[JIRA] [workflow-plugin] (JENKINS-27134) Permission for input approval, or choice of Jenkins-specific group as submitter

53 views
Skip to first unread message

jglick@cloudbees.com (JIRA)

unread,
Mar 23, 2016, 3:04:03 PM3/23/16
to jenkinsc...@googlegroups.com
Jesse Glick updated an issue
 
Jenkins / Improvement JENKINS-27134
Permission for input approval, or choice of Jenkins-specific group as submitter
Change By: Jesse Glick
Summary: Permission for input approval , or choice of Jenkins-specific group as submitter
Add Comment Add Comment
 
This message was sent by Atlassian JIRA (v6.4.2#64017-sha1:e244265)
Atlassian logo

pwolf@cloudbees.com (JIRA)

unread,
Jun 6, 2016, 11:20:03 AM6/6/16
to jenkinsc...@googlegroups.com
Patrick Wolf updated an issue
Change By: Patrick Wolf
Labels: api  followup  permissions

dbeck@cloudbees.com (JIRA)

unread,
Jul 30, 2016, 11:55:01 AM7/30/16
to jenkinsc...@googlegroups.com
Daniel Beck updated an issue
Change By: Daniel Beck
Labels: api followup new-permission permissions
This message was sent by Atlassian JIRA (v7.1.7#71011-sha1:2526d7c)
Atlassian logo

jglick@cloudbees.com (JIRA)

unread,
Aug 29, 2016, 1:33:02 PM8/29/16
to jenkinsc...@googlegroups.com
Jesse Glick updated an issue
Change By: Jesse Glick
Component/s: pipeline-input-step-plugin
Component/s: pipeline

jenkins@uhp-software.com (JIRA)

unread,
Sep 28, 2016, 9:26:05 AM9/28/16
to jenkinsc...@googlegroups.com
UHP commented on Improvement JENKINS-27134
 
Re: Permission for input approval, or choice of Jenkins-specific group as submitter

Is this also connected to the Role Strategy Plugin?
Or is it already possible to use a role defined with the Role Strategy Plugin as submitter?

jglick@cloudbees.com (JIRA)

unread,
Sep 30, 2016, 12:11:05 PM9/30/16
to jenkinsc...@googlegroups.com

If either of the extension points I proposed in my last comment were defined, then the Role Strategy plugin could in principle implement it. A CloudBees employee working on this would presumably focus on implementing it in the RBAC plugin that is included in CJP, though it would not be a bad idea to try two implementations to vet the API design for poor assumptions.

I would tend to prefer the first one as it is more generic. The practical difficulty is that actually defining it in core would prevent uptake from plugins (both pipeline-input-step, the caller, and implementers such as nectar-rbac or role-strategy) for months after this was merged, unless we use some tricks such as commenting out @Override in the implementations and having the caller look it up reflectively pending a newer core dep.

sam.mxracer@gmail.com (JIRA)

unread,
Oct 5, 2016, 3:33:02 PM10/5/16
to jenkinsc...@googlegroups.com

This proposal is not good for how my team works. We don't want "one person or group of people" to approve all parts of the pipeline. There's a whole approval process at my place of work (like Dev deployer, QA teams deploying, and an entire separate permission for production deployments). The current behavior is good enough. I don't see any advantage as to why you'd want this to be a specific permission unless you plan on creating a multi-permission structure for each individual input step (which to me sounds like overkill compared to the current behavior).

sam.mxracer@gmail.com (JIRA)

unread,
Oct 5, 2016, 3:33:02 PM10/5/16
to jenkinsc...@googlegroups.com
Sam Gleske edited a comment on Improvement JENKINS-27134
-1 vote

This proposal is not good for how my team works.  We don't want "one person or group of people" to approve all parts of the pipeline.  There's a whole approval process at my place of work (like Dev deployer, QA teams deploying, and an entire separate permission for production deployments).  The current behavior is good enough.  I don't see any advantage as to why you'd want this to be a specific permission unless you plan on creating a multi-permission structure for each individual input step (which to me sounds like overkill compared to the current behavior).

sam.mxracer@gmail.com (JIRA)

unread,
Oct 5, 2016, 3:34:02 PM10/5/16
to jenkinsc...@googlegroups.com
Sam Gleske edited a comment on Improvement JENKINS-27134
-1 vote

This proposal is not good for how my team works.  We don't want " one person or a group of people " to approve all parts of the pipeline.  There's a whole approval process at my place of work (like Dev deployer, QA teams deploying, and an entire separate permission for production deployments).  The current behavior is good enough.  I don't see any advantage as to why you'd want this to be a specific permission unless you plan on creating a multi-permission structure for each individual input step (which to me sounds like overkill compared to the current behavior).

