Jump to: navigation, search

Difference between revisions of "Hudson-ci/features/Team Concept"

(Implementation Note)
m (list-teams CLI Command)
(17 intermediate revisions by the same user not shown)
Line 160: Line 160:
 
*When switching between Team administration to/from standard or no administration data (jobs) must not be lost
 
*When switching between Team administration to/from standard or no administration data (jobs) must not be lost
  
== Desirable Features (For Discussion) ==
+
== Desirable Features  ==
  
 
*It would be good if team configurations were preserved even when team feature is not active. Currently, toggling security or switching security realms or authorization methods does not preserve previous configuration data. However, the investment in team configuration is liable to be substantial and responsibility divided among multiple people; it could be very difficult to recover manually.<br>
 
*It would be good if team configurations were preserved even when team feature is not active. Currently, toggling security or switching security realms or authorization methods does not preserve previous configuration data. However, the investment in team configuration is liable to be substantial and responsibility divided among multiple people; it could be very difficult to recover manually.<br>
 
 
  
 
== Implementation Note ==
 
== Implementation Note ==
Line 178: Line 176:
 
Use of <i>may</i> in the following indicates a proposal is on the table but no final decision has been made.
 
Use of <i>may</i> in the following indicates a proposal is on the table but no final decision has been made.
  
=== No job id ==
+
=== No job id ===
  
 
The job id has been removed. Job id and team id no longer appear in a job's config file.
 
The job id has been removed. Job id and team id no longer appear in a job's config file.
Line 186: Line 184:
 
The job name of a team job (except for the public team) is <code><i>team-name</i>.<i>job-part</i></code>, where <code><i>team-name</i></code> is the name of the team and <code><i>job-part</i></code> is the part of the job name that is unique within the team. For a public job, the <code><i>team-name</i>.</code> is omitted; only the <code><i>job-part</i></code> is used. The entire job name must, of course, be globally unique.
 
The job name of a team job (except for the public team) is <code><i>team-name</i>.<i>job-part</i></code>, where <code><i>team-name</i></code> is the name of the team and <code><i>job-part</i></code> is the part of the job name that is unique within the team. For a public job, the <code><i>team-name</i>.</code> is omitted; only the <code><i>job-part</i></code> is used. The entire job name must, of course, be globally unique.
  
The '.' (dot/period) used to separate the parts of a team job name is not a reserved character. It may appear in the names of public jobs and elsewhere in the names of team jobs. Dot is chosen because it is a conventional namespace separator character. However, the presence of a dot does not, of itself, identify the job as belonging to a namespace. Only the creation of a job in a specific team does that; the name follows the membership, not vice versa.
+
The <code>'.'</code> (dot/period) used to separate the parts of a team job name is not a reserved character. It may appear in the names of public jobs and elsewhere in the names of team jobs. Dot is chosen because it is a conventional namespace separator character. However, the presence of a dot does not, of itself, identify the job as belonging to a namespace. Only the creation of a job in a specific team does that; the name follows the membership, not vice versa.
  
The only two places in the UI where the job name appears as <code><i>job-part</i></code> without the team qualifier are in the <b>New Job</b> and <b>Configure Job</b> pages. Both of these are edit contexts
+
The only two places in the UI where the job name appears as <code><i>job-part</i></code> without the team qualifier are in the <b>New Job</b> and <b>Configure Job</b> pages. Both of these are edit contexts; in the latter, an edit causes a job rename.
  
 
To minimize confusion, a check <i>may</i> be added to <b>New Job</b> to discourage names with extra dots, but that would restrict the user while not preventing the creation of such jobs by other means.
 
To minimize confusion, a check <i>may</i> be added to <b>New Job</b> to discourage names with extra dots, but that would restrict the user while not preventing the creation of such jobs by other means.
Line 196: Line 194:
 
Public jobs are folders in <code>HUDSON_HOME/jobs/<i>job-name</i></code>. Team jobs are folders in <code>HUDSON_HOME/teams/<i>team-name</i>/<i>job-name</i></code>. This addresses a user requirement that files for a particular team be isolated to a single folder.
 
