Opened 5 years ago

Last modified 9 months ago

#52455 new enhancement

Buildbot: use GitHub authentication

Reported by: ryandesign (Ryan Schmidt) Owned by: admin@…
Priority: Low Milestone:
Component: buildbot/mpbb Version:
Keywords: buildbot Cc: neverpanic (Clemens Lang), mojca (Mojca Miklavec), raimue (Rainer Müller), larryv (Lawrence Velázquez), mkae (Marko Käning)
Port:

Description

Our Buildbot installation should allow developers to log in with their GitHub account, rather than maintaining a separate username and password.

Buildbot 0.8 has no built-in support for this. Buildbot 0.9 does but I don't want to upgrade to 0.9 at this time.

Buildbot 0.8 can be configured to trust the user information provided to it by a reverse proxy:

http://docs.buildbot.net/0.8.14/manual/cfg-statustargets.html#http-based-authentication-by-frontend-server

The MacPorts Buildbot currently runs WebStatus behind a simple nginx reverse proxy.

It was suggested on the Buildbot mailing list that we should try to use this:

https://github.com/bitly/oauth2_proxy

We would need to add a MacPorts port for it.

Change History (7)

comment:1 Changed 4 years ago by ryandesign (Ryan Schmidt)

Has duplicate #52693.

comment:2 Changed 4 years ago by mkae (Marko Käning)

Cc: mkae added

comment:3 Changed 4 years ago by mojca (Mojca Miklavec)

Keywords: buildbot added

comment:4 Changed 3 years ago by neverpanic (Clemens Lang)

Component: server/hostingbuildbot/mpbb

comment:5 in reply to:  description Changed 9 months ago by ryandesign (Ryan Schmidt)

Replying to ryandesign:

Buildbot 0.8 has no built-in support for this. Buildbot 0.9 does but I don't want to upgrade to 0.9 at this time.

I'm working on trying out buildbot 2: #56044.

I have GitHub authentication working there. But for now I want to lock it down to only authorized users, and it turns out Buildbot's built-in authorization restrictions aren't that great, and it's still suggested to use oauth2-proxy with it for better security: https://github.com/buildbot/buildbot/issues/5433

It was suggested on the Buildbot mailing list that we should try to use this:

https://github.com/bitly/oauth2_proxy

We would need to add a MacPorts port for it.

This has been done: #60948

comment:6 Changed 9 months ago by neverpanic (Clemens Lang)

Note that that URL is outdated. The current upstream for oauth2_proxy is at https://github.com/oauth2-proxy/oauth2-proxy.

We are running multiple instances of oauth2_proxy on braeburn, for https://infra.macports.org/ and https://paste.macports.org/. Let me know if you need help configuring it.

comment:7 in reply to:  6 Changed 9 months ago by ryandesign (Ryan Schmidt)

Replying to neverpanic:

Note that that URL is outdated. The current upstream for oauth2_proxy is at https://github.com/oauth2-proxy/oauth2-proxy.

Right, we got the new version in the port.

We are running multiple instances of oauth2_proxy on braeburn, for https://infra.macports.org/ and https://paste.macports.org/. Let me know if you need help configuring it.

Too many configuration options. 😫 I'll look at it later.

Note: See TracTickets for help on using tickets.