Can access to “Configure Global Security” be restricted while allowing other admin access?


Nick Howard

Dec 13, 2019, 9:37:41 AM12/13/19
to Jenkins Users
Right now I'm the only developer at the company I work for and I have unrestricted access to Jenkins, but we need to tighten down permissions. Is there a way to set up a new user that would be able to maintain the users and user permissions? That user would then remove my ability to make changes in the "Configure Global Security" screen. But I still need other admin ability, like adding plugins or configuring the system.

I suppose I shouldn't be able to edit the project-based security settings in the job either, but I'm almost certain that isn't possible.

Right now we're using Project-based Matrix Authorization Strategy, if that matters.

Is that possible? From what I've tested I don't think it is, but I haven't done a ton with Jenkins.

Thanks,
Nick

James Nord

Dec 13, 2019, 11:43:25 AM12/13/19
to Jenkins Users
Hi Nick,

It's not currently possible with Jenkins. (But even if you could, the users can still do anything, including changing security permissions, by running a script in the console or uploading a plugin.)

Part of what you are asking will be addressed by https://github.com/jenkinsci/jep/pull/249 / https://github.com/jenkinsci/jenkins/pull/4374 (and a likely follow-up to allow installation of plugins without CONFIG or ADMINISTER).

The second part, "adding plugins", is always dangerous. Given that an installed plugin has unlimited access inside Jenkins (and we allow anyone to host a plugin on request), if you do not lock down your update center then those users would again be able to run arbitrary code by installing an evil plugin that they maintain. Thus, even if a new permission existed, you would also need to have a curated UpdateCenter to only allow those users the ability to install plugins (and versions) that you have deemed safe/secure, if you want a desired system.

Finally, with regards to editing security of Jobs, I am not sure about Project-based Matrix Authorization Strategy or the other open source alternatives (but I would guess there is a way). If not, I know CloudBees Core can provide this last piece of the puzzle (disclaimer: as you can tell from my email, I work for CloudBees).

Regards

/James

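The escalation argument in James's reply, as an added example that is not part of the thread: an audit over a constructed matrix-auth style grant list that reports who can effectively rewrite global security. "Overall/Manage" and "Plugin/Install" here are hypothetical stand-ins for the permissions the linked PRs discuss, and the escalation rules (script console or uncurated plugin install equals arbitrary code equals Administer) are a modelling assumption, not a Jenkins API.

```python
from typing import Dict, List, Set

# Constructed grants in the "Permission:sid" shape used by matrix-auth
# Configuration-as-Code exports (sid is a user or group name).
GRANTS = [
    "Overall/Administer:secadmin",
    "Overall/Read:authenticated",
    "Overall/Manage:nick",    # hypothetical: configure the system, not security
    "Plugin/Install:nick",    # hypothetical: install plugins without Administer
    "Job/Configure:nick",
    "Job/Read:authenticated",
]

# Assumption for the model: these paths let a user run arbitrary code on the
# controller, which is equivalent to holding Overall/Administer.
SCRIPT_CONSOLE = "Overall/RunScripts"
PLUGIN_INSTALL = "Plugin/Install"


def parse_grants(grants: List[str]) -> Dict[str, Set[str]]:
    """Group 'Permission:sid' strings into {sid: {permissions}}."""
    by_sid: Dict[str, Set[str]] = {}
    for entry in grants:
        perm, sep, sid = entry.rpartition(":")
        if not sep or not perm or not sid:
            raise ValueError(f"malformed grant: {entry!r}")
        by_sid.setdefault(sid, set()).add(perm)
    return by_sid


def can_change_global_security(perms: Set[str], curated_update_center: bool) -> bool:
    """True if the holder can rewrite security directly or by escalation."""
    if "Overall/Administer" in perms or SCRIPT_CONSOLE in perms:
        return True
    # Plugin install only escalates when the update center is not curated.
    return PLUGIN_INSTALL in perms and not curated_update_center


def audit(grants: List[str], curated_update_center: bool = False) -> List[str]:
    """Sorted sids that can effectively change 'Configure Global Security'."""
    by_sid = parse_grants(grants)
    return sorted(sid for sid, perms in by_sid.items()
                  if can_change_global_security(perms, curated_update_center))


if __name__ == "__main__":
    print("uncurated update center:", audit(GRANTS))
    print("curated update center:  ", audit(GRANTS, curated_update_center=True))
```
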
Nick Howard

Dec 14, 2019, 10:23:01 AM12/14/19
to Jenkins Users
Hi James,

Thanks for the help, it is much appreciated. Based on what you've said and on what else I've read, I think we're probably going to move away from Jenkins for at least part of our CI/CD process. We have to have tighter control of permissions. I'll take a look at CloudBees Core, but in other jobs I've used Azure DevOps and I think we might go that route. Kind of hate to say that.

Thanks,
Nick