Hello, welcome to the Jenkins UI/UX Hackfest. Today, we are doing a demo about Jenkins read-only configuration and system read permission. So, Tim Jacomb, one of the leaders of this effort and the most active contributor, will be showing the demo and he will also show how to contribute. So, Tim, the floor is yours.
All right, let me just share my screen. Cool, can you see that?
Yes.
All right, well, thanks everyone for coming. So, I'm just going to show, well, I'll introduce you to the feature, tell you what's been done so far and then I will take you through a bit of a demo. So, there'll be a user demo to begin with about what the feature is, what's there and then I'll take you through how to actually add this feature to more plugins and more core components. So, what it is. So, the beginning of this was for the Configuration as Code plugin, trying to introduce what's known as a read-only UI so that users are able to see everything but not make changes. So, it's very useful if you want your users to contribute to a configuration as code stored centrally somewhere. It's also useful if you want them to take full ownership of their build. So, not just what's going on with build but other factors that could have caused issues. So, they can see system logs, they can see configuration on Jenkins and whether perhaps changing an option could help them and they can also see what they would have to change in order to contribute it back or just give suggestions to the administrator. Another thing you can see is you can actually see who does have access to what in the Jenkins instance. So, you'll be able to see the security configuration which says that Joe is an administrator and he's the person to go and talk to to get help with the issue that you're currently having. So, what have we got included so far?
So, initially it was released in 2.222 and just before the previous LTS went in with two initial pages, the Configure System page which is where the majority of the system configuration is and also the System Configuration page. So, that's the one that is the table on there which has a whole bunch of configuration values aren't. Between 2.222 and 2.238, we've added approximately eight more pages which has the majority of the core components. So, the majority of the ones that people need should all have been released as of Monday. The Plugin Manager, Cloud configuration was recently added to the system. We have support in one plugin, the Configuration as Code, with pull requests open to a couple more plugins currently. And one thing that this changed recently was initially it was just going to be about the system configuration because there was already the extended read permission to give job configuration. But as part of this, we improved the code so that there'd be a read-only view for jobs rather than just the standard inputs. And we also extended this to agents so that users with the agent extended read permission are able to see agents, see the agent's configuration, see the agent's logs, pretty much everything available. And that's just been released in the latest weekly, 2.238. So it is currently a beta feature, so it's not on by default, but there's a meta plugin which is called the extended read permission plugin which will activate it if you install it. Okay, so I'm just gonna get started with a demo of the feature and then we'll go on to seeing how to do it. So can you see my Manage Jenkins screen?
Yes.
All right, so this is just a Jenkins 2.238 which I just downloaded off the Jenkins website. I've done nothing to it other than just to configure. So if I go to configure global security, I will see that there's a number of permissions here. This is using the matrix auth plugin, but what we can't see is any of the extended read permissions.
So you'd expect to see system read here, here and here for the extended read permissions. So what I'm gonna do first is I'm going to install the extended read permission plugin. So that should just take a few seconds. The very small plugin and that's done. So if I go to configure global security now, I will see that system read has appeared and I'll also see agent extended read and job extended read. So I've got a user, so I'm currently logged in as my admin user. I've also got another user called reader and I'm gonna grant reader system read, job read, job extended read and agent extended read. So I'll just give you a quick tour of what a system read user can see. So this is initially logged in. I've got two builds, one pipeline and probably one freestyle build, we'll see. So this is viewing a job configuration form. I'll show you again in a second, but there's very little configured on this build. Let's see if there's anything else in the other one. One change here is that there's a view configuration label rather than a configure just to try to indicate that it's not something that you can change. Okay, these don't have anything configured on them. That's okay. We go to manage Jenkins and then configure system. So one thing I wanted to highlight is that, so this is supposed to indicate to you that it's read only. It's done in a few ways. What's the one where possible? Form inputs have been removed and just changed to output plain text. So you see here, there's no input field and it's just text. And also we've been trying to explicitly indicate whether a field's set or not. And in some cases we have preserved the input because there's just technical issues really with some complicated JavaScript which is used to show and hide some of the nested fields. And it's very dependent on there being an input there of a specific type. So the ones that work have been disabled. Okay, these ones that seem to work.
