Develocity Access Control for Build Cache Migration Guide

Build Cache node access control configured via Cache access control is deprecated.

Use this guide to migrate to Develocity access control for Build Cache access.

Before You Begin

  • Ensure you can view the existing Build Cache access control configuration (in the UI or in the Build Cache node configuration file).

  • Ensure you have access to manage users and access control in Develocity.

Migrate Named Users

Named users are the non-anonymous users defined in the Build Cache node Cache access control settings.

Example of Named Users
Example of Named Users

The same settings can also be found in Build Cache node configuration files, for example:

cache:
  accessControl:
    users:
      ci-user:
        password: "«salt-hash-string»"
        level: "readwrite"

For details, see the Cache access control section of the Build Cache Node User Manual.

These users correspond to local Develocity users. For details, see local user management.

For each named user, ensure a corresponding local Develocity user exists. If you need to create one, see Create a local user.

 Passwords assigned to any local Develocity user aren’t used for Build Cache authentication. They’re only used for accessing the user settings to generate an access key for the user.

A common scenario is that all developers and CI agents already have a Develocity account (with generated access keys) to use other Develocity features. In that case, it’s only necessary to ensure that the existing user accounts have the correct user roles assigned to grant the desired level of access to the Build Cache.

When assigning user roles, re-use the following predefined roles:

  • CI Agent - for users that should be able to read and write Build Cache data

  • Developer - for users that should only be able to read Build Cache data

For details about predefined roles and permissions, see Predefined roles.

Configure Access Keys for Builds

User-based authentication requires users to provide their assigned usernames and passwords when accessing the Build Cache. Those credentials need to be replaced by a generated access key to grant access to the Build Cache.

If a user doesn’t already have an access key, it can be generated by following these steps:

  1. Log in to a Develocity instance using named user credentials.

  2. Navigate to My Settings  Access keys.

  3. Click Generate.

  4. Optionally enter a key title and click Generate.

  5. Copy the generated access key.

After reconfiguring builds to use access keys (described in the following sections), delete the corresponding legacy user definition from the Build Cache access control page.

Gradle Builds

Develocity Build Cache Connector

For Gradle builds, apply the Develocity Build Cache Connector. The access key configured for the Develocity Gradle plugin is inherited automatically for Build Cache access.

Built-in HTTP Connector

If you cannot apply the Develocity Build Cache connector, configure the built-in HTTP Build Cache connector to use an access key:

  1. Set the username to be empty. The configuration should maintain a defined username, even if no value is provided.

  2. Set the password to the access key value.

Maven Builds

See the Authenticating with Develocity section of the Develocity Maven Extension User Manual for details.

Bazel Builds

See the Authenticating section of the Develocity Bazel Configuration Guide for details.

Migrate Anonymous User Permissions

Anonymous user permissions are represented by the (anonymous) username in the “Cache access control” settings:

Anonymous User Permissions Configuration Overview
Anonymous User Permissions Configuration Overview

The same settings can also be found in Build Cache node configuration files, for example:

cache:
  accessControl:
    anonymousLevel: "read"
    level: "readwrite"

For details, see the Cache access control section of the Build Cache Node User Manual.

The Build Cache permissions correspond to the following Develocity permissions configured on Administration  Access control  Anonymous access:

  • Read Build Cache data

  • Read and write Build Cache data

 For details about supported permissions, see Permissions and roles.

For details about anonymous access and the Build Cache related permissions, see Anonymous access and permissions.

The mapping between those permissions is presented in the table below:

Anonymous Build Cache permission Develocity permission

None

(no Build Cache related permission granted)

Read

  • Read Build Cache data

  • Read Build Cache data and write Bazel CAS data

Read and write

  • Read Build Cache data

  • Read Build Cache data and write Bazel CAS data

  • Read and write Build Cache data

After migrating the anonymous permissions to be managed by Develocity, set the original anonymous Build Cache permission back to its default value (“None”).

Clear Deprecation Warnings

Develocity will display a warning notice for every Build Cache node (and separately for the “Built-in” Build Cache) that applies deprecated access control settings.

The message will disappear when the node’s configuration is restored to its default state:

  1. The anonymous user access is disabled (set to “None”).

  2. There are no Build Cache users defined in the Build Cache access control section.