authorPaul Sokolovsky <paul.sokolovsky@linaro.org>2013-10-15 21:36:20 +0300
committerPaul Sokolovsky <paul.sokolovsky@linaro.org>2013-10-15 21:36:20 +0300
commited2e7da744a90100065e79d3ebeda4e896a98478 (patch)
treefd39b602c93d76e8f2a6f0c7130d6e3010741f5b
parent82e8618980d178b26acf2389db9fab15d2f90552 (diff)
Support crowd auth for Jenkins (while retaining "own user db" support).
-rw-r--r--ansible-deploy/jenkins.yml2
-rw-r--r--ansible-deploy/roles/jenkins/tasks/main.yml9
-rw-r--r--ansible-deploy/roles/jenkins/templates/jenkins-config/config.xml (renamed from ansible-deploy/roles/jenkins/files/jenkins-config/config.xml)17
-rw-r--r--ansible-deploy/roles/jenkins/vars/main.yml2
4 files changed, 28 insertions, 2 deletions
diff --git a/ansible-deploy/jenkins.yml b/ansible-deploy/jenkins.yml
index 17cb3dd..ffed10e 100644
--- a/ansible-deploy/jenkins.yml
+++ b/ansible-deploy/jenkins.yml
@@ -7,6 +7,8 @@
- jenkins_version: 1.509.2
- site_name: android-build.linaro.org
- ssl_cert: /etc/ssl/private/android-build.linaro.org.crt
+ vars_files:
+ - ../ansible-private-vars/main.yml
roles:
- common
- apache
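Review bot: The added `vars_files` entry loads `../ansible-private-vars/main.yml` unconditionally, so the play now depends on a file outside this repository even when `jenkins_auth` is `native`; as far as I know, Ansible aborts the play when a listed vars file is missing. Nothing on the new lines says which variables that file must define, although the config.xml template in this commit reads `crowd_user` and `crowd_passwd`. I would add a comment above the entry, for example `# Private checkout, kept out of this repo; must define crowd_user and crowd_passwd`. The play header is outside the hunk, so any documentation placed there cannot be seen from here.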
diff --git a/ansible-deploy/roles/jenkins/tasks/main.yml b/ansible-deploy/roles/jenkins/tasks/main.yml
index 3bd5bca..8d97d65 100644
--- a/ansible-deploy/roles/jenkins/tasks/main.yml
+++ b/ansible-deploy/roles/jenkins/tasks/main.yml
@@ -20,10 +20,17 @@
line='JENKINS_ARGS="\1 --prefix=/jenkins"'
dest=/etc/default/jenkins backrefs=yes
sudo: yes
-- name: Set up minimal Jenkins configuration
+- name: Set up minimal Jenkins configuration skeleton
# This requires recursive copy patch
copy: backup=yes src=jenkins-config/ dest=/var/lib/jenkins/ owner=jenkins
sudo: yes
+ notify:
+ - Restart Jenkins
+- name: Set up Jenkins config file
+ template: backup=yes src=jenkins-config/config.xml dest=/var/lib/jenkins/ owner=jenkins
+ sudo: yes
+ notify:
+ - Restart Jenkins
- name: Create Jenkins plugin dir
file: state=directory path=~jenkins/plugins/ owner=jenkins
sudo: yes
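Review bot: The new `Set up Jenkins config file` task sets `owner=jenkins` but no `mode`, and the rendered config.xml now contains the Crowd application password, so its permissions are left to whatever the existing file or the umask provides. I would pin them on the task: `template: backup=yes src=jenkins-config/config.xml dest=/var/lib/jenkins/ owner=jenkins mode=0600`. `backup=yes` also leaves timestamped copies of earlier renders beside the file, each holding the password in use at that time. Either drop it for this task or make sure those copies are equally restricted and cleaned up.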
diff --git a/ansible-deploy/roles/jenkins/files/jenkins-config/config.xml b/ansible-deploy/roles/jenkins/templates/jenkins-config/config.xml
index 4efa391..3952708 100644
--- a/ansible-deploy/roles/jenkins/files/jenkins-config/config.xml
+++ b/ansible-deploy/roles/jenkins/templates/jenkins-config/config.xml
@@ -4,8 +4,9 @@
<numExecutors>0</numExecutors>
<mode>NORMAL</mode>
<useSecurity>true</useSecurity>
- <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
+ <authorizationStrategy class="hudson.security.ProjectMatrixAuthorizationStrategy">
<permission>hudson.model.Hudson.Administer:admin</permission>
+ <permission>hudson.model.Hudson.Administer:infrastructure</permission>
<permission>hudson.model.Hudson.Read:anonymous</permission>
<permission>hudson.model.Hudson.Read:frontend</permission>
<permission>hudson.model.Item.Build:frontend</permission>
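Review bot: The added `hudson.model.Hudson.Administer:infrastructure` grant is rendered for both auth modes, although `infrastructure` looks like a Crowd group name (inferred from the commit subject, not visible here). With `jenkins_auth` set to `native`, the realm in this same template keeps `<disableSignup>false</disableSignup>`, so an administrative grant would be bound to a name that may not correspond to any controlled account in the local user database. I would wrap the line in `{% if jenkins_auth == "crowd" %}` and `{% endif %}`. It is also worth confirming that the existing `Administer:admin` entry resolves to the intended principal once Crowd is the realm.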
@@ -15,9 +16,23 @@
<permission>hudson.model.Item.Read:anonymous</permission>
<permission>hudson.model.Item.Read:frontend</permission>
</authorizationStrategy>
+{% if jenkins_auth == "native" %}
<securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
<disableSignup>false</disableSignup>
</securityRealm>
+{% elif jenkins_auth == "crowd" %}
+ <securityRealm class="de.theit.jenkins.crowd.CrowdSecurityRealm" plugin="crowd2@1.6-SNAPSHOT">
+ <url>https://login.linaro.org:8443/crowd</url>
+ <applicationName>{{crowd_user}}</applicationName>
+ <password>{{crowd_passwd}}</password>
+ <group>linaro-android-builders</group>
+ <nestedGroups>false</nestedGroups>
+ <useSSO>false</useSSO>
+ <sessionValidationInterval>10</sessionValidationInterval>
+ </securityRealm>
+{% else %}
+ {{ fail("Unknown jenkins_auth value: " + jenkins_auth) }}
+{% endif %}
<markupFormatter class="hudson.markup.RawHtmlMarkupFormatter"/>
<jdks/>
<viewsTabBar class="hudson.views.DefaultViewsTabBar"/>
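Review bot: `{{crowd_user}}` and `{{crowd_passwd}}` are written into XML element content without escaping, so a value containing `&` or `<` produces a config.xml that Jenkins cannot parse, or one whose structure differs from what was intended. Jinja2's escape filter covers this: `<password>{{ crowd_passwd | e }}</password>`, and the same for `applicationName`. Separately, `fail(...)` in the `{% else %}` branch is not a function I know Jinja2 or Ansible to provide. It probably still aborts the render, but through an undefined-name error rather than the intended message, so validating `jenkins_auth` in a task before templating would give a clearer failure.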
diff --git a/ansible-deploy/roles/jenkins/vars/main.yml b/ansible-deploy/roles/jenkins/vars/main.yml
index 264ce61..b7888fd 100644
--- a/ansible-deploy/roles/jenkins/vars/main.yml
+++ b/ansible-deploy/roles/jenkins/vars/main.yml
@@ -4,3 +4,5 @@ jenkins_plugins:
- http://people.linaro.org/~paul.sokolovsky/jenkins/crowd2-1.6-SNAPSHOT-20130816.hpi
- http://updates.jenkins-ci.org/download/plugins/greenballs/1.12/greenballs.hpi
- http://updates.jenkins-ci.org/download/plugins/build-timeout/1.8/build-timeout.hpi
+# "native" or "crowd"
+jenkins_auth: crowd
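Review bot: Defaulting `jenkins_auth` to `crowd` makes the crowd2 plugin listed just above the authentication component of this server, and that entry is a SNAPSHOT build fetched over plain `http://` from a personal web space. The download task is outside this hunk, so whether any integrity check is applied cannot be seen here. If none is, I would serve the plugin over HTTPS from a controlled location and verify a pinned digest after download. A comment above the new line, such as `# crowd needs the crowd2 plugin from jenkins_plugins plus crowd_user/crowd_passwd from the private vars`, would also document the dependency.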