username, with read access to the
   secure config and job dsl repos.
-* `JENKINS_ANALYTICS_GITHUB_PASSPHRASE`: optional passphrase, if required for
-  `JENKINS_ANALYTICS_GITHUB_USER`.  Default is `null`.
-* `JENKINS_ANALYTICS_GITHUB_KEY`: private key for the `JENKINS_ANALYTICS_GITHUB_USER`, e.g.
+* `JENKINS_ANALYTICS_GITHUB_CREDENTIAL_PASSPHRASE`: optional passphrase, if required for
+  `JENKINS_ANALYTICS_GITHUB_CREDENTIAL_USER`.  Default is `null`.
+* `JENKINS_ANALYTICS_GITHUB_CREDENTIAL_KEY`: private key for the `JENKINS_ANALYTICS_GITHUB_CREDENTIAL_USER`, e.g.
    `"{{ lookup('file', '/home/you/.ssh/id_rsa') }}"`
 * `ANALYTICS_SCHEDULE_SECURE_REPO_MASTER_SSH_CREDENTIAL_FILE`: path to the ssh
   key file, relative to the `ANALYTICS_SCHEDULE_SECURE_REPO_URL`.
@@ -96,7 +239,7 @@ Default value for `JENKINS_ANALYTICS_CREDENTIALS`, and the variables it depends
         type: ssh-private-key
         passphrase: "{{ JENKINS_ANALYTICS_GITHUB_PASSPHRASE }}"
         description: github access key, generated by ansible
-        privatekey: "{{ JENKINS_ANALYTICS_GITHUB_KEY }}"
+        privatekey: "{{ JENKINS_ANALYTICS_GITHUB_CREDENTIAL_KEY }}"
       - id: "{{ ANALYTICS_SCHEDULE_MASTER_SSH_CREDENTIAL_ID }}"
         scope: GLOBAL
         username: "{{ ANALYTICS_SCHEDULE_MASTER_SSH_CREDENTIAL_USER }}"
@@ -116,11 +259,11 @@ could override `JENKINS_ANALYTICS_CREDENTIALS` like this:
     JENKINS_ANALYTICS_CREDENTIALS:
       - id: "{{ JENKINS_ANALYTICS_GITHUB_CREDENTIAL_ID }}"
         scope: GLOBAL
-        username: "{{ JENKINS_ANALYTICS_GITHUB_USER }}"
+        username: "{{ JENKINS_ANALYTICS_GITHUB_CREDENTIAL_USER }}"
         type: ssh-private-key
-        passphrase: "{{ JENKINS_ANALYTICS_GITHUB_PASSPHRASE }}"
+        passphrase: "{{ JENKINS_ANALYTICS_GITHUB_CREDENTIAL_PASSPHRASE }}"
         description: github access key, generated by ansible
-        privatekey: "{{ JENKINS_ANALYTICS_GITHUB_KEY }}"
+        privatekey: "{{ JENKINS_ANALYTICS_GITHUB_CREDENTIAL_KEY }}"
       - id: "{{ ANALYTICS_SCHEDULE_MASTER_SSH_CREDENTIAL_ID }}"
         scope: GLOBAL
         username: "{{ ANALYTICS_SCHEDULE_MASTER_SSH_CREDENTIAL_USER }}"