But in general, in general you should see inputs either textual or disabled and you'll see that the save and apply buttons are not here. So we've removed all of those. If I go back to the manage Jenkins page. So these are all of the views that are available to you. It's not all of them. So there's a, I'll go back to administer just for a second. So this is the total number but most of the important ones are there and some more of them are coming hopefully during Hackfest. There's been a couple of requests already. And the last bit is the agents extended read. So I've just configured an agent which doesn't have anything actually set up. You can come in here and you can click view configuration on the agent and see what's been set up. And you see that these inputs here are actually disabled properly. So you can't click on them and you can go and view the agent's log. This agent's never connected so there's not actually anything there. And you can see some monitoring information and status information. So hopefully that will be useful. That's pretty much a quick tour. So you can see, you can see plugin updates and you can also, this is one of the few actions which you can do as system read is you can check for plugin updates. In general, all actions have been disabled and it's read only, but you can't cause any issues with this button. It just updates the cache basically. And you can see that there's a number of plugins that could do with an update which maybe through configuring, maybe through like a Docker image or it may be that an admin comes in here once every week or two and come in and update them depending on how you're set up. But you can come here and you can see what plugins are available and probably more importantly, what plugins are installed and what their version is. And you can see that I've installed a personal version of the Configuration as Code and just the number of plugins that are installed which hopefully will be useful in certain situations.
I think that's pretty much all; you're welcome to explore. Last one is just security. So I can see, I'm not on the latest version of Matrix Auth, but so the latest version of Matrix Auth will not show any of these controls but in general, you can see who has access which should hopefully be useful. So now it's time to go over to the code side of it. The first thing I wanna show is there's some, well, let me go back here. There's a blog post that was announced yesterday, I believe. So if you just wanna have an introduction to read through just go to the jenkins.io website and it's called Read-only Jenkins Configuration and it's currently the latest blog. So it's just going over what I've shown you, gives you the permission names, some background, some screenshots and how to use it. So if you want to refer back to how to get set up, you can refer here and some example configuration as code which will define a role for you and it has all the read roles that you will need. But what I came here to show you really is that there's a how-to guide that I've written that will hopefully help any developers trying to update either their plugins or the Jenkins core to support this. So the way that most of these read-only views have been done is based on a property that's set at the page level of whether it's in read-only mode or not, just based on the user's permission. Then the form tags adapt, which I'll show you an example of that in the code. So if I go to text... text field, textbox.jelly. So we've got this possible read-only field wrapper, which is for simple fields that, so when it's read-only mode, it outputs, it will output either the value as a text entry or just not applicable. Otherwise it will output the actual value that would be used if it's not read only. So that's used in a few places for simple fields, but if you have more complicated rendering then you won't be able to do that.
And also this is only available from 2.222-ish, which means that if you're updating a plugin you probably can't use this wrapper if you want to stay compatible. You'll have to directly check whether it's in read-only mode or not. But this is a good example of where to look. If you look at the form tags in Jenkins Core, so you can find those in, let me just collapse these. So you can find these in core, src/main/resources, lib/form. And so we've got, we've got fields like number, password, radio, radio block, submit, text box, validate button. So these are examples of certain form tags that are provided by the Jenkins Core form library. And so most plugins use these. So a lot of, I believe 95 plus percent of plugins don't need to make any changes. And out of the box they will look read only. They may need some adaptions on top to hide buttons that don't make sense in a read-only context. But so that's the main setup really. I've given examples in both Groovy and Jelly as there's Groovy-based views which have less examples normally. So that should hopefully help. There's also a couple of examples of partial read-only views. So I won't go too much into detail on it. So basically there's a concept of, there's a permission called Jenkins slash manage which allows you to edit certain permissions but not others. And if you combine with system read, there's a way to only set read only to certain fields. The Jelly tag is the same. The Jelly tags allow you to nest. Basically it's the closest parent that sets read-only mode. So you can set read-only mode at the top and then you can un-set it in the child. So it's unlikely you'll come across that. But there's an example of how to do that. And here's an example of many different types.
