LDAP Group Authentication/Roles/Permissions

46 views
Skip to first unread message

Funkycybermonk

unread,
Nov 8, 2023, 11:33:39 AM11/8/23
to go-cd
Hello!

I'm trying to manage a pool of users that is going to change over time and their permissions across multiple GoCD servers. (regional server split)

I can add a group into permissions using the LDAP plugin, but it doesn't seem initially like the user permissions are inherited or managed by that group membership. Is it possible to do group based permissions from AD or does it have to be per-user?

I'm trying to minimize work since we'll have to manually replicate the roles and permissions across several servers. 

Thanks!

Chad Wilson

unread,
Nov 8, 2023, 2:09:28 PM11/8/23
to go...@googlegroups.com
There are multiple LDAP plugins, so it depends which one you are referring to. Sounds like you might want to look at https://github.com/gocd/gocd-ldap-authorization-plugin rather than the bundled 'authentication-only' version?

-Chad


--
You received this message because you are subscribed to the Google Groups "go-cd" group.
To unsubscribe from this group and stop receiving emails from it, send an email to go-cd+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/go-cd/4183dab6-4dad-4fd3-9055-01333843d0dbn%40googlegroups.com.

chan...@gmail.com

unread,
Nov 8, 2023, 3:00:04 PM11/8/23
to go...@googlegroups.com

Thanks! I’ll take a look. We are using the bundled version.

--
You received this message because you are subscribed to a topic in the Google Groups "go-cd" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/go-cd/YXdA8U4UNEY/unsubscribe.
To unsubscribe from this group and all its topics, send an email to go-cd+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/go-cd/CAA1RwH8fUnhEOODV7im%2BVU_xkTfkTEDkmpvsz_bhmDGcLrfWJA%40mail.gmail.com.

chan...@gmail.com

unread,
Nov 22, 2023, 9:11:47 AM11/22/23
to go...@googlegroups.com

Do you know if this plugin allows any configuration for static agent modify/admin permissions? Its doing exactly what I was looking for and mapping permissions from roles, and also applying the role permissions for pipeline groups. I’m trying to see if I can give certain users permissions to add resource tags or assign environments to agents without giving them full admin access to the server.

 

Thanks!

Chad Wilson

unread,
Nov 22, 2023, 12:41:58 PM11/22/23
to go...@googlegroups.com
Editing agent attributes via the UI requires wider server administration permissions. Don't think there is anything finer grained specifically for agent administration.

Generally speaking, to automate tagging resources and environments to agents it is done on the agent side configuration itself via "auto registration": https://docs.gocd.org/current/advanced_usage/agent_auto_register.html.

You can then subsequently control which jobs are allowed to use which logical environments and resources (i.e which agents they are able to be scheduled on) when using pipelines as code on the permissions for a config repository - but I do not believe that finer grained control is available if users use the GoCD UI or APIs to edit their pipelines/jobs (i.e they have direct edit/admin permissions for pipeline groups).

-Chad

Chantry Conkle

unread,
Nov 22, 2023, 12:53:34 PM11/22/23
to go-cd
Thanks! 

To view this discussion on the web visit https://groups.google.com/d/msgid/go-cd/CAA1RwH8-uVFze56viifrbiYTUStdp6%2BG87EmZQadv4dyy6Q3yA%40mail.gmail.com.
Reply all
Reply to author
Forward
0 new messages