[Jenkins-infra] User management on jenkins-infra Github organisation?

R. Tyler Croy tyler at monkeypox.org
Tue Jan 8 15:01:51 UTC 2019


I mentioned this in our infra meeting yesterday, but this is fine by me as
well.


On Thu, 03 Jan 2019, Olblak wrote:

> Hi Everybody,
> 
> First of all I wish you a happy new Year.
> 
> I am looking for feedback on the best way to manage user permissions on
> the GitHub jenkins-infra organization.
> The current process is that "someone" opens a Jira ticket requesting a
> specific repository permission, like INFRA-1925[1], and then a
> jenkins-infra admin validates and grants that permission.
> While I think opening a Jira ticket is still important for visibility,
> only a few people can grant organization access, so it can take a lot
> of time between the moment the permission is requested and approved, and
> it's time consuming to verify whether a request is legitimate or not.
> So I am wondering about the best way to delegate that decision to SIG
> maintainers without compromising the organization.
> 
> Therefore I suggest the following approach:
> 
> One parent team based on the SIG group name, with the same maintainer
> as the SIG group defined on jenkins.io/sig[2] and with no repository
> permission configured at that level, is allowed to configure and manage
> sub teams.
> 
> And then each child team is configured with specific members and
> specific repository permissions.
> 
> The reason why the parent team shouldn't configure repository access is
> because child teams inherit the parent's repository permissions.
> 
> An example is java11-support[3], where baptiste and oleg have admin
> permission on java11-support including child teams. java11-support has
> two child teams, java11-support-maintainer and java11-support-reviewer,
> with respectively write and read permission on different repositories.
> This approach delegates permission management to java11-support
> maintainers.
> 
> Remark: A maintainer can only add, to the team he manages, repositories
> that he has access to.
> 
> Another element that regularly comes back and doesn't make sense to me is
> that we have teams which only have read permission in order to make PR
> reviews, but those reviews can't be taken into account when we want to
> merge pull requests with branch protection enabled, as those reviewers
> need write permission.
> 
> So I wonder if we really need those read-only teams.
> More information here[4]
> 
> Cheers,
> 
> 
> ---
> -> gpg --keyserver keys.gnupg.net --recv-key 52210D3D
> ---
> 
> Links:
> 
>   1. https://issues.jenkins-ci.org/browse/INFRA-1925
>   2. https://jenkins.io/sigs/platform/
>   3. https://github.com/orgs/jenkins-infra/teams/java11-support
>   4. https://help.github.com/articles/about-required-reviews-for-pull-requests/

> _______________________________________________
> Jenkins-infra mailing list
> Jenkins-infra at lists.jenkins-ci.org
> http://lists.jenkins-ci.org/mailman/listinfo/jenkins-infra

--
GitHub:  https://github.com/rtyler

GPG Key ID: 0F2298A980EE31ACCA0A7825E5C92681BEF6CEA2
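
The team layout proposed in the quoted message, modelled as an added example (not code from this thread or from the Jenkins project): it computes each team's effective permissions under parent-to-child inheritance and flags the two situations the message raises. The team names come from the message; the repository names are constructed placeholders, and the read/write/admin scale is the one the message mentions.

```python
from dataclasses import dataclass, field

LEVELS = {"read": 1, "write": 2, "admin": 3}  # permission levels named in the thread

@dataclass
class Team:
    name: str
    parent: "Team | None" = None
    repos: dict = field(default_factory=dict)  # repo -> level granted directly

def effective(team):
    """Direct grants merged with everything inherited from ancestors (highest wins)."""
    perms = effective(team.parent) if team.parent else {}
    for repo, level in team.repos.items():
        if LEVELS[level] > LEVELS.get(perms.get(repo), 0):
            perms[repo] = level
    return perms

def audit(teams):
    """Return findings for the two issues raised in the thread."""
    parents = {t.parent.name for t in teams if t.parent}
    findings = []
    for t in teams:
        # Rule from the proposal: a parent (SIG) team carries no repository grants.
        if t.name in parents and t.repos:
            findings.append(f"{t.name}: parent team grants {sorted(t.repos)} to every child team")
        # Per the thread, reviews from read-only teams do not count under branch protection.
        perms = effective(t)
        if t.name not in parents and perms and all(lv == "read" for lv in perms.values()):
            findings.append(f"{t.name}: read-only, reviews do not satisfy required reviews")
    return findings

def build(parent_repos):
    """java11-support hierarchy; repository names are constructed placeholders."""
    sig = Team("java11-support", repos=parent_repos)
    maint = Team("java11-support-maintainer", sig, {"example-repo-a": "write"})
    review = Team("java11-support-reviewer", sig, {"example-repo-b": "read"})
    return [sig, maint, review]

if __name__ == "__main__":
    for label, teams in (("proposed", build({})),
                         ("grant on parent", build({"example-repo-a": "write"}))):
        print(label)
        for t in teams:
            print(f"  {t.name}: {effective(t)}")
        for finding in audit(teams):
            print(f"  ! {finding}")
```

With a grant placed on the parent, the reviewer team silently gains write access to `example-repo-a`, which is the inheritance effect the proposal avoids by keeping the parent team free of repository permissions.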