Public jobs are folders in <code>HUDSON_HOME/jobs/<i>job-name</i></code>. Team jobs are folders in <code>HUDSON_HOME/teams/<i>team-name</i>/<i>job-name</i></code>. This addresses a user requirement that files for a particular team be isolated to a single folder.
  
There <i>may</i> be an option to locate a team job in <code>HUDSON_HOME/jobs/<i>job-name</i></code>, set when the team is created.
+
There <i>may</i> be an option to co-locate a team job with public jobs, in <code>HUDSON_HOME/jobs/<i>job-name</i></code>. The option would be set when a job is created. There <i>may</i> be a way to change the default of this option in the Hudson system configuration. Turning co-locate on makes it more likely that plugins that examine job files or back them up continue to work without modification. Turning it off satisfies the separate folder requirement, which not all users may have. The option would pave the way for entirely user-configurable individual job location, not contemplated in this release.
  
=== Locating Jobs ===
 
  
If the dot in a job name is not significant, how is
 
  
 
=== TeamManager ===
 
=== TeamManager ===
Line 217: Line 213:
 
* The <b>New Job</b> page may have an option to select a team in either of these cases.
 
* The <b>New Job</b> page may have an option to select a team in either of these cases.
 
* The CLI commands dealing with job management may have an added, optional argument to designate a target team.
 
