Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Feature Request] Ability to use github teams as admins #2043

Closed
kylebyerly-hp opened this issue May 16, 2017 · 7 comments
Closed

[Feature Request] Ability to use github teams as admins #2043

kylebyerly-hp opened this issue May 16, 2017 · 7 comments
Milestone

Comments

@kylebyerly-hp
Copy link

I would like to be able to use github teams for the admins over github users. I was not able to do so with drone v0.5.0 and github enterprise (I tried org/team and org/team and org\/team just in case there were escaping issues, but suspect teams are simply not enabled).

@msuterski
Copy link

I second this. It's easier to manage groups over deploying new drone instances.

@ptagr
Copy link

ptagr commented Aug 3, 2017

+1.

@tonglil
Copy link

tonglil commented Aug 11, 2017

Or even just to specify one team (vs checking multiple teams/etc):

DRONE_ADMIN_TEAM=org/my-team
DRONE_ADMIN_USERS=janedoe,johnsmith

Let the integration driver handle:

  • Mapping the value of the env var to the actual semantic of that platform
  • Calling APIs to fetch the users from that platform
  • Union list of users and users in the team

Might have to think about:

  • How to concat fetched users and users listed in DRONE_ADMIN_USERS
  • Periodicity of refreshing list of users from the team (since teams can change)

@bradrydzewski
Copy link

I am looking at 2 options:

  1. provide a sidecar image that can regularly poll an organization and automatically add / remove / update users via the API. I will host a simple version of this utility in the Drone org and teams that need something more complex will be able to fork and modify as needed.

  2. allow an authorization plugin that invokes a microserver when a user authenticates. This microservice will receive the user details and the http response will dictate whether or not the user account is authorized to proceed, and what role (e.g. admin) they should assume.

I am leaning toward the second option, since this is what we are doing with secrets, registry credentials, pipeline approvals, etc.

@bradrydzewski bradrydzewski added this to the v1.0.0 milestone Aug 23, 2018
@tboerger
Copy link

The second approach really matches best the upcoming capabilities.

@bradrydzewski bradrydzewski modified the milestones: v1.0.0, v1.1.0 Apr 9, 2019
@bradrydzewski bradrydzewski added this to the v1.x.x milestone Apr 19, 2019
@bradrydzewski
Copy link

Drone supports basic admission plugins for new user login. I need to update the code to also invoke the admission endpoint for existing user login. I also need to create a boilr template for admission plugins. Once these are complete it should allow the creation of a plugin to satisfy this use case.

@bradrydzewski bradrydzewski modified the milestones: v1.x.x, 1.5.0 Sep 17, 2019
@bradrydzewski
Copy link

This is now possible in the latest build. We pushed support for admission extensions that allow you to customization system access and admin access.

We published an boilr project to help create admission extensions:
https://github.com/drone/boilr-admission

We created a sample extension that grants access to organization members, grants admin access to organization admins, and (optionally) grants admin access to members of a designated team:
https://github.com/drone/drone-admit-members

This requires the latest build and will be included in the 1.5.0 tagged release.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

6 participants