How does GoCD manage user access?


Giancarlo Garcia

Nov 26, 2014, 2:25:48 PM
to go...@googlegroups.com
I've set up GoCD to launch with LDAP configured and a few predefined admin users and the allowOnlyKnownUsersToLogin attribute set to True. For a fresh launch, cruise-config.xml will look like this:

<cruise xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="cruise-config.xsd" schemaVersion="74">
  <server artifactsdir="artifacts" commandRepositoryLocation="default" serverId="server-id">
    <security allowOnlyKnownUsersToLogin="true">
      <ldap uri="ldap-uri" searchFilter="ldap-search-filter">
        <bases>
          <base value="ldap-base" />
        </bases>
      </ldap>
      <roles>
        <role name="go-admin">
          <users>
            <user>user1</user>
            <user>user2</user>
          </users>
        </role>
      </roles>
      <admins>
        <role>go-admin</role>
        <user>user1</user>
        <user>user2</user>
      </admins>
    </security>
  </server>
</cruise>

When I go to the home page and try to log in with LDAP credentials (say, for user1 or user2), I get the following message: Please ask the administrator to add you to Go Help Topic: Authentication

Is there a separate managed list of users that I need to modify?

Thanks!

Aravind SV

Nov 26, 2014, 2:47:21 PM
to Giancarlo Garcia, go...@googlegroups.com
Yes. If you choose not to let Go automatically add users (as you have), you can add them explicitly. See the documentation here.


Giancarlo Garcia

Nov 26, 2014, 3:10:08 PM
to Aravind SV, go...@googlegroups.com

My question has to do with how I can populate the user list through the backend (without using the GUI). For example, is there a config file I can modify to populate the user list? I tried adding users and roles in the cruise-config.xml file, but this didn't work.

srinivas upadhya

Nov 26, 2014, 11:04:31 PM
to Giancarlo Garcia, Aravind SV, go...@googlegroups.com
Sadly, no.

While all the configuration data is in the config XML, the user's configuration, like the list of users, enabled/disabled | admin/non-admin | name | email | aliases | notification settings etc., is in the database. The only user-related information in the config is permissions.

This is partly for performance reasons i.e. if it was in config it would be large & read-write would be slow etc.

We are thinking of making APIs available for each of the actions so you can build something on top of it & not use Go's UI. There is a delete API available.

Do you think we can do something more?

Giancarlo Garcia

Nov 29, 2014, 10:33:01 AM
to go...@googlegroups.com, gian...@knewton.com, arv...@thoughtworks.com
Having a list of pre-approved names that can be referenced by Go when someone signs in with LDAP credentials would be good. Based on the list, Go could decide whether to allow someone access (on the list) or block out (off the list).

Carl Reid

Dec 12, 2014, 9:42:40 AM
to go...@googlegroups.com, gian...@knewton.com, arv...@thoughtworks.com
Whilst it is not possible to pre-approve users who can use GO, it is possible to pre-populate the roles that they will be added to when they do log in.

We set up GO to allow anyone in our LDAP server to log in to GO; however, since their role is pre-assigned, they cannot do anything they should not be allowed to do.

You set up the roles in the config.xml as such:

<security>
  <roles>
    <role name="Technical_Architects">
      <users>
        <user>fred.bloggs</user>
        <user>jim.smith</user>
      </users>
    </role>
  </roles>
</security>
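
Added example, not part of the thread or of GoCD's own code: the thread establishes that roles and admin permissions are the user-related data kept in the config XML, so a short Python audit can report the effective admins from that file alone. The function name and the sample config are constructed for illustration; the element and attribute names are the ones in the snippets posted above.

```python
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the cruise-config.xml snippets in this thread.
SAMPLE_CONFIG = """\
<cruise schemaVersion="74">
  <server artifactsdir="artifacts">
    <security allowOnlyKnownUsersToLogin="true">
      <roles>
        <role name="go-admin">
          <users><user>user1</user><user>user2</user></users>
        </role>
        <role name="Technical_Architects"><users><user>fred.bloggs</user></users></role>
      </roles>
      <admins>
        <role>go-admin</role>
        <role>release-managers</role>
        <user>user3</user>
      </admins>
    </security>
  </server>
</cruise>
"""


def audit_security(config_xml):
    """Summarise who holds admin rights according to the config XML alone."""
    security = ET.fromstring(config_xml).find("./server/security")
    if security is None:
        raise ValueError("no <security> element found in the config")
    roles = {
        role.get("name"): sorted(u.text.strip() for u in role.iterfind("./users/user") if u.text)
        for role in security.iterfind("./roles/role")
    }
    admin_roles = [r.text.strip() for r in security.iterfind("./admins/role") if r.text]
    direct = {u.text.strip() for u in security.iterfind("./admins/user") if u.text}
    via_role = {user for name in admin_roles for user in roles.get(name, [])}
    return {
        # Assumption: a missing attribute is treated as "false" by this script.
        "known_users_only": security.get("allowOnlyKnownUsersToLogin", "false").lower() == "true",
        "roles": roles,
        "effective_admins": sorted(direct | via_role),
        # Admin entries naming a role that <roles> does not define; worth reviewing.
        "undefined_admin_roles": sorted(set(admin_roles) - set(roles)),
    }


if __name__ == "__main__":
    for key, value in audit_security(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

The report covers only what the config file holds; per the thread, the user list itself and each user's enabled/disabled state are in the database and are not visible to this check.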