<div dir="ltr">Hi Ryan,<div><br></div><div>You can tweak the authorization rules to prevent any read of forbidden logs from the REST API. This is a bit complex to set up but doable.</div><div><br></div><div>This will end up implementing the following missing endpoint matcher.</div><div><a href="https://github.com/tardyp/buildbot/blob/5c86cb3bf2c716800f4d6f738c5aa9c0e6583dea/master/buildbot/www/authz/endpointmatchers.py#L193">https://github.com/tardyp/buildbot/blob/5c86cb3bf2c716800f4d6f738c5aa9c0e6583dea/master/buildbot/www/authz/endpointmatchers.py#L193</a></div><div><br></div><div>Please note that this method is not fully secure as the endpoint matchers are not enforced at the websocket side. This means you can still access some data by registering to events in the websocket.</div><div>The best way to protect a read access to your buildbot is to set up a reverse proxy like oauth2proxy in front of buildbot.</div><div><br></div><div>Regards<br clear="all"><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature">Pierre</div></div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Jul 13, 2020 at 07:08, Ryan Schmidt <<a href="mailto:buildbot@ryandesign.com">buildbot@ryandesign.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br>
<br>
On Jul 9, 2020, at 04:51, Roland van Laar wrote:<br>
<br>
> On 2020-07-09 03:51, Ryan Schmidt wrote:<br>
>> Hi,<br>
>> <br>
>> Is it possible to have a single buildmaster in which some workers are public (their build logs can be seen by anybody) while other workers are private (their logs can only be seen by specific logged in users)?<br>
> Do you mean workers, or specific builders?<br>
> <br>
> A Worker is a vm/machine on which the builders run.<br>
> A builder is a buildfactory, which contains the executable steps of a build.<br>
> <br>
> What is the data you want to protect from publicity?<br>
<br>
I want to set up three builders on a new worker. All of the builders on that worker should be protected. I want to be able to see the logs of those builds myself when I log in to the buildmaster web interface, and I want to be able to grant specific other users access to do that, but the general public accessing the buildmaster and any other logged in user should not be able to see those logs. There are also other workers that have instances of those builders; they are and should remain public.<br>
<br>
<br>
>> My assumption is that this is not possible and that I should set up a second private buildmaster.<br>
> There's not a configuration flag that can be used.<br>
> It is possible to write the necessary code for it.<br>
<br>
Do you mean adding code to my configuration or modifying the buildbot code? Any other pointers you can offer? If it's not going to be very straightforward I'll probably go with my separate private buildmaster plan, since my familiarity with buildbot source code and python in general is fairly low.<br>
<br>
</blockquote></div>