playbooks/roles/jenkins_analytics/defaults/main.yml

 ---
+# See README.md for variable descriptions
 
 # Packages required to build edx-analytics-pipeline
 JENKINS_ANALYTICS_EXTRA_PKGS:
   - libpq-dev
   - libffi-dev
 
-# See README.md for variable descriptions
-
+# Change this default password: (see README.md to see how you can do it)
 JENKINS_ANALYTICS_USER_PASSWORD_PLAIN: jenkins
+JENKINS_ANALYTICS_AUTH_REALM: github_oauth
+JENKINS_ANALYTICS_AUTH_ADMINISTRATORS: []
+JENKINS_ANALYTICS_AUTH_JOB_BUILDERS: []
+JENKINS_ANALYTICS_AUTH_ANONYMOUS_PERMISSIONS: []
+JENKINS_ANALYTICS_AUTH_ADMINISTRATOR_PERMISSIONS:
+  - com.cloudbees.plugins.credentials.CredentialsProvider.Create
+  - com.cloudbees.plugins.credentials.CredentialsProvider.Delete
+  - com.cloudbees.plugins.credentials.CredentialsProvider.ManageDomains
+  - com.cloudbees.plugins.credentials.CredentialsProvider.Update
+  - com.cloudbees.plugins.credentials.CredentialsProvider.View
+  - hudson.model.Computer.Build
+  - hudson.model.Computer.Configure
+  - hudson.model.Computer.Connect
+  - hudson.model.Computer.Create
+  - hudson.model.Computer.Delete
+  - hudson.model.Computer.Disconnect
+  - hudson.model.Hudson.Administer
+  - hudson.model.Hudson.ConfigureUpdateCenter
+  - hudson.model.Hudson.Read
+  - hudson.model.Hudson.RunScripts
+  - hudson.model.Hudson.UploadPlugins
+  - hudson.model.Item.Build
+  - hudson.model.Item.Cancel
+  - hudson.model.Item.Configure
+  - hudson.model.Item.Create
+  - hudson.model.Item.Delete
+  - hudson.model.Item.Discover
+  - hudson.model.Item.Move
+  - hudson.model.Item.Read
+  - hudson.model.Item.Workspace
+  - hudson.model.Run.Delete
+  - hudson.model.Run.Update
+  - hudson.model.View.Configure
+  - hudson.model.View.Create
+  - hudson.model.View.Delete
+  - hudson.model.View.Read
+  - hudson.scm.SCM.Tag
+JENKINS_ANALYTICS_AUTH_JOB_BUILDER_PERMISSIONS:
+  - com.cloudbees.plugins.credentials.CredentialsProvider.Create
+  - com.cloudbees.plugins.credentials.CredentialsProvider.Delete
+  - com.cloudbees.plugins.credentials.CredentialsProvider.ManageDomains
+  - com.cloudbees.plugins.credentials.CredentialsProvider.Update
+  - com.cloudbees.plugins.credentials.CredentialsProvider.View
+  - hudson.model.Hudson.Read
+  - hudson.model.Hudson.RunScripts
+  - hudson.model.Item.Build
+  - hudson.model.Item.Cancel
+  - hudson.model.Item.Configure
+  - hudson.model.Item.Create
+  - hudson.model.Item.Delete
+  - hudson.model.Item.Discover
+  - hudson.model.Item.Move
+  - hudson.model.Item.Read
+  - hudson.model.Item.Workspace
+  - hudson.model.Run.Delete
+  - hudson.model.Run.Update
+  - hudson.model.View.Configure
+  - hudson.model.View.Create
+  - hudson.model.View.Delete
+  - hudson.model.View.Read
+  - hudson.scm.SCM.Tag
+
+JENKINS_ANALYTICS_GITHUB_OAUTH_CLIENT_ID: null
+JENKINS_ANALYTICS_GITHUB_OAUTH_CLIENT_SECRET: null
+JENKINS_ANALYTICS_GITHUB_OAUTH_SCOPES:
+  - read:org
+  - user:email
+JENKINS_ANALYTICS_GITHUB_OAUTH_WEB_URI: 'https://github.com'
+JENKINS_ANALYTICS_GITHUB_OAUTH_API_URI: 'https://api.github.com'
+
 JENKINS_ANALYTICS_GITHUB_CREDENTIAL_ID: 'github-deploy-key'
-JENKINS_ANALYTICS_GITHUB_USER: 'git'
-JENKINS_ANALYTICS_GITHUB_PASSPHRASE: null
+JENKINS_ANALYTICS_GITHUB_CREDENTIAL_USER: 'git'
+JENKINS_ANALYTICS_GITHUB_CREDENTIAL_PASSPHRASE: null
+JENKINS_ANALYTICS_GITHUB_CREDENTIAL_KEY: null
 
