Use a sudoers file for jenkins sudo rights

This way we can start with the file in place on all single-use slaves, and then remove the file at the beginning of jobs that should not be able to sudo (for example, unit test jobs). Change-Id: I37aabdba89d00b45365126c8f776ae6ef8357c8f
2014-02-11 13:52:01 -08:00 · 2014-02-11 13:52:01 -08:00 · 200ce362a2
parent 5277291ff2
commit 200ce362a2
3 changed files with 12 additions and 9 deletions
--- a/modules/jenkins/files/jenkins-sudo.sudo
+++ b/modules/jenkins/files/jenkins-sudo.sudo
@ -0,0 +1 @@
+jenkins ALL=(root) NOPASSWD:ALL
--- a/modules/jenkins/manifests/jenkinsuser.pp
+++ b/modules/jenkins/manifests/jenkinsuser.pp
@ -3,19 +3,12 @@
 class jenkins::jenkinsuser(
  $ssh_key = '',
  $ensure = present,
-  $sudo = false,
 ) {

  group { 'jenkins':
    ensure => present,
  }

-  if ($sudo == true) {
-    $groups = ['sudo', 'admin']
-  } else {
-    $groups = []
-  }
-
  user { 'jenkins':
    ensure     => present,
    comment    => 'Jenkins User',
@ -23,7 +16,7 @@ class jenkins::jenkinsuser(
    gid        => 'jenkins',
    shell      => '/bin/bash',
    membership => 'minimum',
-    groups     => $groups,
+    groups     => [],
    require    => Group['jenkins'],
  }

--- a/modules/jenkins/manifests/slave.pp
+++ b/modules/jenkins/manifests/slave.pp
@ -15,7 +15,6 @@ class jenkins::slave(
  if ($user == true) {
    class { 'jenkins::jenkinsuser':
      ensure  => present,
-      sudo    => $sudo,
      ssh_key => $ssh_key,
    }
  }
@ -354,6 +353,16 @@ class jenkins::slave(
    source  => 'puppet:///modules/jenkins/slave_scripts',
  }

+  if ($sudo == true) {
+    file { '/etc/sudoers.d/jenkins-sudo':
+      ensure => present,
+      source => 'puppet:///modules/jenkins/jenkins-sudo.sudo',
+      owner  => 'root',
+      group  => 'root',
+      mode   => '0440',
+    }
+  }
+
  file { '/etc/sudoers.d/jenkins-sudo-grep':
    ensure => present,
    source => 'puppet:///modules/jenkins/jenkins-sudo-grep.sudo',