Merge "Only release-engineering can promote release images"
diff --git a/docker-mirror-images.groovy b/docker-mirror-images.groovy
index 0de5590..e2db99e 100644
--- a/docker-mirror-images.groovy
+++ b/docker-mirror-images.groovy
@@ -39,12 +39,12 @@
def getImageInfo(String imageName) {
String unique_image_id = sh(
- script: "docker inspect --format='{{index .RepoDigests 0}}' '${imageName}'",
- returnStdout: true,
+ script: "docker inspect --format='{{index .RepoDigests 0}}' '${imageName}'",
+ returnStdout: true,
).trim()
String imageSha256 = unique_image_id.tokenize(':')[1]
common.infoMsg("Docker ${imageName} image sha256 is ${imageSha256}")
- return [ 'id': unique_image_id, 'sha256': imageSha256 ]
+ return ['id': unique_image_id, 'sha256': imageSha256]
}
def imageURL(String registry, String imageName, String sha256) {
@@ -61,6 +61,20 @@
}
}
+def userInGroups(groups) {
+ def userIdCause = currentBuild.rawBuild.getCause(hudson.model.Cause$UserIdCause)
+ if (userIdCause) {
+ String currentUserName = userIdCause.getUserName()
+ @SuppressWarnings('UnnecessaryCollectCall')
+ ArrayList authorities = Jenkins.instance.securityRealm.loadUserByUsername(currentUserName).getAuthorities().each {
+ it.toString()
+ }
+ return (authorities.intersect(groups).size()) > 0
+ }
+ common.warningMsg('can\'t read userIdCause for current build')
+ return false
+}
+
timeout(time: 4, unit: 'HOURS') {
node(slaveNode) {
def user = ''
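Review bot: In `userInGroups`, `.each { it.toString() }` returns the original authorities collection, not the stringified names, so `authorities.intersect(groups)` compares authority objects with the strings in `groups` and is likely always empty. The `@SuppressWarnings('UnnecessaryCollectCall')` hints that `collect` was intended, e.g. `List authorities = Jenkins.instance.securityRealm.loadUserByUsername(userId).getAuthorities().collect { it.toString() }`. The lookup key should probably come from `userIdCause.getUserId()`, because `getUserName()` returns the display name, which can differ from the login id. As written the function fails closed, so release-engineering members would be denied as well. A short comment stating that builds without a `UserIdCause` (timer or upstream triggers) are denied on purpose would help the next reader.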
@@ -69,6 +83,19 @@
}
currentBuild.description = "${user}: [${env.SOURCE_IMAGE_TAG} => ${env.IMAGE_TAG}]\n${env.IMAGE_LIST}"
try {
+ // Check if user can run this job
+ allowedGroups = ['release-engineering']
+ releaseTags = ['proposed', 'release', 'testing', '2018', '2019', '2020']
+ tags = [env.SOURCE_IMAGE_TAG, env.IMAGE_TAG]
+ tagInRelease = tags.any { tag -> releaseTags.any { tag.contains(it) } }
+ if (tagInRelease) {
+ if (!userInGroups(allowedGroups)) {
+ error: "You - ${currentUserName} - don't have permissions to run this job with tags ${tags}!"
+ } else {
+ echo "User `${currentUserName}` belongs to group `${env.JENKINS_ADMIN_GROUP}`. Proceeding..."
+ }
+ }
+
stage("Mirror Docker Images") {
def images = IMAGE_LIST.tokenize('\n')
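Review bot: The denial branch does not call the `error` step, because `error: "..."` parses as a Groovy label followed by a string expression, so the group check does not abort the build by design. Both messages also interpolate `currentUserName`, which is local to `userInGroups`, and the success message names `env.JENKINS_ADMIN_GROUP` rather than the group that was checked; evaluating them probably throws a MissingPropertyException inside the `try`, whose handler is outside this hunk. Suggest `error("You - ${user} - don't have permissions to run this job with tags ${tags}!")` and `echo "User ${user} belongs to one of ${allowedGroups}. Proceeding..."`. Separately, `releaseTags` matches by substring with hard-coded years, so a tag carrying a later year would skip the check, and a null `env.SOURCE_IMAGE_TAG` or `env.IMAGE_TAG` would throw at `tag.contains(it)`. Declaring `allowedGroups`, `releaseTags`, `tags` and `tagInRelease` with `def` would keep them out of the script binding.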
@@ -122,8 +149,8 @@
def unique_image_id = tgtImageInfo['id']
def tgtImgUrl = imageURL(targetRegistry, targetImageFull, tgt_image_sha256) - '/manifest.json'
artifactoryProperties = [
- 'com.mirantis.targetTag' : env.IMAGE_TAG,
- 'com.mirantis.uniqueImageId': unique_image_id,
+ 'com.mirantis.targetTag': env.IMAGE_TAG,
+ 'com.mirantis.uniqueImageId': unique_image_id,
]
if (external) {
artifactoryProperties << ['com.mirantis.externalImage': external]
@@ -138,7 +165,7 @@
}
// %5C - backslash symbol is needed
historyProperties.add("${buildTime}%5C=${sourceImage}")
- artifactoryProperties << [ 'com.mirantis.versionHistory': historyProperties.join(',') ]
+ artifactoryProperties << ['com.mirantis.versionHistory': historyProperties.join(',')]
common.infoMsg("artifactoryProperties=> ${artifactoryProperties}")
common.retry(3, 5) {
mcp_artifactory.setProperties(tgtImgUrl, artifactoryProperties)