 JENKINS_ANALYTICS_CONCURRENT_JOBS_COUNT: 2
 
@@ -36,11 +107,11 @@ ANALYTICS_SCHEDULE_JOBS_DSL_TARGET_JOBS: "jobs/analytics-edx-jenkins.edx.org/*Jo
 JENKINS_ANALYTICS_CREDENTIALS:
   - id: "{{ JENKINS_ANALYTICS_GITHUB_CREDENTIAL_ID }}"
     scope: GLOBAL
-    username: "{{ JENKINS_ANALYTICS_GITHUB_USER }}"
+    username: "{{ JENKINS_ANALYTICS_GITHUB_CREDENTIAL_USER }}"
     type: ssh-private-key
-    passphrase: "{{ JENKINS_ANALYTICS_GITHUB_PASSPHRASE }}"
+    passphrase: "{{ JENKINS_ANALYTICS_GITHUB_CREDENTIAL_PASSPHRASE }}"
     description: github access key, generated by ansible
-    privatekey: "{{ JENKINS_ANALYTICS_GITHUB_KEY }}"
+    privatekey: "{{ JENKINS_ANALYTICS_GITHUB_CREDENTIAL_KEY }}"
   - id: "{{ ANALYTICS_SCHEDULE_MASTER_SSH_CREDENTIAL_ID }}"
     scope: GLOBAL
     username: "{{ ANALYTICS_SCHEDULE_MASTER_SSH_CREDENTIAL_USER }}"
@@ -66,11 +137,38 @@ jenkins_credentials_script: "{{ jenkins_credentials_root }}/addCredentials.groov
 
 jenkins_connection_retries: 240
 jenkins_connection_delay: 1
-jenkins_auth_realm:
-  name: unix
-  service: su
-  # Change this default password: (see README.md to see how you can do it)
-  plain_password: "{{ JENKINS_ANALYTICS_USER_PASSWORD_PLAIN }}"
+
+jenkins_private_keyfile: "{{ jenkins_home }}/.ssh/id_rsa"
+jenkins_public_keyfile: "{{ jenkins_private_keyfile }}.pub"
+jenkins_admin_users:
+  - "{{ jenkins_user }}"
+
+jenkins_auth_realms_available:
+  unix:
+    name: unix
+    service: su
+    plain_password: "{{ JENKINS_ANALYTICS_USER_PASSWORD_PLAIN }}"
+    username: "{{ jenkins_user }}"
+  github_oauth:
+    name: github_oauth
+    webUri: "{{ JENKINS_ANALYTICS_GITHUB_OAUTH_WEB_URI }}"
+    apiUri: "{{ JENKINS_ANALYTICS_GITHUB_OAUTH_API_URI }}"
+    clientId: "{{ JENKINS_ANALYTICS_GITHUB_OAUTH_CLIENT_ID }}"
+    clientSecret: "{{ JENKINS_ANALYTICS_GITHUB_OAUTH_CLIENT_SECRET }}"
+    oauthScopes: "{{ JENKINS_ANALYTICS_GITHUB_OAUTH_SCOPES }}"
+
+jenkins_auth_realm: "{{ jenkins_auth_realms_available[JENKINS_ANALYTICS_AUTH_REALM] }}"
+
+jenkins_auth_users:
+  anonymous: 
+    - anonymous
+  administrators: "{{ jenkins_admin_users + JENKINS_ANALYTICS_AUTH_ADMINISTRATORS }}"
+  job_builders: "{{ JENKINS_ANALYTICS_AUTH_JOB_BUILDERS | default([]) }}"
+
+jenkins_auth_permissions:
+  anonymous: "{{ JENKINS_ANALYTICS_AUTH_ANONYMOUS_PERMISSIONS }}"
+  administrators: "{{ JENKINS_ANALYTICS_AUTH_ADMINISTRATOR_PERMISSIONS }}"
+  job_builders: "{{ JENKINS_ANALYTICS_AUTH_JOB_BUILDER_PERMISSIONS }}"
 
 # For now only a single seed job is supported, adding more would require
 # Ansible 2.+ or converting _execute_jenkins_cli to a module

playbooks/roles/jenkins_analytics/tasks/execute_jenkins_cli.yaml

 ---
 
-- fail: msg=for now we can execute commands iff jenkins auth realm is unix
-  when: jenkins_auth_realm.name != "unix"
-
 - set_fact:
     jenkins_cli_root: "/tmp/jenkins-cli/{{ ansible_ssh_user }}"
 - set_fact:
     jenkins_cli_jar: "{{ jenkins_cli_root }}/jenkins_cli.jar"
-    jenkins_cli_pass: "{{ jenkins_cli_root }}/jenkins_cli_pass"
 
 - name: create cli dir
   file: name={{ jenkins_cli_root }} state=directory mode="700"
 
-- name: create pass file
-  template: src=jenkins-pass-file.j2 dest={{ jenkins_cli_pass }} mode="600"
-
 - name: Wait for Jenkins CLI
   uri:
     url: "http://localhost:{{ jenkins_port }}/cli/"
@@ -32,14 +25,10 @@
     url: "http://localhost:{{ jenkins_port }}/jnlpJars/jenkins-cli.jar"
     dest: "{{ jenkins_cli_jar }}"
 
