Project-based authorization strategy: permitting users to configure specific jobs


Project-based authorization strategy: permitting users to configure specific jobs

J0991

I am trying to set up a project-based matrix authorization strategy for our Jenkins instance. The current security realm is Jenkins' own user database. I want to have two tiers of users; Global Administrators as well as Project Level Users.

Because you must grant a user the overall global read permission in order to view any jobs, in the ACL matrix for each project I have checked the option to ‘Block inheritance of global authorization matrix’ in order to prevent users from viewing jobs which they have not explicitly been assigned a read permission on the project level. This seems to work great for limiting what jobs users are able to see.

Some of these users I want to assign the permissions necessary to configure jobs. As ‘Block inheritance of global authorization matrix’ is checked for each project, I have assigned the configure permission in the global ACL matrix as well as on the project level.

Global Level ACL Matrix

Project Level ACL Matrix

When I attempt to configure the project as the user assigned the configure permission for jobs on the global as well as project level, I receive an error that the user does not have the necessary permissions to configure the project:

What may be going on here? From what I understand this is the intended use of the project-based matrix authorization strategy. Am I misunderstanding how this authorization strategy is used? Thanks in advance for any guidance!

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/BY2PR12MB0599A4AD61BACCB5E8115D6B89AD0%40BY2PR12MB0599.namprd12.prod.outlook.com.
For more options, visit https://groups.google.com/d/optout.

Re: Project-based authorization strategy: permitting users to configure specific jobs

Daniel Beck

> On 14. Jul 2017, at 17:04, Jason LeMauk <[hidden email]> wrote:
>
> Because you must grant a user the overall global read permission in order to view any jobs, in the ACL matrix for each project I have checked the option to ‘Block inheritance of global authorization matrix’ in order to prevent users from viewing jobs which they have not explicitly been assigned a read permission on the project level. This seems to work great for limiting what jobs users are able to see.

Not an answer to your question, but note that Overall/Read is separate from Job/Read; to achieve the same behavior you just need Overall/Read globally, then grant Job/Read per job you wish to grant access to.

IOW, remove Job/Read globally, and you won't need 'block inheritance'.

Which approach is superior depends on which is the more common case.
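The two layouts compared in this reply, as an added example that is not part of the original thread and is not Jenkins code: a simplified Python model of the Job/Read check, showing that both layouts give the same visibility and differ only in what happens to a job nobody has configured yet. The user names, job names and helper functions are hypothetical, and the model assumes a new job starts with an empty matrix and inheritance left on.

```python
# Simplified model of the project-based matrix check (added example, not Jenkins code).
# User names, job names and helpers are hypothetical.

def can_read_job(global_acl, job, user):
    """A job-level grant always counts; a global grant counts only if the job inherits."""
    if "Job/Read" in job["grants"].get(user, set()):
        return True
    if job["block_inheritance"]:
        return False
    return "Job/Read" in global_acl.get(user, set())

def visible_jobs(global_acl, jobs, user):
    """Names of jobs the user can see; Overall/Read is required to see anything."""
    if "Overall/Read" not in global_acl.get(user, set()):
        return []
    return sorted(n for n, j in jobs.items() if can_read_job(global_acl, j, user))

def job(readers, block_inheritance):
    """Build a job entry whose matrix grants Job/Read to the listed users."""
    return {"grants": {u: {"Job/Read"} for u in readers},
            "block_inheritance": block_inheritance}

USERS = ["alice", "bob"]
ASSIGNMENTS = {"billing-build": ["alice"], "web-deploy": ["bob"]}  # constructed sample

# Layout A (original post): Job/Read granted globally, every job blocks inheritance.
GLOBAL_A = {u: {"Overall/Read", "Job/Read"} for u in USERS}
JOBS_A = {name: job(readers, True) for name, readers in ASSIGNMENTS.items()}

# Layout B (this reply): only Overall/Read globally, jobs inherit, Job/Read per job.
GLOBAL_B = {u: {"Overall/Read"} for u in USERS}
JOBS_B = {name: job(readers, False) for name, readers in ASSIGNMENTS.items()}

def visibility(global_acl, jobs):
    """Map each sample user to the jobs visible to them."""
    return {u: visible_jobs(global_acl, jobs, u) for u in USERS}

def with_new_default_job(jobs):
    """Assumption: a new job has no matrix entries and still inherits the global matrix."""
    return {**jobs, "new-job": job([], False)}

if __name__ == "__main__":
    print("A:", visibility(GLOBAL_A, JOBS_A))
    print("B:", visibility(GLOBAL_B, JOBS_B))
    print("A + new job:", visibility(GLOBAL_A, with_new_default_job(JOBS_A)))
    print("B + new job:", visibility(GLOBAL_B, with_new_default_job(JOBS_B)))
```

In layout A an unconfigured job is visible to everyone holding global Job/Read until inheritance is blocked on it; in layout B it stays hidden until someone is granted Job/Read on it.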


Re: Project-based authorization strategy: permitting users to configure specific jobs

Artur Szostak
In reply to this post by J0991
I think you will be better off looking at using: https://wiki.jenkins.io/display/JENKINS/Role+Strategy+Plugin
It provides the more fine-grained level of control you need as soon as you are talking about multiple tiers of users.
I will be moving to using the role based strategy for this very reason on our next upgrade.

Cheers

Artur