[Urgent] Maven repo credentials

(Cintia Del Rio) #1

Hi everyone,

cc @jwnasambu, @dkayiwa, @burke, @whiscard

If your CI or your user in our maven repo stopped working, there’s a reasonable explanation.

We recently had a credentials leak there. As we have so many users there by now, it’s a little bit hard to keep track of things.

I disabled all the users for whom it wasn’t obvious why access is needed.

I did two things on each user:

  • disabled UI access
  • removed permissions

I will send an email for each one.

If you are affected and your CI stopped working, please tell us here and the access will be immediately re-enabled (but CI users won’t have UI access to jfrog). As releases should be done by CI, this is a must.

If you believe you have any reason to need personal permissions to certain repositories (and you are /dev/4 or /dev/5), just raise your hand, tell us the repo and the reason, and it will be readily re-enabled.

Please, @dkayiwa and @whiscard, help me while I am sleeping, to make sure we recover access only for the people who need it.

If you are not a /dev/4 and you need access, I will need a much better explanation of why your release cannot be done via CI.

(Cintia Del Rio) #2

Please do not grant permission to jfrog for new people. Let’s try to keep that access controlled.

(Daniel Kayiwa) #3

Thanks @cintiadr for this update!

(Wesley Brown) #4

@cintiadr We were given access to jfrog to be able to release our modules (the OpenHMIS modules) in a similar fashion to how we did with the old nexus repository. This could include access for myself, @whiscard, and maybe @insiderish; I am not sure who all was given access.

If there is another method for us to be able to include our modules that we should be using, please just let us know.

(Cintia Del Rio) #5

I’m not sure if you are using our CI (ci.openmrs.org) or other, but the best way is to always release things from CI. Let me know if you need a CI user.

(Wesley Brown) #6

We use our own CI (teamcity.openhmisafrica.org) but never automated publishing our modules into the OpenMRS repo. Is there any guidance on how we can push our releases to the jfrog repo using our own CI?

(Cintia Del Rio) #7

Turns out I never created it because I think no one else was using it. We do have docs on how to configure it in our own Bamboo, but adding it to your CI shouldn’t be so hard.

I’m going to write docs on how to do that, and leverage the release scripts we are using. Also you’d have a ‘service’ account, so anyone with access to CI would be able to deploy a release without having to ask for personal credentials :slight_smile:

Regardless, for now I granted access back to you (and added @whiscard just in case). I don’t think @insiderish had an account before.

(Cintia Del Rio) #8

So @ibewes, I created https://wiki.openmrs.org/display/docs/Configuring+Release+plans+from+other+CIs

Apparently, I do have another two groups (PIH and UgandaEMR) who semi-regularly release modules and use other CIs.

(Wesley Brown) #9

Thanks! We will review this and try to get it set up on our end.

(Daniel Kayiwa) #10

@cintiadr do you think we should also update this page and explicitly say that releases should be done via CI? https://wiki.openmrs.org/display/docs/Module+Release

(Cintia Del Rio) #11

Well, @dkayiwa, that documentation covers modules not deployed to our jfrog repository.

So, it’s either a module released by CI (and to our jfrog), or people can use that wiki page and deploy to their bintray.

(Cintia Del Rio) #12

What’s very important from now on is to not grant access to our jfrog.

Community modules should be released via ci.openmrs.org; modules that are not maintained by the community should go to a personal bintray.

The only gray area is the groups (e.g. PIH, UgandaEMR) that already had their modules deployed to our jfrog repo. I do want them to eventually configure the releases from their CI, but I know that for now they might need.

(Kaweesi Joseph) #13

Hi, I probably need access. It seems that somehow, after a restart following clearing part of my tmp directory, I can’t even run OpenMRS using the SDK; I need to set up a true encrypted password in ~/.m2/settings-security.xml.

(Stephen Senkomago Musoke) #14

@k.joseph You do not need Jfrog access to use the SDK, as its all public repos.

What error are you getting?

(Kaweesi Joseph) #15
[DEBUG] Failed to decrypt password for server bintray-sdk: org.sonatype.plexus.components.sec.dispatcher.SecDispatcherException: java.io.FileNotFoundException: ~/.m2/settings-security.xml (No such file or directory)

I have created the file, but I am not sure what master password is expected for bintray-sdk.

(Stephen Senkomago Musoke) #16

What if you removed the encrypted password settings from your .m2/settings.xml?

(Kaweesi Joseph) #17

I don’t think I have that defined anywhere: https://gist.github.com/kaweesi/5cb26849660353917c24eae77c384420

(Stephen Senkomago Musoke) #18

Try changing ${env.BINTRAY_USER} and ${env.BINTRAY_API_KEY} to your unencrypted username and password.
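The error in #15 and the suggestions in #16 and #18 come down to how each `<server>` in settings.xml stores its password: an encrypted `{...}` value needs ~/.m2/settings-security.xml to exist, an `${env.…}` placeholder needs the variable set, and a plaintext value is the kind of thing that ends up in a credentials leak. The following is an added example (not code from the thread or from OpenMRS) that audits a settings.xml for these three cases; the sample settings.xml, server ids and password values are constructed.

```python
"""Audit a Maven settings.xml for how each <server> stores its password.

Constructed example, not from the thread: classifies each <server> entry as
plaintext, Maven-encrypted ({...}, which needs ~/.m2/settings-security.xml),
or an environment-variable placeholder such as ${env.BINTRAY_API_KEY}.
"""
import re
import xml.etree.ElementTree as ET

# Maven treats a {base64...} token inside the value as an encrypted password.
ENCRYPTED_RE = re.compile(r"(?<!\\)\{([^}]*?)(?<!\\)\}")
ENV_RE = re.compile(r"\$\{env\.[A-Za-z_][A-Za-z0-9_]*\}")

def classify_password(value):
    """Return 'missing', 'env', 'encrypted' or 'plaintext' for a <password> value."""
    if value is None or not value.strip():
        return "missing"
    if ENV_RE.search(value):          # checked first: ${env.X} also contains braces
        return "env"
    if ENCRYPTED_RE.search(value):
        return "encrypted"
    return "plaintext"

def audit_settings(settings_xml, security_file_exists):
    """Map each server id to its password kind and list the findings.

    security_file_exists says whether ~/.m2/settings-security.xml is present;
    without it Maven cannot decrypt {...} passwords (the FileNotFoundException
    quoted in the thread).
    """
    root = ET.fromstring(settings_xml)
    # settings.xml may or may not declare the Maven namespace; handle both.
    ns = root.tag.split("}")[0] + "}" if root.tag.startswith("{") else ""
    kinds, findings = {}, []
    for server in root.iter(ns + "server"):
        sid = server.findtext(ns + "id")
        kind = classify_password(server.findtext(ns + "password"))
        kinds[sid] = kind
        if kind == "plaintext":
            findings.append(f"{sid}: plaintext password in settings.xml")
        elif kind == "encrypted" and not security_file_exists:
            findings.append(f"{sid}: encrypted password but no settings-security.xml")
    return kinds, findings

# Constructed sample: one encrypted, one env-var based, one plaintext server.
SAMPLE_SETTINGS = """<settings><servers>
  <server><id>repo-ci</id><username>ci</username><password>{Q0hBTkdFTUU=}</password></server>
  <server><id>bintray-sdk</id><username>${env.BINTRAY_USER}</username><password>${env.BINTRAY_API_KEY}</password></server>
  <server><id>old-nexus</id><username>me</username><password>hunter2</password></server>
</servers></settings>"""

if __name__ == "__main__":
    for finding in audit_settings(SAMPLE_SETTINGS, security_file_exists=False)[1]:
        print(finding)
```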

(Cintia Del Rio) #19

As mentioned by @ssmusoke, all our packages are public and do not require authentication to download.

My question would be: why do you need to add https://dl.bintray.com/openmrs/maven/ to your settings.xml?

(Kaweesi Joseph) #20

Well, but then which account would that be, if you are saying no account is required and it’s public?