Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Split repo trusted setting #4025

Open
wants to merge 33 commits into
base: main
Choose a base branch
from
Open

Split repo trusted setting #4025

wants to merge 33 commits into from

Conversation

qwerty287
Copy link
Contributor

related to #3758

@qwerty287 qwerty287 added the feature add new functionality label Aug 11, 2024
@woodpecker-bot
Copy link
Collaborator

woodpecker-bot commented Aug 16, 2024
edited
Loading

Deploying preview to https://woodpecker-ci-woodpecker-pr-4025.surge.sh

@qwerty287 qwerty287 marked this pull request as ready for review August 18, 2024 18:11
@qwerty287 qwerty287 requested a review from a team August 18, 2024 18:11
@qwerty287
Copy link
Contributor Author

Actually you can start taking a look here. There are probably still some issues but for the general concept.

This is currently a breaking change (changes API), we could either get it into 3.0 or make it non-breaking, what do you prefer?

zc-devs
zc-devs reviewed Aug 19, 2024
View reviewed changes
Copy link
Contributor

@zc-devs zc-devs left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

get it into 3.0

server/store/datastore/migration/035_split_trusted.go Outdated Show resolved Hide resolved
@qwerty287 qwerty287 added this to the 3.0.0 milestone Aug 29, 2024
@qwerty287 qwerty287 added the breaking will break existing installations if no manual action happens label Aug 29, 2024
@anbraten
Copy link
Member

I am not really a fan of this split. Although I kinda see the general idea behind it, it complicates the CI (not really interested to move towards Jenkins and similar tools) and it shifts the security guidelines from the agent admin to the repo admin. Therefore multiple agents aren't able to provide different settings.

@qwerty287
Copy link
Contributor Author

it shifts the security guidelines from the agent admin to the repo admin.

Repo admins can't change this setting if they're not a server admin and usually the server admin is also the agent admin I think.

Therefore multiple agents aren't able to provide different settings.

That's a general issue, but it's impossible to deal differently with our current structure. You would need to change the whole system and give the agents more capabilities (for example, the server must not parse the YAML anymore. This must be done by agents as well).

Also, this issue is not different from how it works now. Enabling trusted is currently also on repo-level and this PR does not give any way to get more privileges than before.

6543
6543 requested changes Sep 5, 2024
View reviewed changes
Copy link
Member

@6543 6543 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

migration fail related !!!

https://ci.woodpecker-ci.org/repos/3780/pipeline/20192/36

anbraten
anbraten requested changes Sep 6, 2024
View reviewed changes
Copy link
Member

@anbraten anbraten left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not confined by the benefit of splitting the setting.

@anbraten
Copy link
Member

anbraten commented Sep 6, 2024

Repo admins can't change this setting if they're not a server admin and usually the server admin is also the agent admin I think.

Isn't that the reason why this is currently an agent config (at least for the kubernetes options). It would only make sense for smaller deployments where server admins are agent admins as well I guess. For larger teams / orgs with or when supporting #267 those options would be quite unimportant.

@zc-devs
Copy link
Contributor

zc-devs commented Sep 6, 2024
edited
Loading

this is currently an agent config (at least for the kubernetes options)

Where?

this issue is not different from how it works now. Enabling trusted is currently also on repo-level and this PR does not give any way to get more privileges than before

@qwerty287
Copy link
Contributor Author

Where?

You mean the "feature gates"?

Tbh I think this somehow would be a mess. Or we refactor our whole structure, e.g. the agent would have to parse the YAML and not the server. Also, having it on a repo level additionally can still be helpful as you might have repos that shouldn't be able to use some features.

@zc-devs
Copy link
Contributor

zc-devs commented Sep 6, 2024

You mean the "feature gates"?

I was asking. @anbraten, what did you mean by agent config? Could you provide an example?

Agent's feature gates != settings per a repo.

having it on a repo level additionally can still be helpful as you might have repos that shouldn't be able to use some features

it complicates the CI

The same way as trusted does.

not really interested to move towards Jenkins and similar tools

Could you elaborate?

it shifts the security guidelines from the agent admin to the repo admin

To the server/instance admin, if I understand correctly. The same as trusted. And doesn't shift, but adds per repo settings.

@6543
Copy link
Member

6543 commented Sep 15, 2024

Maybe using ALTER TABLE DROP COLUMN will help. server/store/datastore/migration/common.go:dropTableColumns(...)

Offtop: I thought, ORM/migration tool should do this magic. Seems, I was wrong :)

ORM dont just drop data ... you have to specify that

@6543
Copy link
Member

6543 commented Sep 15, 2024

As for the current structure I'm quite happy as it works (some strings atached...) but to cover the concerns ... an agent admin should be able to optionally overwrite security related things set by the server, if veasable like e.g. deny to mount volumes pointing to non docker volumes e.g. to the host ...

But that has to be a backemd option as each backend has different security considderations

@qwerty287
Copy link
Contributor Author

Yes, and it is a totally different part than this PR.

@qwerty287 qwerty287 requested a review from 6543 September 25, 2024 04:50
6543
6543 reviewed Sep 30, 2024
View reviewed changes
cli/exec/flags.go Outdated Show resolved Hide resolved
6543
6543 reviewed Sep 30, 2024
View reviewed changes
cli/exec/flags.go Outdated Show resolved Hide resolved
6543
6543 reviewed Sep 30, 2024
View reviewed changes
cli/exec/flags.go Outdated Show resolved Hide resolved
@anbraten
Copy link
Member

anbraten commented Sep 30, 2024
edited
Loading

As we moved resource settings #3174 to the agent and as we will have #3539, I still think we should move such settings to the agent. My current idea would be to use filters like allows.volumes=true instead, so only agents supporting volumes would pick up your workflow.

@qwerty287
Copy link
Contributor Author

I understand your point, but it is not as flexible as it is currently. If you currently have a few repos that are trusted and some not, you was able to do that with one agent. With this new system, this wouldn't be possible anymore.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@zc-devs zc-devs zc-devs left review comments

@6543 6543 6543 approved these changes

@anbraten anbraten Awaiting requested review from anbraten

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
breaking will break existing installations if no manual action happens feature add new functionality
Projects
None yet
Milestone
3.0.0
Development

Successfully merging this pull request may close these issues.
5 participants
@qwerty287 @woodpecker-bot @anbraten @zc-devs @6543