[users at bb.net] Private builders?

Pierre Tardy tardyp at gmail.com
Wed Jul 15 07:54:58 UTC 2020


Hi Ryan,

You can tweak the authorization rules to prevent any read of forbidden logs
from the REST API. This is a bit complex to set up but doable.

This will end up implementing the following missing endpoint matcher:
https://github.com/tardyp/buildbot/blob/5c86cb3bf2c716800f4d6f738c5aa9c0e6583dea/master/buildbot/www/authz/endpointmatchers.py#L193

Please note that this method is not fully secure, as the endpoint matchers
are not enforced on the websocket side. This means you can still access
some data by registering for events in the websocket.
The best way to protect read access to your buildbot is to set up a reverse
proxy like oauth2proxy in front of buildbot.

Regards
Pierre
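
One thing such a rule has to handle is that the same log is reachable through several REST paths, each of which must be traced back to its builder. The following is an added example, not part of the original message and not Buildbot code: a standalone Python model of that allow/deny decision, with path shapes modelled on Buildbot's REST API and all builder names, ids and users constructed.

```python
# Constructed in-memory tables standing in for the master's database.
BUILDERS = {1: "public-build", 2: "private-build"}  # builderid -> name
BUILDS = {10: 1, 11: 2}                             # buildid -> builderid
STEPS = {100: 10, 101: 11}                          # stepid -> buildid
LOGS = {1000: 100, 1001: 101}                       # logid -> stepid

PRIVATE_BUILDERS = {"private-build"}  # hypothetical protected builders
LOG_READERS = {"ryan"}                # hypothetical users granted access


def owning_builder(parts):
    """Map the leading resource of a REST path to its builder name.

    Raises KeyError, ValueError or IndexError when it cannot be resolved.
    """
    kind, key = parts[0], parts[1]
    if kind == "builders":
        return BUILDERS[int(key)] if key.isdigit() else key
    if kind == "builds":
        return BUILDERS[BUILDS[int(key)]]
    if kind == "steps":
        return BUILDERS[BUILDS[STEPS[int(key)]]]
    if kind == "logs":
        return BUILDERS[BUILDS[STEPS[LOGS[int(key)]]]]
    raise KeyError(kind)


def may_read(user, path):
    """Decide a REST GET; only log resources are protected in this model.

    Websocket event subscriptions never pass through this check, which is
    the gap described in the message above.
    """
    parts = path.split("?", 1)[0].strip("/").split("/")
    if parts[:2] == ["api", "v2"]:
        parts = parts[2:]
    if "logs" not in parts:
        return True                   # not a log read
    try:
        builder = owning_builder(parts)
    except (KeyError, ValueError, IndexError):
        return False                  # unresolvable log path: fail closed
    return builder not in PRIVATE_BUILDERS or user in LOG_READERS
```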


On Mon, Jul 13, 2020 at 07:08, Ryan Schmidt <buildbot at ryandesign.com>
wrote:

>
>
> On Jul 9, 2020, at 04:51, Roland van Laar wrote:
>
> > On 2020-07-09 03:51, Ryan Schmidt wrote:
> >> Hi,
> >>
> >> Is it possible to have a single buildmaster in which some workers are
> public (their build logs can be seen by anybody) while other workers are
> private (their logs can only be seen by specific logged in users)?
> > Do you mean workers, or specific builders?
> >
> > A Worker is a vm/machine on which the builders run.
> > A builder is a buildfactory, which contains the executable steps of a
> build.
> >
> > What is the data you want to protect from publicity?
>
> I want to set up three builders on a new worker. All of the builders on
> that worker should be protected. I want to be able to see the logs of those
> builds myself when I log in to the buildmaster web interface, and I want to
> be able to grant specific other users access to do that, but the general
> public accessing the buildmaster and any other logged in user should not be
> able to see those logs. There are also other workers that have instances of
> those builders; they are and should remain public.
>
>
> >> My assumption is that this is not possible and that I should set up a
> second private buildmaster.
> > There's not a configuration flag that can be used.
> > It is possible to write the necessary code for it.
>
> Do you mean adding code to my configuration or modifying the buildbot
> code? Any other pointers you can offer? If it's not going to be very
> straightforward I'll probably go with my separate private buildmaster plan,
> since my familiarity with buildbot source code and python in general is
> fairly low.
>