Test SSO with the openshift-login plugin for Jenkins on OpenShift 1.4
Now we use SAML for SSO.
But there is an openshift-login plugin in the upstream image. This should use OAuth to get credentials from OpenShift, which itself gets them from SSO, so we might be able to use that.
How to use: enable it from Jenkins itself (Global Security) or set the env var OPENSHIFT_ENABLE_OAUTH to true, in which case the plugin enables itself.
To have it work we also need to set the OpenShift Redirect URL to https://openshift-dev.cern.ch
However our jenkins serviceaccount does not seem to be authorized to create tokens on behalf of users (on 1.2 at least):
https://openshift-dev.cern.ch/oauth/authorize?client_id=system:serviceaccount:test-jenkins-cern-running:jenkins&redirect_uri=https://test-jenkins-cern-running.web.cern.ch/securityRealm/finishLogin&response_type=code&scope=user:info%20user:check-access&state=MWFmOWVhMjktM2YyZS00
{"error":"unauthorized_client","error_description":"The client is not authorized to request a token using this method.","state":"MWFmOWVhMjktM2YyZS00"}
But it may simply require OpenShift 1.3, or we may need to grant extra permissions to the jenkins serviceaccount (the plugin may also be unable to guess the redirect URL correctly for the same reason). There should be further improvements in 1.4; maybe wait until we have it to give it a try.
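As an added illustration (not from the page or the upstream jenkins image), this is how the two pieces above would be declared in OpenShift objects rather than through the Jenkins UI: the serviceaccount is annotated as an OAuth client with the exact redirect URI the plugin sends (the one in the failing authorize URL above), and the deployment sets OPENSHIFT_ENABLE_OAUTH. Assumptions: the annotation key is the one OpenShift uses for serviceaccount OAuth clients from Origin 1.3 onwards, and the serviceaccount name, namespace and hostnames are those appearing on this page; DeploymentConfig fields not related to OAuth are omitted.

```yaml
# Added example, not the project's own config.
# ASSUMPTION: OpenShift >= 1.3 honours the oauth-redirecturi annotation on a
# ServiceAccount; on 1.2 the serviceaccount is not accepted as an OAuth client
# and the authorize request fails with "unauthorized_client" as shown above.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: jenkins
  namespace: test-jenkins-cern-running
  annotations:
    # Must match the redirect_uri the plugin puts in the authorize request,
    # otherwise the OAuth server rejects the client even on 1.3+.
    serviceaccounts.openshift.io/oauth-redirecturi.jenkins: https://test-jenkins-cern-running.web.cern.ch/securityRealm/finishLogin
---
# Enable the plugin from the deployment instead of Global Security in the UI.
apiVersion: v1
kind: DeploymentConfig
metadata:
  name: jenkins
  namespace: test-jenkins-cern-running
spec:
  template:
    spec:
      # The pod must run as the annotated serviceaccount: the plugin uses
      # system:serviceaccount:<namespace>:jenkins as the OAuth client_id.
      serviceAccountName: jenkins
      containers:
      - name: jenkins
        env:
        - name: OPENSHIFT_ENABLE_OAUTH
          value: "true"
```

To check whether the serviceaccount is now accepted, repeat the authorize URL from above in a browser after applying the objects: a redirect to the OpenShift login page instead of the unauthorized_client JSON means the client registration is accepted; a remaining unauthorized_client error points at the OpenShift version or at a redirect_uri mismatch.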
There is also the problem of e-groups: OAuth will not send the list of e-groups. Instead (whether groups are used in OpenShift or not) users get permissions in Jenkins based on their access level to the namespace where Jenkins is running, as per https://github.com/openshift/jenkins#jenkins-admin-user
This complicates e-group integration, though in theory we could import all e-groups into OpenShift and modify the plugin to pass the group membership list to Jenkins.