* The CLI commands dealing with job management may have an added, optional argument to designate a target team.
 +
 +
=== Public Means Public Visibility ===
 +
 +
Any user, even the anonymous user, can see public jobs, their build status and history, build logs, etc. Anonymous users, however, cannot configure the jobs or start a build.
 +
 +
If you don't like this behavior and want to keep all team jobs private, see following section, Shared Teams.
 +
 +
=== Shared Teams and Roles ===
 +
 +
The team authorization strategy respects roles.
 +
 +
To create a shared team, create a team, e.g., named <code>Shared</code>, and make all users members of the shared team with only read access. If the Shared team has no admins, only the sys admin will be able to manage jobs in <code>Shared</code>. This is equivalent to the public team but only visible to team members or admins.
 +
 +
This scheme can be generalized to multiple groups of teams; each group can have their own shared group which is not visible to other groups.
 +
 +
Obviously, administration as described above would be tedious. It is easier to use a security manager that allows you to define roles, like LDAP. Then all team users can be assigned a "shared" role, and only the role needs to be added to a shared team folder.
 +
 +
Note that with the built-in Hudson security manager, all logged in users have the Authority/role "authenticated".
 +
 +
=== list-teams CLI Command ===
 +
 +
The list-teams CLI Command allows a command line user to discover the team access permissions of the user or of users in teams the user administers. No user has access to more information than is provided by the Hudson UI, except that an individual user who is not an admin may not be aware of all the details.
 +
<pre>
 +
java -jar &lt;path-to&gt;/hudson-cli.jar list-teams [--username &lt;username&gt; --password &lt;password&gt;]
 +
                                              [-u &lt;user-list&gt;] [-format plain|xml|csv]
 +
</pre>
 +
 +
The <code>--username</code> and <code>--password</code> can be specified on the command, in a preceding login command or in any of the ways that username and password can be passed to simple HTML authentication. If there is no identified user, the response is for the anonymous user.
 +
 +
The <code>-u</code> or <code>--users</code> option allows an admin user to request information about users in teams the logged in user administers. The system administrator can ask about any or all team users. The <code>user-list</code> may be specified as a comma-separated list of user names, e.g. "bill" or "bart,betty". "*" includes all administered team users, including the current user. If any of the names in the list is not an administered user, the command fails.
 +
 +
The <code>-format</code> option allows selection of <code>xml</code>, <code>csv</code> or <code>plain</code> report format. The default is <code>plain</code>. (<code>-format</code> is used rather than <code>--format</code> for compatibility with the <code>list-changes</code> command.)
 +
 +
For example, <code>list-teams</code> with no arguments always produces:
 +
<pre>
 +
$ ... list-teams
 +
public  Read
 +
</pre>
 +
Because even the anonymous user can see public jobs and build information.
 +
<pre>
 +
$ ... list-teams --username bart --password secret
 +
A      Build Configure Create Delete ExtendedRead Read WipeOut Workspace
 +
B      Admin Build Configure Create Delete ExtendedRead Read WipeOut Workspace
 +
public  Read
 +
</pre>
 +
Shows that bart is a member of two teams with all permissions, except bart is admin only in team B. Like all users, bart has Read access to public team jobs.
 +
 +
The same result in columnar, csv format:
 +
<pre>
 +
$ ... list-teams --username bart --password secret -format csv
 +
Team,Admin,Build,Configure,Create,Delete,ExtendedRead,Read,WipeOut,Workspace
 +
A,-,X,X,X,X,X,X,X
 +
B,X,X,X,X,X,X,X,X
 +
public,-,-,-,-,-,-,X,-
 +
</pre>
 +
Finally, the result for users administered by bart, in all three formats. Plain:
 +
<pre>
 +
$ ... list-teams --username bart --password bart -u "*"
 +
bart B  Admin Build Configure Create Delete ExtendedRead Read WipeOut Workspace
 +
biff B  Build Configure Create ExtendedRead Read Workspace
 +
bill B  Build Configure Create Delete ExtendedRead Read WipeOut Workspace
 +
</pre>
 +
CSV:
 +
<pre>
 +
$ ... list-teams --username bart --password secret -format csv -u "*"
 +
User,Team,Admin,Build,Configure,Create,Delete,ExtendedRead,Read,WipeOut,Workspace
 +
bart,B,X,X,X,X,X,X,X,X
 +
biff,B,-,X,X,X,-,X,X,-
 +
bill,B,-,X,X,X,X,X,X,X
 +
</pre>
 +
And the ever-tedious XML:
 +
<pre>
 +
$ ... list-teams --username bart --password bart -format xml -u "*"
 +
<users>
 +
  <user>
 +
    <name>bart</name>
 +
    <teams>
 +
      <team>
 +
        <name>B</name>
 +
        <permissions>
 +
          <permission>Admin</permission>
 +
          <permission>Build</permission>
 +
          <permission>Configure</permission>
 +
          <permission>Create</permission>
 +
          <permission>Delete</permission>
 +
          <permission>ExtendedRead</permission>
 +
          <permission>Read</permission>
 +
          <permission>WipeOut</permission>
 +
          <permission>Workspace</permission>
 +
        </permissions>
 +
      </team>
 +
    </teams>
 +
  </user>
 +
  <user>
 +
    <name>biff</name>
 +
    <teams>
 +
      <team>
 +
        <name>B</name>
 +
        <permissions>
 +
          <permission>Build</permission>
 +
          <permission>Configure</permission>
 +
          <permission>Create</permission>
 +
          <permission>ExtendedRead</permission>
 +
          <permission>Read</permission>
 +
          <permission>Workspace</permission>
 +
        </permissions>
 +
      </team>
 +
    </teams>
 +
  </user>
 +
  <user>
 +
    <name>bill</name>
 +
    <teams>
 +
      <team>
 +
        <name>B</name>
 +
        <permissions>
 +
          <permission>Build</permission>
 +
          <permission>Configure</permission>
 +
          <permission>Create</permission>
 +
          <permission>Delete</permission>
 +
          <permission>ExtendedRead</permission>
 +
          <permission>Read</permission>
 +
          <permission>WipeOut</permission>
 +
          <permission>Workspace</permission>
 +
        </permissions>
 +
      </team>
 +
    </teams>
 +
  </user>
 +
</users>
 +
</pre>
 +
 +
Since bart is admin only in team B, only user information about team B is shown. A system admin, however, can see all users in all teams.
 +
<pre>
 +
$ ... list-teams --username admin --password supersecret -u "*" -format csv
 +
User,Team,Admin,Build,Configure,Create,Delete,ExtendedRead,Read,WipeOut,Workspace
 +
bart,A,-,X,X,X,X,X,X,X
 +
bart,B,X,X,X,X,X,X,X,X
 +
bart,public,-,-,-,-,-,-,X,-
 +
biff,A,-,X,-,-,-,-,X,-
 +
biff,public,-,-,-,-,-,-,X,-
 +
bill,A,X,X,X,X,X,X,X,X
 +
bill,B,-,X,X,X,X,X,X,X
 +
bill,public,-,-,-,-,-,-,X,-
 +
</pre>
 +
 +
=== Team White Paper (Work In Progress) ===
 +
 +
[[Hudson-ci/features/Team Feature White Paper|White Paper]]

