Nicer JCasC syntax for defining permissions #145
Conversation
...st/resources/org/jenkinsci/plugins/matrixauth/integrations/casc/configuration-as-code-v3.yml
Outdated
Show resolved
Hide resolved
|
@timja Just in case, any thoughts about this? |
|
It looks good to me, just some tests to sort out by the looks of it? (a bunch of commented unit tests) |
...org/jenkinsci/plugins/matrixauth/integrations/casc/ExportTest/ExportTest-exportTest-node.yml
Outdated
Show resolved
Hide resolved
| assertEquals( | ||
| toStringFromYamlFile( | ||
| this, | ||
| "/org/jenkinsci/plugins/matrixauth/integrations/casc/ExportTest/ExportTest-exportTestLegacy-global.yml"), |
There was a problem hiding this comment.
the classpath entry should be relative, I would have thought ExportTest-exportTestLegacy-global.yml would work but this stuff can be a real pain sometimes and very hard to debug
There was a problem hiding this comment.
I wanted these files in the folder corresponding to the class, not in the folder for the package. (Kinda redundant with the file name now though 🤔 )
There was a problem hiding this comment.
ExportTest/exportTestLegacy-global.yml would work then I think?
There was a problem hiding this comment.
Huh. Never tried that. Javadoc indicates this could work.
|
Hi, I saw the breaking-change warning in the 3.2 release notes. jenkins:
authorizationStrategy:
azureAdMatrix:
permissions:
- "USER:Overall/Administer:My Account (356726a4-2127-4e27-a763-483511f9aee1)"I think JCasC for node permissions might even break completely until azure-ad-plugin is updated, as OpenShift Login also depends on matrix-auth but I don't know what kind of JCasC structure it uses or what methods it calls. |
|
FWIW I've attempted to maintain backward compatibility with older versions of the JCasC syntax (the YAML part, not the Job DSL Groovy part) and it should work with those older configs, but I still recommend caution when updating. The Job DSL and Pipeline syntaxes aren't as configurable and those are fully incompatible.
With regards to |
|
I see; then the referenced classes of matrix-auth will need to be essentially forked into azure-ad so that it doesn't rely on private APIs. |
|
@daniel-beck Do you happen to know if any other plugins, in particular (What's that "law" that anything will become depended upon by someone 😓.) |
|
@PiersRBME, there is no "SuppressRestrictedWarnings" in the https://github.com/jenkinsci/oic-auth-plugin/ and https://github.com/jenkinsci/saml-plugin/ repositories, not even in history. |
|
@PiersRBME They don't show up on https://plugins.jenkins.io/matrix-auth/dependencies/ as dependants, so do not use any APIs of this plugin, except of those defined in core. Looks to me like y'all need staging environments 😉 |
|
(in progress for AzureAD) |
|
Yeah, have non-prod envs and was able to check and update the CASC format - it is clearer. But, yeah backwards compat is hard. Someone somewhere will come to rely on everything, private or not. To an outsider a change in one plugin that breaks another is an irritation (at best) -- that the dev of one doesn't care about breaking the other at all is not much comfort, whatever the reason! |
|
Not done yet but I've opened a draft PR: jenkinsci/azure-ad-plugin#460 |
.../jenkinsci/plugins/matrixauth/integrations/casc/MatrixAuthorizationStrategyConfigurator.java
Show resolved
Hide resolved
Alternative to #111 with (IMO) nicer structure.
Complements #144 (which is for Job DSL / Pipeline).
Feedback welcome.