-- name: login
-  command: java -jar {{ jenkins_cli_jar }} -s http://localhost:{{ jenkins_port }}
-           login --username={{ jenkins_user }}
-           --password-file={{ jenkins_cli_pass }}
-
 - name: execute command
   shell: >
     {{ jenkins_command_prefix|default('') }} java -jar {{ jenkins_cli_jar }} -s http://localhost:{{ jenkins_port }}
+    -i {{ jenkins_private_keyfile }}
     {{ jenkins_command_string }}
   register: jenkins_command_output
   ignore_errors: "{{ jenkins_ignore_cli_errors|default (False) }}"

playbooks/roles/jenkins_analytics/tasks/main.yml

@@ -7,24 +7,34 @@
   tags:
   - jenkins
 
-- fail: msg=included unix realm by accident
-  when: jenkins_auth_realm.name != "unix"
+- name: Install httplib2 (required by uri module used in this role)
+  pip:
+    name: httplib2
+  tags:
+  - jenkins
+
+# Jenkins authentication/authorization
+
+- fail: msg="invalid auth realm {{ jenkins_auth_realm.name }}"
+  when: jenkins_auth_realm.name != "unix" and jenkins_auth_realm.name != "github_oauth"
   tags:
     - jenkins-auth
 
-- fail: msg=Please change default password for jenkins user
-  when: jenkins_auth_realm.plain_password == 'jenkins'
+- fail: msg="Please change default password for jenkins user"
+  when: jenkins_auth_realm.name == "unix" and jenkins_auth_realm.plain_password == jenkins_auth_realm.username
   tags:
     - jenkins-auth
 
-- name: Install httplib2 (required by uri module used in this role)
-  pip:
-    name: httplib2
+- fail: msg="Please change default github oauth client key and secret"
+  when: jenkins_auth_realm.name == "github_oauth" and ((not jenkins_auth_realm.clientId) or (not jenkins_auth_realm.clientSecret))
+  tags:
+    - jenkins-auth
 
 - name: generate jenkins user password
   shell: "openssl passwd -1 '{{ jenkins_auth_realm.plain_password | quote }}'"
   register: jenkins_user_password_hash
   no_log: True
+  when: jenkins_auth_realm.name == "unix"
   tags:
     - jenkins-auth
 
@@ -33,7 +43,17 @@
     state: present
     groups: shadow
     append: yes
+    password: '!' # locked
+    update_password: always
+    generate_ssh_key: yes
+    ssh_key_file: "{{ jenkins_private_keyfile }}"
+  tags:
+    - jenkins-auth
+
+- user:
+    name: "{{ jenkins_user }}"
     password: "{{ jenkins_user_password_hash.stdout }}"
+  when: jenkins_auth_realm.name == "unix"
   tags:
     - jenkins-auth
 
@@ -46,6 +66,40 @@
   tags:
     - jenkins-auth
 
+- name: jenkins user config dir
+  file:
+    name: "{{ jenkins_home }}/users/{{ jenkins_user }}"
+    state: directory
+    owner: "{{ jenkins_user }}"
+    group: "{{ jenkins_group }}"
+  tags:
+    - jenkins-auth
+
+- name: template jenkins user config.xml
+  template:
+    src: jenkins.user.config.xml
+    dest: "{{ jenkins_home }}/users/{{ jenkins_user }}/config.xml"
+    owner: "{{ jenkins_user }}"
+    group: "{{ jenkins_group }}"
+    force: no  # don't overwrite if already there
+  tags:
+    - jenkins-auth
+
+- name: fetch jenkins user public key
+  shell: "cat {{ jenkins_public_keyfile }}"
+  register: jenkins_public_key
+  tags:
+    - jenkins-auth
+
+- name: add jenkins user public key
+  lineinfile:
+    dest: "{{ jenkins_home }}/users/{{ jenkins_user }}/config.xml"
+    state: present
+    regexp: "^\\s*<authorizedKeys>"
+    line: "<authorizedKeys>{{ jenkins_public_key.stdout }}</authorizedKeys>"
+  tags:
+    - jenkins-auth
+
 # Unconditionally restart Jenkins, this has two side-effects:
 # 1. Jenkins uses new auth realm
 # 2. We guarantee that jenkins is started (this is not certain
@@ -62,7 +116,7 @@
 - name: create credentials dir
   file: name={{ jenkins_credentials_root }} state=directory
   tags:
-    - jenkins-auth
+    - jenkins-credentials
 
