[Matrix-auth & Folders] How to properly restrict a user to get access only to a job in a (sub)folder

17 views
Skip to first unread message

geoffroy...@gmail.com

unread,
Dec 20, 2018, 12:13:18 PM12/20/18
to Jenkins Users
Hello

i'm a bit struggling for one use case i have, maybe someone could share its experience on such scenario.

Jobs structure:
  • FolderA
    • SubFolderA
      • jobA1
      • jobA2
    • SubFolderB
      • jobB1

Use caseq:
  1. user1 has read access to all jobs
  2. user2 has only read access to jobA2

By default, authorizations are inherited from parent ACL. It is very handy to avoid redefining all authorizations for each item level.
However, i am not able to find a way to keep this inherited behavior while granting some authorizations at lower (job) level.
  • If i configure user1 authorization at FolderA level, then with inheritance it will have access to everything
  • If i configure user2 authorization at jobA2 level, then it cannot access jobA2 because upper-level authorizations are not defined (ie. user2 does not have access to FolderA & SubFolderA)
Is there a way to address those 2 scenarios while still relying on inheritance to ease authorization definitions? If not, does it means i have to redefine at each level all authorizations (ie. no parent ACL inheritance) to achieve that?

What about an implicit "Folder PassThrough" authorization that would be automatically granted to all parents items when authorizing a user to access a lower-level item?
In that case, if i configure user2 authorization at jobA2 level, then it could "PassThrough" FolderA and SubFolderA and eventually get access to jobA2 on the UI.

Not sure if it is clear, anyway any help will be appreciated ;)
BR

geoffroy...@gmail.com

unread,
Jan 16, 2019, 8:33:01 AM1/16/19
to Jenkins Users
Hello
any suggestion to move forward on this topic?
Thanks in advance

Brian Ray

unread,
Mar 24, 2019, 12:05:25 PM3/24/19
to Jenkins Users
I'm guessing you use the Role Strategy plugin. We use it with the Active Directory plugin for authentication. To make a long story short I don't think there's a way, at least with Role Strategy, to set up an ACL hierarchy. We have had to set up multiple roles (ACLs) on the folders and then on jobs.

The one labor-saving grace is that via AD groups we've been able to assign roles to groups instead of individual users. Sometimes we do give individual users special privileges and in that sense we get some small bit of hierarchical effect. But by virtue of user membership in AD groups, not via some relationship between the the roles targeting folders and jobs.

If you come across a solution I'd be curious to learn of it.

Good luck.

Brian Ray

unread,
Mar 24, 2019, 12:13:26 PM3/24/19
to Jenkins Users
My tired eyes. I just re-read the subject line mentioning Matrix Auth.

I do recommend "upgrading" from Matrix Auth to Role Strategy. That eliminated a lot of pain for us we accumulated more folders, jobs, and users. And that could eliminate at least one bit of complexity in your use case. Though beware, you still need to create read-access roles to the folders and separate roles to the jobs inside the folders.

The advantage is twofold though: 1) You tailor ACLs to roles instead of individual users. 2) The pattern-matching nature of the roles can give you the ability to apply the role to multiple folders and jobs.
Reply all
Reply to author
Forward
0 new messages