feat: enable Lix admins to admin the Buildbot properly
This removes the need for a proxy and rely on the `groups` property of the `userDetails` passed at the authentication layer. To add a certain role, add the group `buildbot-$role` to that user via Keycloak. Signed-off-by: Raito Bezarius <raito@lix.systems>
This commit is contained in:
parent
45135d249b
commit
efa7a950c3
|
@ -17,7 +17,6 @@ from buildbot.process.properties import Interpolate, Properties
|
|||
from buildbot.process.results import ALL_RESULTS, statusToString
|
||||
from buildbot.steps.trigger import Trigger
|
||||
from buildbot.util import asyncSleep
|
||||
from buildbot.www.authz.endpointmatchers import EndpointMatcherBase, Match
|
||||
from buildbot.www.oauth2 import OAuth2Auth
|
||||
from buildbot.changes.gerritchangesource import GerritChangeSource
|
||||
from buildbot.reporters.utils import getURLForBuild
|
||||
|
@ -901,3 +900,18 @@ class GerritNixConfigurator(ConfiguratorBase):
|
|||
|
||||
if "auth" not in config["www"]:
|
||||
config["www"]["auth"] = LixSystemsOAuth2('buildbot', read_secret_file('buildbot-oauth2-secret'), autologin=True)
|
||||
|
||||
if "authz" not in config["www"]:
|
||||
config["www"]["authz"] = util.Authz(
|
||||
allowRules=[
|
||||
util.AnyEndpointMatcher(role="admins", defaultDeny=False),
|
||||
util.StopBuildEndpointMatcher(role="owner"),
|
||||
util.AnyControlEndpointMatcher(role="admins"),
|
||||
],
|
||||
roleMatcher=[
|
||||
# A user must have buildbot-<something> to have the role <something>
|
||||
# e.g. buildbot-admins to be admin.
|
||||
util.RolesFromGroups(groupPrefix="buildbot-"),
|
||||
util.RolesFromOwner(role="owner")
|
||||
],
|
||||
)
|
||||
|
|
Loading…
Reference in a new issue