Adding security considerations (usage of unprivileged accounts)

Merged Sebastian Lopienski requested to merge slopiens/ci-web-deployer:master into master
@@ -2,6 +2,10 @@
Docker image to be used with GitLab CI to deploy web sites or generic files or binaries generated from GitLab repositories to any of the CERN Web services platform including EOS.
## Security considerations
Credentials (username and password) of a CERN account, that is used for deploying website content, will be stored in GitLab variables in clear-text. To limit security impact in case of credential exposure, please use a dedicated secondary or service account, with very limited privileges (write access to that particular web site - but ideally no other privileges). **Do not use your primary CERN account, nor any privileged service account.**
## Version
1.8
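Review bot: the new "Security considerations" paragraph asks for an account with "write access to that particular web site - but ideally no other privileges", but the second hunk (the `METHOD` entry) states that with `rsync` the `EOS_ACCOUNT_USERNAME` account must also be able to log in to lxplus, so the minimum-privilege advice is not accurate for that method. Suggest adding a sentence such as "For *deploy-eos* with `METHOD: rsync`, the account additionally needs lxplus login rights; prefer `xrdcp` if that is not acceptable." Minor style points in the same paragraph: "of a CERN account, that is used for deploying" reads better without the comma (or as "which is used"), and the spaced hyphen in "web site - but ideally" could be parentheses: "(write access to that particular web site, and ideally nothing else)".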
@@ -18,21 +22,21 @@ Docker image to be used with GitLab CI to deploy web sites or generic files or b
## Contents
* *deploy-dfs*: Publish in a DFS folder the contents provided. Makes use of environment variables, *Kerberos* for authentication and *smbclient* to interact with DFS.
* `DFS_WEBSITE_USERNAME`: NICE username of the user responsible of the deployment
* `DFS_WEBSITE_PASSWORD`: User's password
* `DFS_WEBSITE_USERNAME`: Name of the account to be used for the deployment (see [Security considerations](#security-considerations) above)
* `DFS_WEBSITE_PASSWORD`: Accounts's password
* `CI_WEBSITE_DIR` (optional): Local folder to where files/folders to be deployed are located. **Default:** `public/`
* `DFS_WEBSITE_NAME`: Name of the DFS website (Example: "test-gitlab-pages" whose URL would be https://test-gitlab-pages.web.cern.ch)
* DFS_WEBSITE_PATH`: Path in DFS to copy the files to. If this is used, `DFS_WEBSITE_NAME` is ignored.
* `DFS_WEBSITE_PATH`: Path in DFS to copy the files to. If this is used, `DFS_WEBSITE_NAME` is ignored.
* `DFS_WEBSITE_DIR` (optional): A subfolder of the DFS web site where to deploy pages (e.g. `mydocs` to publish to https://test-gitlab-pages.web.cern.ch/mydocs). **Default** publish to web site root folder.
* `SMB_PROTOCOL` (optional): Set the SAMBA protocol to be used for the transfer. By default, it is set to `smb3`
* *deploy-eos*: Publish in a EOS folder the contents provided. Makes use of environment variables, *Kerberos* for authentication and *lxplus.cern.ch* as bridge to access to EOS.
* `EOS_ACCOUNT_USERNAME`: NICE username of the user responsible of the EOS deployment. Must have RW access to the EOS folder
* `EOS_ACCOUNT_PASSWORD`: User's password
* `EOS_ACCOUNT_USERNAME`: Name of the account to be used for the deployment (see [Security considerations](#security-considerations) above). Must have RW access to the EOS folder
* `EOS_ACCOUNT_PASSWORD`: Accounts's password
* `CI_OUTPUT_DIR` (optional): Local folder to be rsynced with EOS folder. **Default:** `public/`
* `EOS_PATH`: EOS path where to deploy the contents generated in `CI_OUTPUT_DIR`
* `EOS_MGM_URL` (optional): The MGM URL of the EOS instance. **Default:** `root://eosuser.cern.ch`
* `METHOD` (optional): Method to do the synchronization. It can be `rsync` or `xrdcp`. The rsync method relies on connecting to lxplus, and will make sure that the files deleted in source are also deleted on destination. The account (**EOS_ACCOUNT_USERNAME**) used must be able to log in lxplus. On the other hand xrdcp will directly connect to EOS, but will not delete files on the destination. **Default**: `xrdcp`
* `METHOD` (optional): Method to do the synchronization. It can be `rsync` or `xrdcp`. The rsync method relies on connecting to lxplus, and will make sure that the files deleted in source are also deleted on destination. The account (`EOS_ACCOUNT_USERNAME`) used must be able to log in lxplus. On the other hand xrdcp will directly connect to EOS, but will not delete files on the destination. **Default**: `xrdcp`
## Gitlab-ci exmaple
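Review bot: both added password lines read "Accounts's password" (`DFS_WEBSITE_PASSWORD` and `EOS_ACCOUNT_PASSWORD`); the apostrophe is misplaced, so change them to "Account's password" or, to match the new wording of the username lines, "Password of that account". The rest of the hunk is sound: the `DFS_WEBSITE_PATH` line gains its missing opening backtick, and the `METHOD` line switches `EOS_ACCOUNT_USERNAME` from bold to code formatting, consistent with the other variable names in the list. While touching this section, the trailing context heading still reads "Gitlab-ci exmaple" (typo for "example"), which is a one-word fix worth folding into this MR.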