 - name: upload groovy script
   template:
@@ -70,7 +124,7 @@
     dest: "{{ jenkins_credentials_script }}"
     mode: "600"
   tags:
-    - jenkins-auth
+    - jenkins-credentials
 
 - name: upload credentials file
   template:
@@ -79,19 +133,19 @@
     mode: "600"
     owner: "{{ jenkins_user }}"
   tags:
-    - jenkins-auth
+    - jenkins-credentials
 
 - name: add credentials
   include: execute_jenkins_cli.yaml
   vars:
     jenkins_command_string: "groovy {{ jenkins_credentials_script }}"
   tags:
-    - jenkins-auth
+    - jenkins-credentials
 
 - name: clean up
   file: name={{ jenkins_credentials_root }} state=absent
   tags:
-    - jenkins-auth
+    - jenkins-credentials
 
 # Upload seed job
 

playbooks/roles/jenkins_analytics/templates/jenkins-pass-file.j2

-{{ jenkins_auth_realm.plain_password }}
\ No newline at end of file

playbooks/roles/jenkins_analytics/templates/jenkins.config.main.xml

@@ -5,46 +5,27 @@
   <numExecutors>{{ JENKINS_ANALYTICS_CONCURRENT_JOBS_COUNT }}</numExecutors>
   <mode>NORMAL</mode>
   <useSecurity>true</useSecurity>
-  {% if jenkins_auth_realm.name == "unix" %}
-   <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
-    <permission>com.cloudbees.plugins.credentials.CredentialsProvider.Create:jenkins</permission>
-    <permission>com.cloudbees.plugins.credentials.CredentialsProvider.Delete:jenkins</permission>
-    <permission>com.cloudbees.plugins.credentials.CredentialsProvider.ManageDomains:jenkins</permission>
-    <permission>com.cloudbees.plugins.credentials.CredentialsProvider.Update:jenkins</permission>
-    <permission>com.cloudbees.plugins.credentials.CredentialsProvider.View:jenkins</permission>
-    <permission>hudson.model.Computer.Build:jenkins</permission>
-    <permission>hudson.model.Computer.Configure:jenkins</permission>
-    <permission>hudson.model.Computer.Connect:jenkins</permission>
-    <permission>hudson.model.Computer.Create:jenkins</permission>
-    <permission>hudson.model.Computer.Delete:jenkins</permission>
-    <permission>hudson.model.Computer.Disconnect:jenkins</permission>
-    <permission>hudson.model.Hudson.Administer:jenkins</permission>
-    <permission>hudson.model.Hudson.ConfigureUpdateCenter:jenkins</permission>
-    <permission>hudson.model.Hudson.Read:jenkins</permission>
-    <permission>hudson.model.Hudson.RunScripts:jenkins</permission>
-    <permission>hudson.model.Hudson.UploadPlugins:jenkins</permission>
-    <permission>hudson.model.Item.Build:jenkins</permission>
-    <permission>hudson.model.Item.Cancel:jenkins</permission>
-    <permission>hudson.model.Item.Configure:jenkins</permission>
-    <permission>hudson.model.Item.Create:jenkins</permission>
-    <permission>hudson.model.Item.Delete:jenkins</permission>
-    <permission>hudson.model.Item.Discover:anonymous</permission>
-    <permission>hudson.model.Item.Discover:jenkins</permission>
-    <permission>hudson.model.Item.Move:jenkins</permission>
-    <permission>hudson.model.Item.Read:anonymous</permission>
-    <permission>hudson.model.Item.Read:jenkins</permission>
-    <permission>hudson.model.Item.Workspace:jenkins</permission>
-    <permission>hudson.model.Run.Delete:jenkins</permission>
-    <permission>hudson.model.Run.Update:jenkins</permission>
-    <permission>hudson.model.View.Configure:jenkins</permission>
-    <permission>hudson.model.View.Create:jenkins</permission>
-    <permission>hudson.model.View.Delete:jenkins</permission>
-    <permission>hudson.model.View.Read:jenkins</permission>
-    <permission>hudson.scm.SCM.Tag:jenkins</permission>
+  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
+  {% for permission_group, permissions in jenkins_auth_permissions.iteritems() %}
+    {% for permission in permissions %}
+      {% for user in jenkins_auth_users[permission_group] | default([]) %}
+      <permission>{{ permission }}:{{ user }}</permission>
+      {% endfor %}
+    {% endfor %}
+  {% endfor %}
   </authorizationStrategy>
+  {% if jenkins_auth_realm.name == "unix" %}
   <securityRealm class="hudson.security.PAMSecurityRealm" plugin="pam-auth@1.2">
     <serviceName>{{ jenkins_auth_realm.service }}</serviceName>
   </securityRealm>
+  {% elif jenkins_auth_realm.name == "github_oauth" %}
+  <securityRealm class="org.jenkinsci.plugins.GithubSecurityRealm">
+    <githubWebUri>{{ jenkins_auth_realm.webUri }}</githubWebUri>
+    <githubApiUri>{{ jenkins_auth_realm.apiUri }}</githubApiUri>
+    <clientID>{{ jenkins_auth_realm.clientId }}</clientID>
+    <clientSecret>{{ jenkins_auth_realm.clientSecret }}</clientSecret>
+    <oauthScopes>{{ jenkins_auth_realm.oauthScopes|join(',') }}</oauthScopes>
+  </securityRealm>
   {% endif %}
   <disableRememberMe>false</disableRememberMe>
   <projectNamingStrategy class="jenkins.model.ProjectNamingStrategy$DefaultProjectNamingStrategy"/>

