jenkins advanced user right
58 views
Skip to first unread message
iostrym
Nov 30, 2015, 4:48:57 AM11/30/15
to Jenkins Users
Hello,
Is it possible to give right for some users to create and configure their job without being able to modify some jobs.
Typically, have one job area for one project and another job area for another project. And use from one project that can't modify job for the other project.
Is this possible ?
Stephen Connolly
Nov 30, 2015, 5:04:34 AM11/30/15
to jenkins...@googlegroups.com
Yes. You need to use an authorization strategy that allows permissions to differ per item, e.g.
* Project matrix
* Role strategy
* CloudBees RBAC (proprietary)
--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-use...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/c843b0cd-778b-4960-aafe-1371b7686c62%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
iostrym
Nov 30, 2015, 5:36:44 AM11/30/15
to Jenkins Users
Thanks,
Are you saying that I use to install a specific plug-in to do that ? it is not nativelly inside Jenkins ?
is there a more widely user plugin beyong all these ?
Best regards,
Indra Gunawan (ingunawa)
Nov 30, 2015, 9:57:08 PM11/30/15
to jenkins...@googlegroups.com
Use Cloudbee Folder, and Role based Plugin. Define specific role based on the regex of each of name of folder for projects/jobs. One category of jobs each in a separate folder.
--
iostrym
Dec 1, 2015, 5:01:09 AM12/1/15
to Jenkins Users, ingu...@cisco.com
Thanks.
role based plugin don't work without cloudbee folder ? I had a quick look at role based plugin but hte problem is that all existing right for each user (around 30) will be lost with this plugin. It seems that we will have to redo all right for each user. right ?
I also discover that at job creation it is possible to "protect" the job and add right for specific user but it is quite fastiduous if there are several user to give access.
In the same subject, what about "slave protection" ? If I add a slave, is it possible to be sure that a job from another group of user (another project) won't use that slave ? I don't find any slave protection. Even if the slave is not configured to be used "as much as possible", it seems to be still possible for a user to select my slave for his job. (and execute a rm * -rf on my machine...)
Best regards,
Stephen Connolly
Dec 1, 2015, 5:06:00 AM12/1/15
to jenkins...@googlegroups.com, ingu...@cisco.com
On 1 December 2015 at 10:01, iostrym <arman...@gmail.com> wrote:
Thanks.role based plugin don't work without cloudbee folder ? I had a quick look at role based plugin but hte problem is that all existing right for each user (around 30) will be lost with this plugin. It seems that we will have to redo all right for each user. right ?I also discover that at job creation it is possible to "protect" the job and add right for specific user but it is quite fastiduous if there are several user to give access.
Ahem...
[Puts on CloudBees Employee Hat]
Really sounds like you are looking for some of the enterprise features in CloudBees Jenkins Enterprise:
* CloudBees RBAC plugin supports importing your current Matrix or Project Matrix security settings so you can migrate to an fully RBAC model piecewise
* CloudBees RBAC plugin allows for creation of local groups that make per-project role assignment easier
* CloudBees RBAC plugin allows delegation of RBAC management for specific items to a subset of users
* CloudBees Folders plus allows restriction of some slaves to jobs within specific folders
* etc
[Removes CloudBees Employee Hat]
--In the same subject, what about "slave protection" ? If I add a slave, is it possible to be sure that a job from another group of user (another project) won't use that slave ? I don't find any slave protection. Even if the slave is not configured to be used "as much as possible", it seems to be still possible for a user to select my slave for his job. (and execute a rm * -rf on my machine...)Best regards,
Le mardi 1 décembre 2015 03:57:08 UTC+1, Indra Gunawan (ingunawa) a écrit :Use Cloudbee Folder, and Role based Plugin. Define specific role based on the regex of each of name of folder for projects/jobs. One category of jobs each in a separate folder.
From: <jenkins...@googlegroups.com> on behalf of iostrym <arman...@gmail.com>
Reply-To: "jenkins...@googlegroups.com" <jenkins...@googlegroups.com>
Date: Monday, November 30, 2015 at 1:48 AM
To: "jenkins...@googlegroups.com" <jenkins...@googlegroups.com>
Subject: jenkins advanced user right
Hello,--
Is it possible to give right for some users to create and configure their job without being able to modify some jobs.
Typically, have one job area for one project and another job area for another project. And use from one project that can't modify job for the other project.
Is this possible ?
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-use...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/c843b0cd-778b-4960-aafe-1371b7686c62%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-use...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/5eeb1923-d6cc-4a36-b93a-7ff47c119f95%40googlegroups.com.
iostrym
Dec 1, 2015, 6:57:59 AM12/1/15
to Jenkins Users, ingu...@cisco.com
thanks a lot. but it will be difficult for us to buy such a plugin.
anyone else know if there is a free plug in to lock some slave for some users or one user ?
Indra Gunawan (ingunawa)
Dec 11, 2015, 1:00:19 PM12/11/15
to iostrym, Jenkins Users
You can look up this plugin : https://wiki.jenkins-ci.org/display/JENKINS/Job+Restrictions+Plugin to restrict execution on a node/slave. It adds restriction in the node’s
configuration page.
Please let me know because I am interested in it too.
In my earlier comment, I meant one can use free Cloudbee folder and free Role Strategy to define who can access what jobs. The Jobs belonging to team A need to be in a Folder “A”, team B puts their jobs in Folder “B”.
Then, user can define Project Role for folder “A” with regex and assign only user-ids in Team A this role.
The Anonymous and authenticated role are stripped of any permission to read any of the job.
Sadly with Role Strategy assigning role to AD group does not work I think. So individual user-id in LDAP need to be added the role “A” or role “B”.
All of these are possible using ClouldBee RBAC plugin.
Please correct me if I am wrong, Stephen?
Thanks.
-Indra
Stephen Connolly
Dec 11, 2015, 1:36:31 PM12/11/15
to jenkins...@googlegroups.com
All that is easy with the CloudBees RBAC plugin, but given that I wrote it originally I would say that wouldn't I ;-)
--
Sent from my phone
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/D2904B5B.3DC29%25ingunawa%40cisco.com.
For more options, visit https://groups.google.com/d/optout.
--
Sent from my phone
Reply all
Reply to author
Forward
0 new messages