Azure devops 服务连接和中心管道
[英]Azure devops service connection and central pipeline
问题描述
I have a requirement of giving multiple teams access to a shared resource in azure. I therefore want to limit how people can publish changes to the shared resource.
我需要让多个团队访问 azure 中的共享资源。因此我想限制人们如何发布对共享资源的更改。
The idea is to limit the use of a service connection to a specific pipeline, as per this documentation .这个想法是根据此文档将服务连接的使用限制到特定管道。 However if the pipeline is stored in their own repo the developer could change it.但是,如果管道存储在他们自己的仓库中,开发人员可以更改它。 This would not give me enough control.这不会给我足够的控制权。 I therefore found that it was possible using a template from a central repo .因此,我发现可以使用来自中央仓库的模板。 Using a shared repo, would then allow me to have a service connection solely for the template?使用共享存储库,是否会允许我仅针对模板建立服务连接?
So how I imagine doing the above is I need to grant project X a service connection for my BuildTemplates Repo.因此,我如何想象执行上述操作是我需要为我的 BuildTemplates Repo 授予项目 X 服务连接。 But this is basically just access to the repo and to be able to use the shared templates.但这基本上只是访问存储库并能够使用共享模板。 Then in BuildTemplates repo I can have a service connection for my template A.然后在 BuildTemplates 存储库中,我可以为我的模板 A 建立服务连接。
Now the developer in project X - creates her deployments and configurations for her pipeline with her own service connection scoped for her resources.现在项目 X 中的开发人员使用她自己的服务连接为她的资源创建她的管道的部署和配置。 Then she inherits a template from BuildTemplates Repo and passes relevant parameters for the template A.然后她从BuildTemplates Repo继承了一个模板,并为模板A传递了相关参数。
She cannot alter the template pipeline A and only the template pipeline A can publish to the shared resource, because of the scoped service connection.由于作用域服务连接,她无法更改模板管道 A,并且只有模板管道 A 可以发布到共享资源。 I can therefore create relevant guards for the shared azure resource in the template pipeline A - so I restrict how developer X can publish to my shared azure resource.因此,我可以在模板管道 A 中为共享的 azure 资源创建相关的守卫——因此我限制了开发人员 X 如何发布到我的共享的 azure 资源。
- does this make sense and is it viable?这有意义吗?可行吗?
- The pipeline part in A cannot be edited by developer in X? A 中的管道部分不能由 X 中的开发人员编辑?
- The service connection in A will not propagate out so developer in X can use it in an inappropriate way? A 中的服务连接不会传播出去,因此 X 中的开发人员可以以不适当的方式使用它?
Update更新
The above solution does not seem to be viable since the pipeline template is executed in the source branch scope.上述解决方案似乎不可行,因为管道模板是在源分支 scope 中执行的。
Proposed Solution建议的解决方案
The benefits I see with the above suggestion doe not seem possible, because of the issues.由于这些问题,我从上述建议中看到的好处似乎是不可能的。 However one can utilise pipeline triggers, as a viable solution.但是,可以利用管道触发器作为一种可行的解决方案。 This however results in a new issue.然而,这会导致一个新问题。 When a pipeline is triggered by Developer Y in Y's repository and it succeeds.当 Y 的存储库中的开发人员 Y 触发管道并成功时。 Then a trigger is made in MAIN repository and the pipeline in MAIN fails eg, because the artifacts from Y introduced an Issue.然后在 MAIN 存储库中创建一个触发器,并且 MAIN 中的管道失败,例如,因为来自 Y 的工件引入了一个问题。 How does developer Y get notified about the issues in MAIN pipeline?开发人员 Y 如何获得有关 MAIN 管道中问题的通知?
1 个解决方案
解决方案1
0 2022-02-10 03:19:13
Here is my solution, in same Azure organization, we can create a Azure Project, then create a repo to save common pipeline template.这是我的解决方案,在同一个 Azure 组织中,我们可以创建一个 Azure 项目,然后创建一个 repo 来保存通用管道模板。 All the repos in other Azure project can access this pipeline template.其他 Azure 项目中的所有 repos 都可以访问此管道模板。
UserProject/UserRepo/azure-pipelines.yml UserProject/UserRepo/azure-pipelines.yml
trigger:
branches:
include:
- master
paths:
exclude:
- nuget.config
- README.md
- azure-pipelines.yml
- .gitignore
resources:
repositories:
- repository: devops-tools
type: git
name: PipelineTemplateProject/CommonPipeline
ref: 'refs/heads/master'
jobs:
- template: template-pipeline.yml@devops-tools
PipelineTemplateProject/CommonPipeline/template-pipeline.yml PipelineTemplateProject/CommonPipeline/模板-pipeline.yml
Since the inline script of pipeline has 5000 characters limitation, you can put your script(not only powershell, but also other languages) in PipelineTemplateProject/CommonPipeline/scripts/test.ps1由于管道的内联脚本有5000个字符的限制,您可以将脚本(不仅是powershell,还包括其他语言)放在 PipelineTemplateProject/CommonPipeline/scripts/test.ps1
# Common Pipeline Template
jobs:
- job: Test_Job
pool:
name: AgentPoolName
steps:
- script: |
echo "$(Build.RequestedForEmail)"
echo "$(Build.RequestedFor)"
git config user.email "$(Build.RequestedForEmail)"
git config user.name "$(Build.RequestedFor)"
git config --global http.sslbackend schannel
echo '------------------------------------'
git clone -c http.extraheader="AUTHORIZATION: bearer $(System.AccessToken)" -b $(ToolsRepoBranch) --single-branch --depth=1 "https://PipelineTemplateProject/_git/CommonPipeline" DevOps_Tools
echo '------------------------------------'
displayName: 'Clone DevOps_Tools'
- task: PowerShell@2
displayName: 'Pipeline Debug'
inputs:
targetType: 'inline'
script: 'Get-ChildItem -Path Env:\ | Format-List'
condition: always()
- task: PowerShell@2
displayName: 'Run Powershell Scripts'
inputs:
targetType: filePath
filePath: 'DevOps_Tools/scripts/test.ps1'
arguments: "$(System.AccessToken)"
Notes: Organization Setting - Settings - Disable Limit job authorization scope to current project for release pipelines备注:Organization Setting - Settings - Disable Limit job authorization scope to current project for release pipelines
Organization Setting - Settings - Limit job authorization scope to current project for non-release pipelines Organization Setting - Settings - Limit job authorization scope to current project 对于非发布管道
Check some option in project setting as well.还要检查项目设置中的一些选项。
So the normal user only access their own repo, cannot access DevOps project, and DevOps owner can edit template pipeline only.所以普通用户只能访问自己的 repo,不能访问 DevOps 项目,DevOps 所有者只能编辑模板管道。
For the notification issue, I use an Email extention "rvo.SendEmailTask.send-email-build-task.SendEmail@1"对于通知问题,我使用 Email 扩展名“rvo.SendEmailTask.send-email-build-task.SendEmail@1”
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.