Project-based authorization strategy: permitting users to configure specific jobs


Jason LeMauk

Jul 14, 2017, 11:05:05 AM
to jenkins...@googlegroups.com

I am trying to set up a project-based matrix authorization strategy for our Jenkins instance. The current security realm is Jenkins' own user database. I want to have two tiers of users: Global Administrators as well as Project Level Users.

Because you must grant a user the overall global read permission in order to view any jobs, in the ACL matrix for each project I have checked the option to ‘Block inheritance of global authorization matrix’ in order to prevent users from viewing jobs which they have not explicitly been assigned a read permission on the project level. This seems to work great for limiting what jobs users are able to see.

I want to assign some of these users the permissions necessary to configure jobs. As ‘Block inheritance of global authorization matrix’ is checked for each project, I have assigned the configure permission in the global ACL matrix as well as on the project level.

[Screenshot: Global Level ACL Matrix]

[Screenshot: Project Level ACL Matrix]

When I attempt to configure the project as the user assigned the configure permission for jobs on the global as well as project level, I receive an error that the user does not have the necessary permissions to configure the project:

What may be going on here? From what I understand this is the intended use of the project-based matrix authorization strategy. Am I misunderstanding how this authorization strategy is used? Thanks in advance for any guidance!

Daniel Beck

Jul 17, 2017, 1:15:02 PM
to jenkins...@googlegroups.com

> On 14. Jul 2017, at 17:04, Jason LeMauk <jason....@csquaredsystems.com> wrote:
>
> Because you must grant a user the overall global read permission in order to view any jobs, in the ACL matrix for each project I have checked the option to ‘Block inheritance of global authorization matrix’ in order to prevent users from viewing jobs which they have not explicitly been assigned a read permission on the project level. This seems to work great for limiting what jobs users are able to see.

Not an answer to your question, but note that Overall/Read is separate from Job/Read; to achieve the same behavior you just need Overall/Read globally, then grant Job/Read per job you wish to grant access to.

IOW, remove Job/Read globally, and you won't need 'block inheritance'.

Which approach is superior depends on which is the more common case.
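Daniel's distinction between Overall/Read and Job/Read, as an added Python model that is not part of this thread or of the Jenkins matrix-auth plugin; the user name alice, the job names and the simplified evaluation rules (Overall/Read gates all access, Overall/Administer always wins, blocked inheritance ignores every global grant except Administer) are assumptions made for the illustration.

```python
# Added example, not from the thread: a model of how Jenkins' project-based
# matrix strategy combines the global matrix with a job's own matrix (assumed
# semantics: Overall/Read gates everything, Overall/Administer always wins,
# "Block inheritance" makes a job ignore all global grants except Administer).
from dataclasses import dataclass, field

OVERALL_READ, OVERALL_ADMINISTER = "Overall/Read", "Overall/Administer"
JOB_READ, JOB_CONFIGURE = "Job/Read", "Job/Configure"

@dataclass
class Job:
    name: str
    grants: dict = field(default_factory=dict)  # sid -> set of permissions
    block_inheritance: bool = False

def has_permission(global_grants, job, sid, perm):
    if OVERALL_ADMINISTER in global_grants.get(sid, ()):
        return True   # admins are never locked out, even with inheritance blocked
    if OVERALL_READ not in global_grants.get(sid, ()):
        return False  # without Overall/Read nothing on the instance is reachable
    if perm in job.grants.get(sid, ()):
        return True   # explicit grant on the job itself
    if job.block_inheritance:
        return False  # the job ignores the global matrix entirely
    return perm in global_grants.get(sid, ())

def visible_jobs(global_grants, jobs, sid):
    return sorted(j.name for j in jobs if has_permission(global_grants, j, sid, JOB_READ))

# Setup A (the original post): Job/Read granted globally, so every job must
# block inheritance to stay hidden from users not listed on it.
GLOBAL_A = {"alice": {OVERALL_READ, JOB_READ, JOB_CONFIGURE}}
JOBS_A = [Job("app-build", {"alice": {JOB_READ, JOB_CONFIGURE}}, block_inheritance=True),
          Job("infra-deploy", block_inheritance=True)]

# Setup B (Daniel's suggestion): only Overall/Read globally; Job/Read and
# Job/Configure granted per job, with no inheritance blocking needed.
GLOBAL_B = {"alice": {OVERALL_READ}}
JOBS_B = [Job("app-build", {"alice": {JOB_READ, JOB_CONFIGURE}}), Job("infra-deploy")]

def summary(global_grants, jobs, sid):
    """(jobs the user can see, jobs the user can configure)."""
    return (visible_jobs(global_grants, jobs, sid),
            sorted(j.name for j in jobs if has_permission(global_grants, j, sid, JOB_CONFIGURE)))

if __name__ == "__main__":
    print("A:", summary(GLOBAL_A, JOBS_A, "alice"))  # (['app-build'], ['app-build'])
    print("B:", summary(GLOBAL_B, JOBS_B, "alice"))  # (['app-build'], ['app-build'])
```

Both setups give alice the same view, but setup B reaches it with one global grant and no per-job inheritance flag to forget on the next job.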

Artur Szostak

Jul 20, 2017, 6:59:16 AM
to jenkins...@googlegroups.com
I think you will be better off looking at using: https://wiki.jenkins.io/display/JENKINS/Role+Strategy+Plugin
It provides the more fine-grained level of control you need as soon as you are talking about multiple tiers of users.
I will be moving to using the role based strategy for this very reason on our next upgrade.

Cheers

Artur