sam.mxracer@gmail.com (JIRA)

unread,
Oct 5, 2016, 3:37:02 PM10/5/16
to jenkinsc...@googlegroups.com
Sam Gleske edited a comment on Improvement JENKINS-27134
-1 vote

This proposal is not good for how my team works.  We don't want one person or a group of people to approve all parts of the pipeline.  There's a whole approval process at my place of work (like Dev deployer, QA teams deploying, and an entire separate permission for production deployments).  The current behavior is good enough.  I don't see any advantage as to why you'd want this to be a specific permission unless you plan on creating a multi-permission structure for each individual input step (which to me sounds like overkill compared to the current behavior).


My team does not use RBAC in Jenkins Enterprise.  How would this affect other authorization strategies?

jglick@cloudbees.com (JIRA)

unread,
Oct 7, 2016, 12:35:02 PM10/7/16
to jenkinsc...@googlegroups.com

I don't see any advantage as to why you'd want this to be a specific permission

Nor is that currently being proposed. The proposal is simply to extend the permitted values of “submitter” to include not just user IDs and external (e.g., LDAP) groups, but also “Jenkins-local” groups defined by any authorization strategy implementing a new SPI.

The current behavior is good enough.

Great, then you need not worry.

jglick@cloudbees.com (JIRA)

unread,
Oct 7, 2016, 12:37:07 PM10/7/16
to jenkinsc...@googlegroups.com

actually defining it in core would prevent uptake from plugins

stephenconnolly proposes some mechanism TBD whereby the API could be defined in core for the long term, with a copy in some plugin permitting it to be used in the near term without a new core dependency. This has been done in the past for certain other APIs, though it can be tricky depending on the case.

jeanpierrefouche@gmail.com (JIRA)

unread,
Apr 22, 2020, 8:22:03 AM4/22/20
to jenkinsc...@googlegroups.com

Please would you be able to address the issue with RBAC stated in the description?

i.e. 

"Currently the input step allows you to specify a submitter, which may be a user ID or an external group ("granted authority"). This does not work well with authorization strategies, especially those that allow you to group together users inside Jenkins, such as (but not limited to) nectar-rbac in Jenkins Enterprise by CloudBees."

I find that the 'submitter' attribute does not work on the input step.  We are using Keycloak role-based AuthorizationStrategy.  (Our code has not changed, but we recently changed from a matrix based authorisation strategy to Keycloak).

 

 
This message was sent by Atlassian Jira (v7.13.12#713012-sha1:6e07c38)
Atlassian logo

jeanpierrefouche@gmail.com (JIRA)

unread,
Apr 22, 2020, 8:31:06 AM4/22/20
to jenkinsc...@googlegroups.com
Jean-Pierre Fouche edited a comment on Improvement JENKINS-27134
Please would you be able to address the issue with RBAC stated in the description?

i.e. 
{code:java}
"Currently the input step allows you to specify a submitter, which may be a user ID or an external group ("granted authority"). This does not work well with authorization strategies, especially those that allow you to group together users inside Jenkins, such as (but not limited to) nectar-rbac in Jenkins Enterprise by CloudBees."{code}
I find that the 'submitter' attribute does not work on the input step.  We are using Keycloak role-based AuthorizationStrategy.  (Our code for the input step has not changed, but we recently changed Jenkins setup from a matrix based authorisation strategy to Keycloak).

 

 

jeanpierrefouche@gmail.com (JIRA)

unread,
Apr 22, 2020, 8:35:04 AM4/22/20
to jenkinsc...@googlegroups.com
Jean-Pierre Fouche edited a comment on Improvement JENKINS-27134
Please would you be able to address the issue with RBAC stated in the description?

i.e. 
{code:java}
"Currently the input step allows you to specify a submitter, which may be a user ID or an external group ("granted authority"). This does not work well with authorization strategies, especially those that allow you to group together users inside Jenkins, such as (but not limited to) nectar-rbac in Jenkins Enterprise by CloudBees."{code}
I find that the 'submitter' attribute does not work on the input step.  We are using Keycloak role-based AuthorizationStrategy.  (Our code for the input step has not changed, but we recently changed Jenkins setup from a matrix based authorisation strategy to Keycloak).