Revision as of 20:37, 23 July 2013

The idea is to implement the concept of team so that several authentication and authorization can be assigned to that team. This helps multiple software project teams can use a single Hudson, but each team won't mess with other teams jobs.  See also the Team Concept User view page.

Concept

System admin

Every Hudson instance will have at least one Sys Admin. Each Sys Admin will have Hudson wide authorization. Some of the main responsibilities are

  • Set up team and adding a team admin
  • All  higher level administrations like installing plugin, setting up security, and configuring the system

Team Admin

Every team will have at least one team admin . Team admin has less power. Each Team Admin will have team wided authorization.  Some of the main responsibilities are

  • Add and remove team members
  • Setting permission for team members

Team member

Each team will have one or more members.  The authorizations are

  • Can create and configure job if team admin admits
  • Can set a job as public so that other teams can see it
  • Can delete any job if team admin admits or only delete the self created job
  • Can delete any job builds if team admin admits or only delete the self created job builds
  • Can run any team job and public job

Authorization  Schemes

The three authorization schemes  required are

  • System Admin Authorization
  • Team Admin Authorization
  • Team Member Authorization

Job scope

There are two scopes

Public Scope

  • Any one can view this job
  • Only Sys Admin can delete this job
  • Only Sys Admin can configure this job
  • Only Sys Admin can run this job

Team Scope

  • Only team members can view team private jobs
  • Only certain team members can manually run
  • Only certain team members can edit configuration
  • Only certain team members can delete job
  • Only certain team members can delete job build

Job Visibility

The visibility of a job can be set to

public

  • Any one can view this job
  • Only members can configure, run and delete the job

Team private

  • Only visible to team members

Particular team can only view their jobs and any public jobs.  Anonymous users can view jobs only allowed to view as public

 

Capabilities

Capability System Admin Team Admin Team Member
Create system admin Y - -
Create team admin Y Team -
Create team member Y Team -
View team job Y Team Team
Create team job Y Team <Team>
Delete team job Y Team Self-created or <Team>
Configure team job Y Team Self-created or <Team>
Run team job Y Team Self-created or <Team>
Set team job public Y Team <Team>

Legend:

Scope Means
Y All teams
- Not allowed
Team Only within the same team
<Team> Only within the same team if capability granted by system or team admin
Self-created Only if created by that team member

Requirements

  • Team concept must be implemnted as an Authorization scheme and easily switchable to other authorization scheme
  • Multiple teams must be able to use same name for a job.
  • Jobs must be saved in team specific folders
  • Build History should show only the jobs accessible to the current user
  • The people dashboard should display only the team members of the current user
  • Build executor status must display jobs of the current user team
  • If a team is deleted, then all its jobs must become global jobs, so that System Admin can assign them to other teams
  • When switching between Team administration to/from standard or no administration data (jobs) must not be lost

Desirable Features

  • It would be good if team configurations were preserved even when team feature is not active. Currently, toggling security or switching security realms or authorization methods does not preserve previous configuration data. However, the investment in team configuration is liable to be substantial and responsibility divided among multiple people; it could be very difficult to recover manually.

Implementation Note

In order to support jobs with same name on multiple teams, all jobs are associated with an id. The is a fully qualified name "team.jobName" for team jobs or "jobName" for public (non-team or team sysAdmin) jobs. So the URL would look like the following

TeamJobAcessUrl.png

When the Team Manager is enabled, all job names used in Command Line, must have the fully qualified Name (Eg. myTeam.myJob) for team jobs or unqualified name (e.g., myJob) for public jobs.

