Defining my own project type

66 views
Skip to first unread message

Miguelangel Fernandez

unread,
Jan 11, 2018, 6:02:55 AM1/11/18
to Jenkins Developers
Hi everyone,

I have a very specific use case. All my Jenkins users must be allowed to create jobs that do a very specific thing. Not generic jobs. But jobs that are all created from the same template.

I use the Job DSL plugin to create these jobs, and the jobs created all use the same pipeline code.

Now, I'd like to remove the users' permission to create any other type of job except this one. So that when the user clicks "New Item" the Freestyle, Pipeline, Maven, etc options are hidden or disabled and only my new job type can be chosen.

What's the best way to go about this? My plan is as follows:

  • What's the appropriate extension point to define a new job type? Or what's a good plugin to look at to get an idea?
  • How do I disable or hide all other project types? I'm thinking I'll need to define my own Permissions.
  • How can I hook into my existing DSL job so that the creation of my job will fire the seeder I already have?

Thank you,


Jesse Glick

unread,
Jan 12, 2018, 5:30:52 PM1/12/18
to Jenkins Dev
On Thu, Jan 11, 2018 at 6:02 AM, Miguelangel Fernandez
<miguela...@gmail.com> wrote:
> what's a
> good plugin to look at to get an idea?

For what it’s worth: the CloudBees Templates plugin, along with the
Folders Plus plugin, allows precisely your use case. (Templatized jobs
are not a new item type; rather, the template UI conceals the standard
creation and configuration options.)

Writing a similar feature from scratch would be, well, a lot of work.
Most admins would instead just use Job DSL and deny Job/Create and
Job/Configure to regular users, requiring all modifications to be done
as change requests to DSL sources.

Miguelangel Fernandez

unread,
Jan 15, 2018, 10:47:08 AM1/15/18
to Jenkins Developers
Thank you for the advice, Jesse.
The Templates Plugin is a feature of Cloudbees Jenkins, not a free open-source plugin. I don't have the budget for CloudBees Jenkins so I've started trying my hand at developing my own project type -which is the first of the items I've outlined above. Doing well so far -and having fun at it. I'd appreciate some pointers on implementing the other two:
  • Disable Freestyle, Folder and Pipeline jobs from the "New Item" view.
  • Fire a Job DSL script from my plugin's java code.

Thank you,

Daniel Beck

unread,
Jan 15, 2018, 11:52:18 AM1/15/18
to jenkin...@googlegroups.com

> On 15. Jan 2018, at 16:47, Miguelangel Fernandez <miguela...@gmail.com> wrote:
>
> • Disable Freestyle, Folder and Pipeline jobs from the "New Item" view.

https://github.com/daniel-beck/hide-maven-plugin/ does something similar and should be adaptable for this.

But note that this does not mean such projects cannot be created; POSTing a config.xml still works, as does copying existing projects.

Jesse Glick

unread,
Jan 15, 2018, 11:54:08 AM1/15/18
to Jenkins Dev
Right, you can use `DescriptorVisibilityFilter` if you are in a collegial environment.

Robert Sandell

unread,
Jan 16, 2018, 5:20:19 AM1/16/18
to jenkin...@googlegroups.com
A much more involved alternative would be to implement your own AuthorizationStrategy and deny regular users create permission on specific TopLevelItemdescriptor types.

-V

2018-01-15 17:54 GMT+01:00 Jesse Glick <jgl...@cloudbees.com>:
Right, you can use `DescriptorVisibilityFilter` if you are in a collegial environment.

--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-dev+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CANfRfr0YJiyrd6xPUu3jB4sqPH02qbA7vSxqPJkiomBC89gP9g%40mail.gmail.com.

For more options, visit https://groups.google.com/d/optout.



--
Robert Sandell
Software Engineer
CloudBees, Inc.
CloudBees-Logo.png
Twitter: robert_sandell

Miguelangel Fernandez

unread,
Jan 17, 2018, 6:22:46 PM1/17/18
to Jenkins Developers
Great stuff guys.
As Daniel and Jesse suggested I've extended DescriptorVisibilityFilter the same way the Hide Maven Plugin does. This is a great first step.
Now I want to try Robert's idea to see whether I can make this a bit more granular and disable it only for certain user groups.
I had no idea I could do stuff like this with Jenkins, so thank you all of the awesome advice.


Jesse Glick

unread,
Jan 18, 2018, 12:51:24 PM1/18/18
to Jenkins Dev
On Wed, Jan 17, 2018 at 6:22 PM, Miguelangel Fernandez
<miguela...@gmail.com> wrote:
> I've extended DescriptorVisibilityFilter the
> same way the Hide Maven Plugin does.

Remember this just hides the link in the GUI. It has no effect on
CLI/REST usages, etc.

Miguelangel Fernandez

unread,
Jan 24, 2018, 8:21:34 AM1/24/18
to Jenkins Developers
Sure thing, Jesse. Thank you for pointing that out. I'll keep that in mind.
Do you know of a way to also disable these project types for CLI/REST usages? What should I look into? Any pointer in the general direction would be helpful.

Miguelangel Fernandez

unread,
Jan 24, 2018, 8:28:26 AM1/24/18
to Jenkins Developers
Doesn't Robert's suggestion address the CLI/REST issue?
If I extend it and use it in my own authorization strategy, I can deny create permission for the descriptor types of type freestyle, pipeline, etc.
But then again, I I've read that descriptors only define and bind the UI displayed, correct? Do the CLI and REST endpoints also depend on descriptors?

http://javadoc.jenkins-ci.org/hudson/security/ACL.html#hasCreatePermission-org.acegisecurity.Authentication-hudson.model.ItemGroup-hudson.model.TopLevelItemDescriptor-

public boolean hasCreatePermission(@Nonnull
                                   org.acegisecurity.Authentication a,
                                   @Nonnull
                                   ItemGroup c,
                                   @Nonnull
                                   TopLevelItemDescriptor d)
Checks if the given principal has the permission to create top level items within the specified item group.



On Thursday, 18 January 2018 18:51:24 UTC+1, Jesse Glick wrote:

Jesse Glick

unread,
Jan 24, 2018, 12:52:55 PM1/24/18
to Jenkins Dev
On Wed, Jan 24, 2018 at 8:28 AM, Miguelangel Fernandez
<miguela...@gmail.com> wrote:
> Doesn't Robert's suggestion address the CLI/REST issue?

Probably; try it.
Reply all
Reply to author
Forward
0 new messages