[Matrix-auth & Folders] How to properly restrict a user to get access only to a job in a (sub)folder


[Matrix-auth & Folders] How to properly restrict a user to get access only to a job in a (sub)folder

geoffroy.jabouley
Hello

I'm a bit struggling with one use case I have; maybe someone could share their experience on such a scenario.

Jobs structure:
  • FolderA
    • SubFolderA
      • jobA1
      • jobA2
    • SubFolderB
      • jobB1

Use cases:
  1. user1 has read access to all jobs
  2. user2 has only read access to jobA2

By default, authorizations are inherited from parent ACL. It is very handy to avoid redefining all authorizations for each item level.
However, I am not able to find a way to keep this inherited behavior while granting some authorizations at a lower (job) level.
  • If I configure user1's authorization at FolderA level, then with inheritance it will have access to everything
  • If I configure user2's authorization at jobA2 level, then it cannot access jobA2 because upper-level authorizations are not defined (i.e. user2 does not have access to FolderA & SubFolderA)
Is there a way to address those 2 scenarios while still relying on inheritance to ease authorization definitions? If not, does it mean I have to redefine all authorizations at each level (i.e. no parent ACL inheritance) to achieve that?

What about an implicit "Folder PassThrough" authorization that would be automatically granted to all parent items when authorizing a user to access a lower-level item?
In that case, if I configure user2's authorization at jobA2 level, then it could "PassThrough" FolderA and SubFolderA and eventually get access to jobA2 in the UI.

Not sure if it is clear, anyway any help will be appreciated ;)
BR

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/01c02b93-c245-4aa6-853f-789211add017%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
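The two scenarios in the question can be worked through with a small model of how a project-based authorization matrix is resolved through nested folders. This is an added example written for this thread, not the Matrix Authorization Strategy plugin's own code. The three inheritance strategies in it mirror the per-item options I know from matrix-auth 2.x ("Inherit permissions", "Inherit globally defined permissions only", "Do not inherit permissions"); the strategy names, the tree and the grant tables are constructed here, so check the option names against the installed plugin version. Overall/Read and Overall/Administer are left out of the model.

```python
"""Model of permission resolution through nested folders for the thread's
use case.  Added example, not the matrix-auth plugin's code; strategy names
are assumed from matrix-auth 2.x and the tree/grants are constructed."""

INHERIT_PARENT = "inherit-parent"   # own grants, then parent folder, ... then global
INHERIT_GLOBAL = "inherit-global"   # own grants, then the global matrix only
NO_INHERIT = "none"                 # own grants only

READ = "Item/Read"

# Constructed item tree for the thread's scenario: full name -> parent full name
TREE = {
    "FolderA": None,
    "FolderA/SubFolderA": "FolderA",
    "FolderA/SubFolderA/jobA1": "FolderA/SubFolderA",
    "FolderA/SubFolderA/jobA2": "FolderA/SubFolderA",
    "FolderA/SubFolderB": "FolderA",
    "FolderA/SubFolderB/jobB1": "FolderA/SubFolderB",
}
JOBS = [name for name in TREE if "/job" in name]


def has_permission(config, item, user, perm):
    """Resolve `perm` for `user` on `item`.

    `config` has the shape
        {"global": {perm: {users}},
         "items": {full_name: {"strategy": ..., "grants": {perm: {users}}}}}
    Items without an entry use the default strategy and carry no grants.
    """
    def granted(grants):
        return user in grants.get(perm, set())

    node = item
    while node is not None:
        entry = config["items"].get(node, {})
        if granted(entry.get("grants", {})):
            return True
        strategy = entry.get("strategy", INHERIT_PARENT)
        if strategy == NO_INHERIT:
            return False            # stop here; the global matrix is not consulted
        if strategy == INHERIT_GLOBAL:
            break                   # skip the folder chain, fall through to global
        node = TREE[node]
    return granted(config["global"])


def ancestors(item):
    """Folders that must be traversed to reach `item`, outermost first."""
    chain = []
    node = TREE[item]
    while node is not None:
        chain.append(node)
        node = TREE[node]
    return list(reversed(chain))


def visible_jobs(config, user):
    """Jobs the user can open in the UI: Item/Read on the job and on every ancestor."""
    return sorted(
        job for job in JOBS
        if has_permission(config, job, user, READ)
        and all(has_permission(config, folder, user, READ) for folder in ancestors(job))
    )


# The poster's first attempt: user1 globally, user2 on the job only.
NAIVE = {
    "global": {READ: {"user1"}},
    "items": {
        "FolderA/SubFolderA/jobA2": {"grants": {READ: {"user2"}}},
    },
}

# A configuration that keeps inheritance for the common case and fences off
# the siblings that must not pick up user2's folder-level read.
PROPOSED = {
    "global": {READ: {"user1"}},                 # user1 reads everything
    "items": {
        "FolderA": {"grants": {READ: {"user2"}}},             # lets user2 traverse
        "FolderA/SubFolderA": {"grants": {READ: {"user2"}}},  # lets user2 traverse
        "FolderA/SubFolderA/jobA1": {"strategy": INHERIT_GLOBAL},
        "FolderA/SubFolderB": {"strategy": INHERIT_GLOBAL},
        # jobA2 needs no entry: it inherits user2 from SubFolderA and user1 globally
    },
}

if __name__ == "__main__":
    for label, cfg in (("naive", NAIVE), ("proposed", PROPOSED)):
        for user in ("user1", "user2"):
            print(f"{label:8} {user}: {visible_jobs(cfg, user)}")
```

In the naive configuration user2 does hold Item/Read on jobA2 but cannot reach it, because the folder pages on the way are not readable; that is exactly the symptom described in the second bullet. The proposed configuration grants user2 read on the two folders it must traverse and switches the siblings (jobA1, SubFolderB) to global-only inheritance so they do not pick up that grant. The trade-off to keep in mind is that any item created later under FolderA or SubFolderA will inherit user2's read unless it is also given a restricted strategy, so the folder-level grant should be reviewed whenever new items are added.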

Re: [Matrix-auth & Folders] How to properly restrict a user to get access only to a job in a (sub)folder

geoffroy.jabouley
Hello
Any suggestion to move forward on this topic?
Thanks in advance

On Thursday, 20 December 2018 18:13:18 UTC+1, [hidden email] wrote:

Re: [Matrix-auth & Folders] How to properly restrict a user to get access only to a job in a (sub)folder

Brian Ray
I'm guessing you use the Role Strategy plugin (https://plugins.jenkins.io/role-strategy). We use it with the Active Directory plugin (https://plugins.jenkins.io/active-directory) for authentication. To make a long story short I don't think there's a way, at least with Role Strategy, to set up an ACL hierarchy. We have had to set up multiple roles (ACLs) on the folders and then on jobs.

The one labor-saving grace is that via AD groups we've been able to assign roles to groups instead of individual users. Sometimes we do give individual users special privileges and in that sense we get some small bit of hierarchical effect. But by virtue of user membership in AD groups, not via some relationship between the roles targeting folders and jobs.

If you come across a solution I'd be curious to learn of it.

Good luck.

On Wednesday, January 16, 2019 at 5:33:01 AM UTC-8, [hidden email] wrote:

Re: [Matrix-auth & Folders] How to properly restrict a user to get access only to a job in a (sub)folder

Brian Ray
My tired eyes. I just re-read the subject line mentioning Matrix Auth.

I do recommend "upgrading" from Matrix Auth to Role Strategy. That eliminated a lot of pain for us as we accumulated more folders, jobs, and users. And that could eliminate at least one bit of complexity in your use case. Though beware, you still need to create read-access roles for the folders and separate roles for the jobs inside the folders.

The advantage is twofold though: 1) You tailor ACLs to roles instead of individual users. 2) The pattern-matching nature of the roles can give you the ability to apply the role to multiple folders and jobs.

On Sunday, March 24, 2019 at 9:05:25 AM UTC-7, Brian Ray wrote:
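Brian's two points about Role Strategy, that item roles are matched by pattern and that folder read roles and job roles still have to be created separately, can be checked against the same tree with a small model. This is an added example, not the Role Strategy plugin's code. To my knowledge the plugin matches an item role's regular expression against the item's full name as a whole-string match (Java `Pattern.matches`), which Python's `re.fullmatch` reproduces for the simple patterns used here; the role names, patterns and user assignments are constructed for illustration.

```python
"""Model of item-role resolution for the folder tree in this thread.
Added example, not the Role Strategy plugin's code; whole-name regex
matching is assumed, and all roles, patterns and users are constructed."""

import re

READ = "Item/Read"

# Constructed full names of every item in the thread's tree
ITEMS = [
    "FolderA",
    "FolderA/SubFolderA",
    "FolderA/SubFolderA/jobA1",
    "FolderA/SubFolderA/jobA2",
    "FolderA/SubFolderB",
    "FolderA/SubFolderB/jobB1",
]

# Item roles: role name -> (pattern over the item's full name, permissions)
ROLES = {
    "everything-reader": (r".*", {READ}),
    # anchored to the two folders on the path to jobA2, and nothing below them
    "path-to-jobA2-reader": (r"FolderA(/SubFolderA)?", {READ}),
    "jobA2-reader": (r"FolderA/SubFolderA/jobA2", {READ}),
    # looks like a folder pattern but matches every descendant as well
    "folderA-anything-reader": (r"FolderA.*", {READ}),
}

# Role assignments: user -> item roles (in practice these would be AD groups)
ASSIGNMENTS = {
    "user1": {"everything-reader"},
    "user2": {"path-to-jobA2-reader", "jobA2-reader"},
    "user3": {"folderA-anything-reader"},
}


def items_matching(pattern):
    """Items whose full name the role pattern matches as a whole."""
    return [item for item in ITEMS if re.fullmatch(pattern, item)]


def has_read(user, item):
    """True if any item role assigned to the user grants Item/Read on `item`."""
    for role in ASSIGNMENTS.get(user, set()):
        pattern, perms = ROLES[role]
        if READ in perms and re.fullmatch(pattern, item):
            return True
    return False


def ancestors(item):
    """Enclosing folders of `item`, outermost first, derived from its full name."""
    parts = item.split("/")
    return ["/".join(parts[:i]) for i in range(1, len(parts))]


def reachable_jobs(user):
    """Jobs the user can open: read on the job and on every enclosing folder."""
    return sorted(
        item for item in ITEMS
        if "/job" in item
        and has_read(user, item)
        and all(has_read(user, folder) for folder in ancestors(item))
    )


if __name__ == "__main__":
    for user in ASSIGNMENTS:
        print(f"{user}: {reachable_jobs(user)}")
```

user2 reaches only jobA2 because the folder role is anchored to exactly the two folder names on the path and the job role names the job in full; neither role says anything about jobA1 or SubFolderB, so they stay hidden. user3 shows the opposite failure: `FolderA.*` reads like a folder role but matches every descendant, which is the over-grant to watch for when writing these patterns. The plugin's patterns are Java regular expressions, so anything beyond the plain anchors and groups used here should be tested in the plugin itself rather than in Python.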