Implementation Update

Use of may in the following indicates a proposal is on the table but no final decision has been made.

No job id

The job id has been removed. Job id and team id no longer appear in a job's config file.

Job name

The job name of a team job (except for the public team) is team-name.job-part, where team-name is the name of the team and job-part is the part of the job name that is unique within the team. For a public job, the team-name. is omitted; only the job-part is used. The entire job name must, of course, be globally unique.

The '.' (dot/period) used to separate the parts of a team job name is not a reserved character. It may appear in the names of public jobs and elsewhere in the names of team jobs. Dot is chosen because it is a conventional namespace separator character. However, the presence of a dot does not, of itself, identify the job as belonging to a namespace. Only the creation of a job in a specific team does that; the name follows the membership, not vice versa.

The only two places in the UI where the job name appears as job-part without the team qualifier are in the New Job and Configure Job pages. Both of these are edit contexts; in the latter, an edit causes a job rename.

To minimize confusion, a check may be added to New Job to discourage names with extra dots, but that would restrict the user while not preventing the creation of such jobs by other means.

Job Location

Public jobs are folders in HUDSON_HOME/jobs/job-name. Team jobs are folders in HUDSON_HOME/teams/team-name/job-name. This addresses a user requirement that files for a particular team be isolated to a single folder.

There may be an option to co-locate a team job with public jobs, in HUDSON_HOME/jobs/job-name. The option would be set when a job is created. There may be a way to change the default of this option in the Hudson system configuration. Turning co-locate on makes it more likely that plugins that examine job files or back them up continue to work without modification. Turning it off satisfies the separate folder requirement, which not all users may have. The option would pave the way for entirely user-configurable individual job location, not contemplated in this release.


TeamManager

Formerly TeamManager was only available when team was enabled. To allow team jobs to be visible and usable even if team is temporarily disabled - a user requirement - the TeamManager will be available and active at all times, independent of whether team validation is in use. If team validation is disabled, it will behave as if all users are members of the public team. Otherwise, it will assign users to their correct team(s).

You may be wondering how, if the team namespace qualification in a job name is not reserved and team jobs might appear in different locations depending on configuration, how are team jobs located? When any job is created, it is assigned to the current user's team. When a job is loaded or saved, Hudson asks the TeamManager and uses the location assigned to the team.

There are two exceptions to this rule:

  • A user may be a member of more than one team.
  • The sys admin user is considered to be a member of all teams, including the public team.

To deal with this, two changes may be required:

  • The New Job page may have an option to select a team in either of these cases.
  • The CLI commands dealing with job management may have an added, optional argument to designate a target team.

Public Means Public Visibility

Any user, even the anonymous user, can see public jobs, their build status and history, build logs, etc. Anonymous users, however, cannot configure the jobs or start a build.

If you don't like this behavior and want to keep all team jobs private, see following section, Shared Teams.

Shared Teams and Roles

The team authorization strategy respects roles.

To create a shared team, create a team, e.g., named Shared, and make all users members of the shared team with only read access. If the Shared team has no admins, only the sys admin will be able to manage jobs in Shared. This is equivalent to the public team but only visible to team members or admins.

This scheme can be generalized to multiple groups of teams; each group can have their own shared group which is not visible to other groups.

Obviously, administration as described above would be tedious. It is easier to use a security manager that allows you to define roles, like LDAP. Then all team users can be assigned a "shared" role, and only the role needs to be added to a shared team folder.

Note that with the built-in Hudson security manager, all logged in users have the Authority/role "authenticated".

list-teams CLI Command

The list-teams CLI Command allows a command line user to discover the team access permissions of the user or of users in teams the user administers. No user has access to more information than is provided by the Hudson UI, except that an individual user who is not an admin may not be aware of all the details.

java -jar <path-to>/hudson-cli.jar list-teams [--username <username> --password <password>] 
                                              [-u <user-list>] [-format plain|xml|csv]

The --username and --password can be specified on the command, in a preceding login command or in any of the ways that username and password can be passed to simple HTML authentication. If there is no identified user, the response is for the anonymous user.

