limit user access to specific pipeline #106
We have a CI (https://main.bosh-ci.cf-app.com/) that has multiple pipelines and would like to limit specific users to specific pipelines. I hear the long-term plan is to integrate with UAA, but for a short-term solution it would be nice to set basic auth creds per pipeline when deploying atc.
We use Pivotal Tracker to provide visibility into what our team is working on. A story for this issue has been automatically created.
The current status is as follows:
This comment, as well as the labels on the issue, will be automatically updated as the status in Tracker changes.
Rather than deploy-time, I'm thinking this should be done via
It also shouldn't go in the pipeline template, since those should be reusable and generic. So maybe something like:
```shell
fly set-pipeline-auth \
  -p foo \
  --basic-auth-username foo \
  --basic-auth-password bar \
  --github-auth-client-id abcdef \
  --github-auth-client-secret 324867jkherj \
  --github-auth-user vito
```
...Which you'd then just stow away in a script somewhere safe for keeping it up to date.
There are other details to think about, i.e. what's the default for new pipelines. Maybe the flags are required as part of
Thinking about this a bit more, I suspect we'll need two tiers of auth:
Teams would be created + updated like so:
```shell
fly set-team \
  -n my-team \
  --basic-auth-username foo \
  --basic-auth-password bar
```
Out of the box, there's a default
Teams can create pipelines, and pipelines are owned by one team. Pipelines are cheap to create and they're encouraged for managing feature branches and concurrently supported versions, so the auth barrier to configuring them should be low.
Teams would also be able to change their own credentials. This would make it easier to manage leaked credentials without relying on a superuser. It also makes the out-of-the-box experience a bit more intuitive; there'd be a default team and you can change its credentials. This would make the AWS box way more useful, too; right now it's wide open with no auth.
The delta from today:
My use case around this is that I have multiple teams with low resource needs. I'd like to be able to provision a Concourse with medium/high resource levels and give individual teams access to their pipelines. Assuming that those with access are acting responsibly, they should be able to share an ATC and many workers without resource contention, but should only be able to modify the pipelines for their team.
Ultimately, I'd like to be in the position where someone in my circle of trust can say "I wish I had Concourse, but deploying it is too hard", and I can say "I know your GitHub team is foo/bar. I've given you a foo-bar pipeline. Have fun."
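The "one Concourse team per GitHub team, one pipeline per team" workflow sketched in the two comments above, written out as an added example script. This is not code from the issue thread or from the Concourse project; it assumes the `fly set-team` flags proposed above (`--github-auth-client-id`, `--github-auth-client-secret`, `--github-auth-team`), an admin target named `ci` that is already logged in to the default team, the Concourse URL in `CONCOURSE_URL`, and a pipeline config file named `<team>.yml` for each team. `github_team_valid`, `pipeline_name_for_team`, `provision_team` and `assert_isolated` are names chosen here for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the issue or the Concourse project.
# Creates one Concourse team per GitHub team ("foo/bar" -> team "foo-bar"),
# pushes that team's pipeline through a target scoped to the team rather than
# the admin target, and checks that the team cannot see another team's pipeline.
# Assumed: fly flags as proposed in the thread, admin target "ci", $CONCOURSE_URL,
# pipeline config at "<team>.yml". GitHub login via fly is interactive.
set -euo pipefail

# Accept exactly one "org/team" (hypothetical local check; the real test is
# whether fly/GitHub accept the value).
github_team_valid() {
  case "$1" in
    */*/*|/*|*/|"") return 1 ;;
    */*) return 0 ;;
    *) return 1 ;;
  esac
}

# "foo/bar" -> "foo-bar", the naming used in the comment above.
pipeline_name_for_team() {
  printf '%s\n' "${1//\//-}"
}

# A team-scoped target must not list a pipeline that belongs to another team.
# $1 = team-scoped target, $2 = a pipeline name owned by a different team.
assert_isolated() {
  local target="$1" other="$2"
  if fly -t "$target" pipelines | awk '{print $1}' | grep -qx -- "$other"; then
    echo "isolation failure: target $target can see pipeline $other" >&2
    return 1
  fi
}

# $1 = GitHub team "org/team", $2/$3 = GitHub OAuth client id/secret.
provision_team() {
  local gh_team="$1" client_id="$2" client_secret="$3"
  github_team_valid "$gh_team" || { echo "bad GitHub team: $gh_team" >&2; return 1; }
  local team; team="$(pipeline_name_for_team "$gh_team")"

  # Admin step: create or update the team on the main-team target.
  fly -t ci set-team -n "$team" \
    --github-auth-client-id "$client_id" \
    --github-auth-client-secret "$client_secret" \
    --github-auth-team "$gh_team"

  # Everything after this uses a target logged in as the new team, so the
  # pipeline is owned by that team and never touched with admin credentials.
  fly -t "$team" login -c "$CONCOURSE_URL" -n "$team"
  fly -t "$team" set-pipeline -p "$team" -c "$team.yml" --non-interactive
}

# Usage, run by hand after the functions are defined:
#   provision_team foo/bar "$GH_CLIENT_ID" "$GH_CLIENT_SECRET"
#   provision_team baz/qux "$GH_CLIENT_ID" "$GH_CLIENT_SECRET"
#   assert_isolated foo-bar baz-qux && assert_isolated baz-qux foo-bar
```

The isolation check is the part worth keeping around: after any change to team auth, log in as each team and confirm it sees only its own pipelines, since a mis-set `--github-auth-team` silently widens who can reconfigure a pipeline.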
All stories related to this issue have been accepted, so I'm going to automatically close this issue.
At the time of writing, the following stories have been accepted:
If you feel there is still more to be done, or if you have any questions, leave a comment and we'll reopen if necessary!
On Thu, Aug 25, 2016 at 3:08 PM +1000, "Christopher Brown" firstname.lastname@example.org wrote:
DANG. WHAT'S UP WITH ALL THESE STORIES.