Closed Bug 541551 Opened 15 years ago Closed 14 years ago

Secure Hudson and make it public

Categories

(mozilla.org Graveyard :: Server Operations, task)

Product:
mozilla.org Graveyard
Component:
Server Operations
Platform:
All
Other
Type:
task
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: clouserw, Assigned: fox2mike)

Details

I thought I filed this already but I don't see it.

We should add authentication for changing anything to hudson and then put it on the internet.

Authentication can be achieved by checking the "enable security" checkbox.  However, auth needs to come from somewhere and LDAP sounds like the best place so I'm leaving this for IT.  Very short docs at https://hudson.dev.java.net/security.html

Once that is done it will be read-only for anonymous users and at that point it should get a public IP.  Note that whatever network it ends up on, it needs to continue to be able to access network resources including qa-selenium, svn.mozilla.org, github.com, the pile of sites/protocols in requirements.txt, and eventually git.mo.
Assignee: server-ops → shyam
What is the ETA on this?
Wil, I'm looking at first week of March or so, since there's a bunch of other things going on as well. Is that alright? or you have more pressing needs here?
that sounds alright
Whiteboard: [ETA 03/05/2010]
Okay, LDAP logins on hudson should now be working.  Your username is your LDAP login (e-mail address).  However, it is still a clear text login.  I would put a front end https apache instance, and proxy requests back to the hudson port before opening it to the world.

With the current LDAP setup, any anonymous user can look at the builds, etc.

Only users in the mptvpn (configurable) LDAP group are allowed to login and once they login they can configure all aspects of the system.
http://img.skitch.com/20100302-11bp4giyfkc71t61q1nty35xti.png

I logged in with LDAP, which was successful according to the top nav bar.  But it's still asking for me to log in.
It gives you the links on the left side to manage/configure hudson, so you are definitely logged in.  As to why it think you need to login again, I am not sure.  I noticed that you already had a user account within Hudson.  I am not sure if you created that, or if it automatically configured you as a user because you had checked something in.  My guess is that that has something to do with it.  Try logging off, clearing any cookies it might have set and try again?  I  just tested this again, and it does not give me that double login screen.

If you still see the problem, its probably a hudson bug.
I think those auth settings are alright.  Can you setup the apache proxy with SSL?
Any updates?
Tom/Wil,

POA on this - I'll migrate sm-hudson01 (from the sandbox network) to dm-hudson01 (public facing dmz) and then make sure nothing is functionally broken before I setup SSL/Apache and open it up.

I plan to move this tomorrow and once that's done and you guys can verify we have it working as it should, I'll do the rest.

Apologies for the delay.
Alright, so sm-hudson01 has moved from the sandbox (vlan 76) to the pubdmz (vlan 74). We kept the same name so as to not cause more confusion/config changes on the box and on hudson.

Can you trigger a few builds/check if things are working well? And list out what's broken and I'll get around to fixing those.

Then we'll push apache in front and open it up.
I took the opportunity to pull in system updates, which included a hudson update and a new kernel as well.
I haven't found anything broken so far. I think it looks good.
Awesome.

Now, one more step is in place. Proxying has been enabled, so http://sm-hudson01.mozilla.org/ will now display hudson and /pypi/ will still show all the pypi stuff.

Verify this works as normal/expected? No failures?

Final step - assign a public IP and redirect everything to SSL, just to make sure we don't have any auth over plain-text.
Also, what's the public facing domain you'd like for this? hudson.addons.mozilla.org? or addons.hudson.mozilla.org?

I also see some sumo stuff in there, might want to remove that and ask SUMO to ask for their own hudson server :)
> Now, one more step is in place. Proxying has been enabled, so
> http://sm-hudson01.mozilla.org/ will now display hudson and /pypi/ will still
> show all the pypi stuff.
> 
> Verify this works as normal/expected? No failures?

Well, hudson itself still thinks it's on port 8080, so generated URLS (eg. from the IRC bot) contain http and the port.  A redirect for both wfm though.

> Also, what's the public facing domain you'd like for this?
> hudson.addons.mozilla.org? or addons.hudson.mozilla.org?
> 
> I also see some sumo stuff in there, might want to remove that and ask SUMO to
> ask for their own hudson server :)

Just hudson.mozilla.org?  Or hudson.webdev.m.o if you want to namespace it some more.  AMO was the first project on here, but I want to get the rest of webdev on it too.
/me does a little happy dance :D

I happily present http://hudson.mozilla.org/ 

Everything but /pypi/ goes over https. If the app can handle it, I'd like that to go over https too, but I thought I'd ask you guys first. 

As always, run your checks, make sure nothing is h0rked and reopen if you need anything else?
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Whiteboard: [ETA 03/05/2010]
Thanks!  This looks good to me.
After a little chat over IRC with jbalogh and ianbicking, /pypi/ is also over https now.
Product: mozilla.org → mozilla.org Graveyard
You need to log in before you can comment on or make changes to this bug.