As a volunteer who contributes puppet patches, I want to use the puppet-compiler to verify my patches do the right thing and don't break anything inadvertently.
To run the puppet compiler, one needs the 'Job/Build' permission in jenkins. From https://wikitech.wikimedia.org/wiki/LDAP/Groups it seems this is granted to all wmf employees (by giving them access to general jenkins administration). It doesn't seem to be granted to anyone else (but that isn't really documented, just viewable from the permissions settings in jenkins itself, which I cannot see).
This means I currently have to ask on the patch or IRC to find someone who runs it for me. This wastes both my time (by having to find someone to do it, often having to ask multiple times until anybody responds) and the time of whoever runs it.
I assume jenkins offers the possibility to use a more fine-grained way to assign a user the build permission only for that job (as opposed to for every job or the do whatever you like in jenkins permission granted to ldap/wmf).
- find out how to assign the build permission only for that job
- figure out what the security impact is of enabling someone to use the puppet compiler form
- based on that, decide which group to add that permission to (all logged in users, ldap/nda, some new group with a lower entry barrier than nda but a higher one than creating a account, ...)