Configure user access rights on Jenkins

This post continues from “how to allow users to authenticate using their GitHub credentials”. Note that it is not a prerequisite: users can log in through other mechanisms (Jenkins credentials, LDAP, …). See the Jenkins documentation for more information on that part.

For this section, I would recommend setting up the Role-based Authorization Strategy Plugin. This plugin lets you define “roles”, assign rights to roles, and assign users to roles.
Follow the plugin instructions to install it into your Jenkins app.

Possible access rights restriction

Go to your Jenkins app > Configure Global Security > section “Authorization” and review the possible options.

The list of options should be as follows:

Anyone can do anything

This is not recommended, for obvious security reasons.

Logged-in users can do anything

This means that any user who is logged in has full Jenkins access.
If you have OAuth integration with GitHub, any collaborator you add on GitHub would also have full Jenkins access.

While that may be well suited to small teams, it is not recommended for bigger teams; prefer a user-based, role-based or project-based authorization matrix instead.

Note: Make sure to leave “Allow anonymous read access” un-ticked, for obvious security reasons (anyone could download entire private repos through that behavior).

Matrix-based security

This approach allows a great deal of granularity in access rights and is a great way to configure the system.

One limitation of this approach, though, is that it needs to be defined for each individual user. The preferable approach for a bigger team is to use the Role-Based Strategy.

Project-based Matrix Authorization strategy

The same comments apply as for Matrix-based security, to which it is very close.

Role-Based Strategy

Note: if this option is not available to you, make sure you have correctly set up the “Role Strategy Plugin” for Jenkins.

Once the above option is selected, the next step is to define roles.
Follow this great tutorial on how to set it up: https://www.thegeekstuff.com/2017/03/jenkins-users-groups-roles/
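
To check which of the options reviewed above an existing instance is actually using, the selected strategy can be read from the `authorizationStrategy` element of `$JENKINS_HOME/config.xml`. The script below is an added example, not part of the original post or of Jenkins itself; the function name `audit_authorization` and the sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Class names Jenkins writes to $JENKINS_HOME/config.xml for each option.
STRATEGIES = {
    "hudson.security.AuthorizationStrategy$Unsecured": "Anyone can do anything",
    "hudson.security.FullControlOnceLoggedInAuthorizationStrategy":
        "Logged-in users can do anything",
    "hudson.security.GlobalMatrixAuthorizationStrategy": "Matrix-based security",
    "hudson.security.ProjectMatrixAuthorizationStrategy":
        "Project-based Matrix Authorization Strategy",
    "com.michelin.cio.hudson.plugins.rolestrategy.RoleBasedAuthorizationStrategy":
        "Role-Based Strategy",
}

def audit_authorization(config_xml):
    """Return (option name, list of findings) for a config.xml string."""
    node = ET.fromstring(config_xml).find("authorizationStrategy")
    if node is None:
        return ("none", ["no authorizationStrategy element found"])
    cls = node.get("class", "")
    findings = []
    if cls.endswith("$Unsecured"):
        findings.append("anyone, including anonymous users, has full control")
    elif cls.endswith("FullControlOnceLoggedInAuthorizationStrategy"):
        findings.append("every logged-in user has full control")
        # An absent or 'false' element means anonymous read is allowed.
        if (node.findtext("denyAnonymousReadAccess") or "").strip() != "true":
            findings.append("anonymous read access is allowed")
    elif "MatrixAuthorizationStrategy" in cls:
        # Entries look like 'hudson.model.Hudson.Read:anonymous'; newer
        # plugin versions prefix them with 'USER:' or 'GROUP:'.
        for perm in node.iter("permission"):
            parts = (perm.text or "").strip().split(":")
            if len(parts) >= 2 and parts[-1] == "anonymous":
                findings.append("anonymous is granted " + parts[-2])
    return (STRATEGIES.get(cls, "unknown: " + cls), findings)

# Constructed sample, not taken from a real instance.
SAMPLE = """<hudson>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
    <denyAnonymousReadAccess>false</denyAnonymousReadAccess>
  </authorizationStrategy>
</hudson>"""

if __name__ == "__main__":
    print(audit_authorization(SAMPLE))
```

An empty findings list only means none of these three checks fired; individual matrix or role assignments still need review in the UI.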

Conclusions

The Role-based Strategy plugin is definitely a great way to configure access rights in Jenkins, and it increases overall platform flexibility.