So what I'm going to show you, one, so we're going to do this in a plugin and it will likely be related to this section here, allowing access to a view. Views are quite often protected by permission checks at the Jelly level and sometimes at the code level as well. So I think let's just get to it and you can use this as a guide to refer to. So I've picked a plugin. It's called the Docker plugin. I've just checked out this repo. I need to set it up so that I can run it from my IDE. So I use IntelliJ and I just set it up with a Maven run. And then I use the hpi:run command line and the quick-build profile. And then just set a couple of settings here. I'll set a non-default port as I'm already running on port 8080. I also set that so that it doesn't pop up and annoy me. And the first thing to look at is the POM file. So this was released in 2.222. So I'm going to want to test it on a version that has that. It's currently using 2.60. So for testing purposes, I'm just going to update that to the latest version, but I won't check that in as this will be compatible in both directions. The next thing that I need to do is when you're updating the version, you normally need to use a more recent version of the parent POM. So I probably won't check this one again, but I'll just use it so that it works for me locally. And the last thing... Well, first, the next thing here is let's just start it up and see what it looks like. Basically, you're looking for anywhere where Jenkins.ADMINISTER is in the code. And so this is in a getTarget method. So getTarget is basically a proxy that gets called in the request chain when you're requesting a page. So there's the sort of hack, sort of intended behavior where you can just set the proxy and add a permission for the whole path. So this is what this is doing. We just started up. It should be almost started. We're getting Trilead compilation problems.
Perfect. It's likely to be a bigger change in there, but good luck.
Well, but that particular plugin was extracted out about 2.205, 2.204. So you're dependent on 2.222, right here, Tim?
I went for 2.238, just so it's...
Oh, even newer, great.
Just to show the weekly. It's starting now. I started this up earlier and I didn't know that problem, but here we go. We're up now. What did I choose? Okay, so yeah. So this is the right thing that I'm running. So what we're doing here is we're going to make the Docker plugin available. So if I go to configure global security, we're going to notice that I'm using the folder authorization strategy, which is actually going to show it. So let's just change that. The matrix-based security admin. Administer. So what we're going to see here is that, again, we don't have system read, but this is the plugin that's based on an old core version that doesn't have system read available. So what we need to do in this case is we need to add a dependency to the extended read permission plugin. And that has a shim that allows us access to... I'll show you the code just so it makes sense. And we'll just restart on there. So basically it tries to load the system read permission, and if it can't load it, it falls back to the administer permission. So on versions of Jenkins Core that have system read, then you get system read, and on versions that don't have it, it'll just be administer. So we need that installed. We need that installed in order to work with old core versions. So we found out that what we're looking for is a management link, which is what we found before. So anything on the slash manage page, which was those tiles on it, will extend from a management link. And access to a management link is governed by what's called the getRequiredPermission method. And by default, that is Jenkins.ADMINISTER. So we're going to need to override that to be SystemReadPermission.SYSTEM_READ.
And what we're also going to see is that, in that search before, I found a getTarget method, which is looking for ADMINISTER. So we just need to change that to call getRequiredPermission. That will fix that error. Check that for now. Cool. So I think that should probably be all we need. And I'm just going to, since all those methods were declared, I'm just going to hotswap that code into my running instance, because I'm attached with a debugger. And while that's happening, just primes. Oh, you see there, 74 classes reloaded or green. So that means that the two code changes have been hotswapped in. You can only do a hotswap if you're modifying code. You can't do it if you're adding new methods or fields or deleting methods. But if you can do it in line, it can make Jenkins development a lot quicker. So I'm just going to do system read. And this user here is going to get system read. He's also going to need overall read, as it's not granted by default. And that should be all the system. And you see here the Docker plugin has shown up now. If I click on it, I can view it. So that's quite unusual. Normally this would require a change to be done in the view. So let's go have a look at why that is. So this is the DockerManagement index.jelly. And if we look here in that layout tag permission, we see that it's loading it from the management link here. So it's actually just calling getRequiredPermission on this management link. So this is the first plugin I've seen this in. So it's nice we don't actually have to change it. It worried me a little bit when I first saw it. But it seems to work fine. And there we go. We've now added system read support to the Docker plugin.
So Tim, I didn't quite get why you didn't have to alter that class in the Java code that had the .ADMINISTER reference that you just showed. It was just because it was .ADMINISTER. It already had then granted. Was granted system read permission?
Which bit do you mean for the?
So the call to getRequiredPermission that you just referenced.
Yeah, that.
Oh, okay. I must have misread it. I thought it said system... thought it said administer, my mistake.
No, it was originally super.getRequiredPermission, which I just added earlier. So they have a hotswap in. And then I just changed it to be system read permission there.
Yep.
Any questions from the demo?
Yeah, I was just surprised about the choice of the plugin because yeah, Docker plugin is like one of the complex plugins. And in order to make it efficient, you would need other plugins. For example, Cloud Stats plugin on other areas, which will also need to be accessible as system read.
I did pick Cloud Stats plugin first. But fortunately or unfortunately, someone else has sent a pull request to make it compatible yesterday. So decided this morning I needed to choose a new plugin. And so this one.