playbooks/roles/jenkins_analytics/templates/jenkins.user.config.xml

+<?xml version='1.0' encoding='UTF-8'?>
+<user>
+  <fullName>{{ jenkins_user }}</fullName>
+  <description></description>
+  <properties>
+    <jenkins.security.ApiTokenProperty>
+      <apiToken></apiToken>
+    </jenkins.security.ApiTokenProperty>
+    <com.cloudbees.plugins.credentials.UserCredentialsProvider_-UserCredentialsProperty plugin="credentials@1.24">
+      <domainCredentialsMap class="hudson.util.CopyOnWriteMap$Hash">
+        <entry>
+          <com.cloudbees.plugins.credentials.domains.Domain>
+            <specifications/>
+          </com.cloudbees.plugins.credentials.domains.Domain>
+          <java.util.concurrent.CopyOnWriteArrayList/>
+        </entry>
+      </domainCredentialsMap>
+    </com.cloudbees.plugins.credentials.UserCredentialsProvider_-UserCredentialsProperty>
+    <hudson.tasks.Mailer_-UserProperty plugin="mailer@1.11">
+      <emailAddress></emailAddress>
+    </hudson.tasks.Mailer_-UserProperty>
+    <jenkins.security.LastGrantedAuthoritiesProperty>
+      <roles>
+        <string>edx</string>
+        <string>shadow</string>
+        <string>jenkins</string>
+        <string>authenticated</string>
+      </roles>
+      <timestamp>1457073573763</timestamp>
+    </jenkins.security.LastGrantedAuthoritiesProperty>
+    <hudson.model.MyViewsProperty>
+      <primaryViewName></primaryViewName>
+      <views>
+        <hudson.model.AllView>
+          <owner class="hudson.model.MyViewsProperty" reference="../../.."/>
+          <name>All</name>
+          <filterExecutors>false</filterExecutors>
+          <filterQueue>false</filterQueue>
+          <properties class="hudson.model.View$PropertyList"/>
+        </hudson.model.AllView>
+      </views>
+    </hudson.model.MyViewsProperty>
+    <hudson.model.PaneStatusProperties>
+      <collapsed/>
+    </hudson.model.PaneStatusProperties>
+    <org.jenkinsci.main.modules.cli.auth.ssh.UserPropertyImpl>
+      <authorizedKeys></authorizedKeys>
+    </org.jenkinsci.main.modules.cli.auth.ssh.UserPropertyImpl>
+    <hudson.search.UserSearchProperty>
+      <insensitiveSearch>false</insensitiveSearch>
+    </hudson.search.UserSearchProperty>
+  </properties>
+</user>

playbooks/roles/jenkins_master/defaults/main.yml

@@ -35,7 +35,7 @@ jenkins_plugins:
     - { name: "git-client", version: "1.19.0"}
     - { name: "github", version: "1.14.0" }
     - { name: "github-api", version: "1.69" }
-    - { name: "github-oauth", version: "0.20" }
+    - { name: "github-oauth", version: "0.22.3" }
     - { name: "github-sqs-plugin", version: "1.5" }
     - { name: "gradle", version: "1.24" }
     - { name: "grails", version: "1.7" }