The -u or --users option allows an admin user to request information about users in teams the logged in user administers. The system administrator can ask about any or all team users. The user-list may be specified as a comma-separated list of user names, e.g. "bill" or "bart,betty". "*" includes all administered team users, including the current user. If any of the names in the list is not an administered user, the command fails.

The -format option allows selection of xml, csv or plain report format. The default is plain. (-format is used rather than --format for compatibility with the list-changes command.)

For example, list-teams with no arguments always produces:

$ ... list-teams
public  Read

Because even the anonymous user can see public jobs and build information.

$ ... list-teams --username bart --password secret
A       Build Configure Create Delete ExtendedRead Read WipeOut Workspace
B       Admin Build Configure Create Delete ExtendedRead Read WipeOut Workspace
public  Read

Shows that bart is a member of two teams with all permissions, except bart is admin only in team B. Like all users, bart has Read access to public team jobs.

The same result in columnar, csv format:

$ ... list-teams --username bart --password secret -format csv
Team,Admin,Build,Configure,Create,Delete,ExtendedRead,Read,WipeOut,Workspace
A,-,X,X,X,X,X,X,X
B,X,X,X,X,X,X,X,X
public,-,-,-,-,-,-,X,-

Finally, the result for users administered by bart, in all three formats. Plain:

$ ... list-teams --username bart --password bart -u "*"
bart B  Admin Build Configure Create Delete ExtendedRead Read WipeOut Workspace
biff B  Build Configure Create ExtendedRead Read Workspace
bill B  Build Configure Create Delete ExtendedRead Read WipeOut Workspace

CSV:

$ ... list-teams --username bart --password secret -format csv -u "*"
User,Team,Admin,Build,Configure,Create,Delete,ExtendedRead,Read,WipeOut,Workspace
bart,B,X,X,X,X,X,X,X,X
biff,B,-,X,X,X,-,X,X,-
bill,B,-,X,X,X,X,X,X,X

And the ever-tedious XML:

$ ... list-teams --username bart --password bart -format xml -u "*"
<users>
  <user>
    <name>bart</name>
    <teams>
      <team>
        <name>B</name>
        <permissions>
          <permission>Admin</permission>
          <permission>Build</permission>
          <permission>Configure</permission>
          <permission>Create</permission>
          <permission>Delete</permission>
          <permission>ExtendedRead</permission>
          <permission>Read</permission>
          <permission>WipeOut</permission>
          <permission>Workspace</permission>
        </permissions>
      </team>
    </teams>
  </user>
  <user>
    <name>biff</name>
    <teams>
      <team>
        <name>B</name>
        <permissions>
          <permission>Build</permission>
          <permission>Configure</permission>
          <permission>Create</permission>
          <permission>ExtendedRead</permission>
          <permission>Read</permission>
          <permission>Workspace</permission>
        </permissions>
      </team>
    </teams>
  </user>
  <user>
    <name>bill</name>
    <teams>
      <team>
        <name>B</name>
        <permissions>
          <permission>Build</permission>
          <permission>Configure</permission>
          <permission>Create</permission>
          <permission>Delete</permission>
          <permission>ExtendedRead</permission>
          <permission>Read</permission>
          <permission>WipeOut</permission>
          <permission>Workspace</permission>
        </permissions>
      </team>
    </teams>
  </user>
</users>

Since bart is admin only in team B, only user information about team B is shown. A system admin, however, can see all users in all teams.

$ ... list-teams --username admin --password supersecret -u "*" -format csv
User,Team,Admin,Build,Configure,Create,Delete,ExtendedRead,Read,WipeOut,Workspace
bart,A,-,X,X,X,X,X,X,X
bart,B,X,X,X,X,X,X,X,X
bart,public,-,-,-,-,-,-,X,-
biff,A,-,X,-,-,-,-,X,-
biff,public,-,-,-,-,-,-,X,-
bill,A,X,X,X,X,X,X,X,X
bill,B,-,X,X,X,X,X,X,X
bill,public,-,-,-,-,-,-,X,-

Team White Paper (Work In Progress)

White Paper