Yeah. So do you plan to finish it for all controls in the plugin? Because it's also pretty big.
What other controls are there? This is the one I saw. But I don't really know this plugin.
Yes. So there is cloud configuration. Also, there is agent, which will likely work out of the box with agent permission. So yeah, I'm just trying to remember what else was configurable in this plugin because I also haven't used it for a while. Maybe I'm wrong and this plugin is actually not that big when it comes to Jelly files. So yeah, it includes a lot of pipeline documentation. So yeah, it also includes various connectors and other things. But all of that should be available from this web interface. So there should be no additional changes under the hood. But yeah, there is a lot of different connectors, strategies, et cetera. And in my case, this plugin was the main reason to move to JCasC on my own instances. Because configuring it was quite difficult.
Yeah, I'll try to take a look. Clouds should work out of the box, although it doesn't seem to be finding it for some reason.
Yeah, so right now I'm working on a bit of my configuration as code demo. And this demo includes Docker plugin. So assuming that you will stage your fix, I will be happy to pick it up from incrementals or from elsewhere. And then we can see it on the fully configured setup.
Cool. Just moving on from there. So what's next is, JENKINS-12548 is the epic. We've got about a dozen or so feature requests that are open. So we've had another contributor pick up a couple of them during HackFest. And the rest of them are all open for anyone to pick up. And we'd love it if you would take a look at it. And also we'd love feature requests or enhancement or bugs. So just testing, all of that is welcome. We're currently using this epic or if you do it during HackFest, you can just report it to the HackFest GitHub repo and we'll help route those to the right place. So this was initially implemented in just plugins. Sorry, just Jenkins Core. And this would be a good time for any plugins that need support to be added to it. The UI and user experience, while it's functional, could certainly be improved. And there's a couple of those issues that are related to that. If anyone has some UI experience, we'd much appreciate if you'd be able to take a look at it. We have a GitHub project which has a few pull requests open or merged. So we've got three open pull requests and we've got three merged that need releasing. So if there's any maintainers out there who want to be able to release those, that would be helpful for us as well. But so CloudStats has actually been merged already. So that's quite useful.
Yeah, the role strategy, I guess the ball is on my side. Yeah, I'll try to cut the release. There were some issues in the recent role strategy versions, but I don't think that this change will make it any worse. So I will take a look.
And yeah, just what I was saying before, create more feature requests and bugs so that we can get it over the line. How to contribute.
So we're interested in people testing. We're interested in any feedback. And so these slides will be shared afterwards. And you'll be able to get to these links. And the links are also available in the HackFest document that Oleg shared in the HackFest channel recently. And you can use them depending on which is the easiest for you to find. Or you should be able to find them on Jesus. You can use them quite easily. And it's just some more references. And that's everything for me. Do we have any questions?
Yes. So the approximate timeline for this feature. It's rather common. We have a new LTS baseline landing. Next month. And after that we will have LTS baseline in September. So at this, our ideal goal is to have everything delivered by September. If you see a plugin which is lacking support for the read-only permission. So if you see a use case where you could make it better. Feedback would be much appreciated so that we could coordinate this effort and deliver a great user experience for the next releases.
Tim, is there any guidance you want to offer as I'm considering how we phrase the 2.235 release notes, the change log. So it's not, it won't have the full system read experience, but it does have some of the changes. Are there any, is there any guidance you want to give me there on how we should describe that, how we should introduce it.
So it's got, it's got all of the, it's got all system read except for cloud of what's been done so far. And so it's missing, so it's missing something, the agent extended read, which is part of the read-only Jenkins as a whole. So it's, but it's just cloud that's missing. We managed to get everything except for the one, one pull request done. So yeah, system read beta is mostly complete.
So good. So then we want to encourage people to test the 2.235 release candidate and look at system read in that context.
It's a reliable place to, they don't even have to go all the way to 2.238 to, to have a reasonable experience with system read.
Yeah. So yeah, probably a grant permission to talk to participants. There was no questions in the corner, but just in case somebody wants to ask something, please do so. If you have any feedback, it will be much appreciated. Okay. If not, yeah, thanks a lot, Tim, for the presentation. And let's try to facilitate some contributions around this story. So in the morning we had a discussion about how we could help contributors and how we could help them to navigate through the stories and project ideas we have published. So if you want to ask something about contributing or if you want to just share your feedback, please let us know in the chat. Or I stop the recording and we can discuss it now ahead of office hours, which are scheduled in 20 minutes, but we can spend some time now as well.