How to save RBAC configuration when a Client Master needs to be renamed?

Issue

  • I need to rename a Jenkins Master but I have RBAC setup on the master that needs to be deleted
  • I want to backup RBAC configuration of my client master

Environment

  • CloudBees Jenkins Operations Center
  • CloudBees Jenkins Enterprise

Resolution

Background

  • The RBAC configuration of the root of a Jenkins instance is defined in the $JENKINS_HOME/nectar-rbac.xml file.
  • The RBAC configuration of items of a Jenkins instance is defined in the config.xml of the corresponding item.

Client Masters

If the Jenkins instance is attached to an Operations Center that enforces the Authorization Strategy, the nectar-rbac.xml is maintained by the CJOC. In that case the RBAC settings are actually defined in the config.xml of the Client Master item on CJOC. CJOC pushes the configuration by overriding the Client Master’s nectar-rbac.xml whenever changes are detected.

So in order to backup the RBAC settings of a Client Master with RBAC managed by CJOC, what is important is the config.xml of the Client Master item in CJOC.

Rename a Client Master

You need to purge the CJOC configuration attached to your CJE instance and recreate the client master from scratch following these steps:

  1. Take backup of the config.xml file of the Client Master item (for example $CJOC_HOME/jobs/old-client-master/config.xml)

  2. Release and Delete the Client Master item from CJOC

  3. Stop CJE instance

  4. Delete the following files for CJE (client master) to entirely remove the link to CJOC:

    • $JENKINS_HOME/license.xml
    • $JENKINS_HOME/operations-center-cloud*
    • $JENKINS_HOME/operations-center-client*
    • $JENKINS_HOME/com.cloudbees.opscenter.client.plugin.OperationsCenterRootAction.xml
  5. Disable Security in CJE by editing the $CJE_HOME/config.xml file.

    Locate this line:

    <useSecurity>true</useSecurity>

    And changing it to

    <useSecurity>false</useSecurity>

  6. Start the CJE instance

  7. From CJOC, create a new Client Master item

  8. Configure the Licensing strategy that you want to use

  9. Connect the client master either by push configuration from CJOC or manually from CJE

  10. After the two are connected again, copy the ConnectedMasterProxyGroupContainer property of the backup config.xml:

    <!--Start: We copy the following property --> 
    <com.cloudbees.opscenter.server.rbac.ConnectedMasterProxyGroupContainer plugin="operations-center-rbac@2.7.0.0">
        [...]
    </com.cloudbees.opscenter.server.rbac.ConnectedMasterProxyGroupContainer>
    <!--End: We copy the following property -->
    

    Paste it in the config.xml of the new Client Master item:

    <com.cloudbees.opscenter.server.model.ClientMaster plugin="operations-center-server@2.7.0.0">
      <actions/>
      <id>0</id>
      <encodedName>new-client-master</encodedName>
      <idName>0-new-client-master</idName>
      <timeStamp>1477374936749</timeStamp>
      <grantId>XXX-XXX-XXX-XXX</grantId>
      <approved>true</approved>
      <localEndpoint>http://allan.cje.com:8081/</localEndpoint>
      <identity>XXXXXXXXXXXXXX</identity>
      <properties class="com.cloudbees.opscenter.server.model.ConnectedMaster$PropertyList">
        <com.cloudbees.opscenter.server.metrics.health.ConnectedMasterHealthCheckProperty plugin="operations-center-monitoring@2.7.0.0">
          <enabled>true</enabled>
        </com.cloudbees.opscenter.server.metrics.health.ConnectedMasterHealthCheckProperty>
    
        <!-- Start: We copy from here -->
        <com.cloudbees.opscenter.server.rbac.ConnectedMasterProxyGroupContainer plugin="operations-center-rbac@2.7.0.0">
            [...]
        </com.cloudbees.opscenter.server.rbac.ConnectedMasterProxyGroupContainer>
        <!-- End -->
    
      </properties>
      <state>Approved</state>
    </com.cloudbees.opscenter.server.model.ClientMaster>
    
  11. Reload the Client Master item by appending /reload to the new Client Master item URL (for example $CJOC_URL/job/new-client-master/reload)

  12. Click on Try Posting. This should result in a blank page (sign that the reload worked).

Note: It might take few seconds until the RBAC config is push to the master.

Have more questions? Submit a request

2 Comments

  • 0
    Avatar
    John Seiberling

    The question is how to make it permanent? So, one does not have to repeat this copy pasting every time the server goes down.

  • 0
    Avatar
    Denys Digtiar

    Hi John,

    This guide is for when you want to rename the Client Master. If it just goes down all the configs should remain. They should have been persisted to disk the moment you clicked Save on the configuration page.

Please sign in to leave a comment.