 
Code below.   Expected result is that if there is a *user* in  Keycloak, it should verify that the logged in user matches.  Similarly, if there is a *group* in Keycloak, the logged in user should be a member of the specified group.
{code:java}
isApproved = input(
        id: 'applyPlan',
        message: 'Approve?',
        submitter: 'someuser', // <== 'does not query Keycloak; ignores this
         parameters: [choice(
                choices: ['No', 'Yes'],
                description: config.description,
                name: config.name)]
) == 'Yes'
{code}
 

 

jeanpierrefouche@gmail.com (JIRA)

unread,
Apr 22, 2020, 8:36:06 AM4/22/20
to jenkinsc...@googlegroups.com
Jean-Pierre Fouche edited a comment on Improvement JENKINS-27134
Please would you be able to address the issue with RBAC stated in the description?

i.e. 
{code:java}
"Currently the input step allows you to specify a submitter, which may be a user ID or an external group ("granted authority"). This does not work well with authorization strategies, especially those that allow you to group together users inside Jenkins, such as (but not limited to) nectar-rbac in Jenkins Enterprise by CloudBees."{code}
I find that the 'submitter' attribute does not work on the input step.  We are using Keycloak role-based AuthorizationStrategy.  (Our code for the input step has not changed, but we recently changed Jenkins setup from a matrix based authorisation strategy to Keycloak).

 

Code below.  Expected result is that if there is a *user* in  Keycloak, it should verify that the logged in user matches.  Similarly, if there is a *group* in Keycloak, the logged in user should be a member of the specified group.
{code:java}
isApproved = input(
        id: ' applyPlan someId ',

        message: 'Approve?',
        submitter: 'someuser', // <== 'does not query Keycloak; ignores this
         parameters: [choice(
                choices: ['No', 'Yes'],
                description: 'some description',
                name: 'some name')]
) == 'Yes'
{code}
 

 

jeanpierrefouche@gmail.com (JIRA)

unread,
Apr 22, 2020, 8:36:06 AM4/22/20
to jenkinsc...@googlegroups.com
Jean-Pierre Fouche edited a comment on Improvement JENKINS-27134
Please would you be able to address the issue with RBAC stated in the description?

i.e. 
{code:java}
"Currently the input step allows you to specify a submitter, which may be a user ID or an external group ("granted authority"). This does not work well with authorization strategies, especially those that allow you to group together users inside Jenkins, such as (but not limited to) nectar-rbac in Jenkins Enterprise by CloudBees."{code}
I find that the 'submitter' attribute does not work on the input step.  We are using Keycloak role-based AuthorizationStrategy.  (Our code for the input step has not changed, but we recently changed Jenkins setup from a matrix based authorisation strategy to Keycloak).

 

Code below.  Expected result is that if there is a *user* in  Keycloak, it should verify that the logged in user matches.  Similarly, if there is a *group* in Keycloak, the logged in user should be a member of the specified group.
{code:java}
isApproved = input(
        id: 'applyPlan',

        message: 'Approve?',
        submitter: 'someuser', // <== 'does not query Keycloak; ignores this
         parameters: [choice(
                choices: ['No', 'Yes'],
                description: config. 'some description ' ,
                name: config. 'some name ' )]
) == 'Yes'
{code}
 

 

jeanpierrefouche@gmail.com (JIRA)

unread,
Apr 22, 2020, 8:42:03 AM4/22/20
to jenkinsc...@googlegroups.com
Jean-Pierre Fouche edited a comment on Improvement JENKINS-27134
Please would you be able to address the issue with RBAC stated in the description?

i.e. 
{code:java}
"Currently the input step allows you to specify a submitter, which may be a user ID or an external group ("granted authority"). This does not work well with authorization strategies, especially those that allow you to group together users inside Jenkins, such as (but not limited to) nectar-rbac in Jenkins Enterprise by CloudBees."{code}
I find that the 'submitter' attribute does not work on the input step.  We are using Keycloak role-based AuthorizationStrategy.  (Our code for the input step has not changed, but we recently changed Jenkins setup from a matrix based authorisation strategy to Keycloak).

 

Code below.  Expected result is that if there is a * user * in  Keycloak, it should verify that the logged in user matches.  Similarly, if there is a * group * in Keycloak, the logged in user should be a member of the specified group.

{code:java}
isApproved = input(
        id: 'someId',

        message: 'Approve?',
        submitter: 'someuser', // <== 'does not query Keycloak; ignores this
         parameters: [choice(
                choices: ['No', 'Yes'],
                description: 'some description',
                name: 'some name')]
) == 'Yes'
{code}
 

 
Reply all
Reply to author
Forward
0 new messages