Issue
-
I need to rename a Jenkins controller but I have RBAC setup on the controller that needs to be deleted
-
I want to backup RBAC configuration of my client controller
Resolution
Background
-
The RBAC configuration of the root of a Jenkins instance is defined in the
$JENKINS_HOME/nectar-rbac.xmlfile. -
The RBAC configuration of items of a Jenkins instance is defined in the
config.xmlof the corresponding item.
Client controllers
If the Jenkins instance is attached to an Operations Center that enforces the Authorization Strategy, the nectar-rbac.xml is maintained by the CJOC. In that case the RBAC settings are actually defined in the config.xml of the Client controller item on CJOC. CJOC pushes the configuration by overriding the Client controller’s nectar-rbac.xml whenever changes are detected.
So in order to backup the RBAC settings of a Client controller with RBAC managed by CJOC, what is important is the config.xml of the Client controller item in CJOC.
Rename a Client controller
You need to purge the CJOC configuration attached to your CJE instance and recreate the client controller from scratch following these steps:
-
Take backup of the
config.xmlfile of the Client controller item (for example$CJOC_HOME/jobs/old-client-master/config.xml) -
ReleaseandDeletethe Client controller item from CJOC -
Stop CJE instance
-
Delete the following files for CJE (client controller) to entirely remove the link to CJOC:
-
$JENKINS_HOME/license.xml
-
$JENKINS_HOME/operations-center-cloud*
-
$JENKINS_HOME/operations-center-client*
-
$JENKINS_HOME/com.cloudbees.opscenter.client.plugin.OperationsCenterRootAction.xml
-
-
Disable Security in CJE by editing the
$CJE_HOME/config.xmlfile.Locate this line:
<useSecurity>true</useSecurity>
And changing it to
<useSecurity>false</useSecurity>
-
Start the CJE instance
-
From CJOC, create a new Client controller item
-
Configure the Licensing strategy that you want to use
-
Connect the client controller either by push configuration from CJOC or manually from CJE
-
After the two are connected again, copy the
ConnectedMasterProxyGroupContainerproperty of the backupconfig.xml:<!--Start: We copy the following property --> <com.cloudbees.opscenter.server.rbac.ConnectedMasterProxyGroupContainer plugin="operations-center-rbac@2.7.0.0"> [...] </com.cloudbees.opscenter.server.rbac.ConnectedMasterProxyGroupContainer> <!--End: We copy the following property -->Paste it in the
config.xmlof the new Client controller item:<com.cloudbees.opscenter.server.model.ClientMaster plugin="operations-center-server@2.7.0.0"> <actions/> <id>0</id> <encodedName>new-client-controller</encodedName> <idName>0-new-client-controller</idName> <timeStamp>1477374936749</timeStamp> <grantId>XXX-XXX-XXX-XXX</grantId> <approved>true</approved> <localEndpoint>https://allan.cje.com:8081/</localEndpoint> <identity>XXXXXXXXXXXXXX</identity> <properties class="com.cloudbees.opscenter.server.model.ConnectedMaster$PropertyList"> <com.cloudbees.opscenter.server.metrics.health.ConnectedMasterHealthCheckProperty plugin="operations-center-monitoring@2.7.0.0"> <enabled>true</enabled> </com.cloudbees.opscenter.server.metrics.health.ConnectedMasterHealthCheckProperty> <!-- Start: We copy from here --> <com.cloudbees.opscenter.server.rbac.ConnectedMasterProxyGroupContainer plugin="operations-center-rbac@2.7.0.0"> [...] </com.cloudbees.opscenter.server.rbac.ConnectedMasterProxyGroupContainer> <!-- End --> </properties> <state>Approved</state> </com.cloudbees.opscenter.server.model.ClientMaster> -
Reload the Client controller item by appending
/reloadto the new Client controller item URL (for example$CJOC_URL/job/new-client-master/reload) -
Click on Try Posting. This should result in a blank page (sign that the reload worked).
| It might take few seconds until the RBAC config is push to the controller. |