Setting up the Role Based Access Control plugin

Before configuring the Role Based Access Control plugin, it is helpful to review the checklist in Table 8.1, “Pre-configuration checklist”

Table 8.1. Pre-configuration checklist

Check Done

Have you got a list of roles do you want to define?

It is usually best to start small, you can always add more later. If unsure a reasonable minimal set could be: Read-only; Developer; Manager; and Administrator. Additionally it is helpful to think about what you want those roles to be able to do.

Yes / No

Have you got a list of groups you want to define?

You will typically require at least one local group for each role you define. If some roles are only being assigned to specific users or groups of users on specific objects, then each of those assignments will require a group local to that object.

Yes / No

Have you configured and tested your security realm?

The first time you enable the Role Based Access Control plugin, it defaults to a configuration whereby logged-in users can do anything and users cannot access the system anonymously. If you have not tested that you can successfully log in to the system with the security realm you are using, enabling the Role Based Access Control plugin may result in everyone being completely locked out of the system. See the section called “Recovering from a lock-out” for details on how to restore access to the system in the event of a lock-out.

Yes / No

Does your security realm provide details of external groups?

If the security realm does not provide details of external groups then you (or somebody you delegate the permissions to) may have to manually maintain synchronization between the external group membership and any corresponding shadow local groups that you may define within Jenkins.

Yes / No

Is this the first time the Role Based Access Control plugin will be enabled?

The Role Based Access Control plugin remembers its configuration even when a different authorization strategy is configured, this allows easier experimentation with the plugin, but a side-effect is that you may have to remove the existing configuration if you want to start from a clean slate. See the section called “Completely resetting the configuration” for details on how to remove any existing configuration.

Yes / No

Are there specific objects which require different permissions?

If most of your jobs will have a permissive set of permissions, but a few jobs will have permissions restricted to specific users, then the typical design is to grant the permissive permissions at the root level, filter those permissions out on the few jobs that have restricted permissions, and define groups for the users who require permissions on the restricted jobs.

Yes / No


Tip

If you are still prototyping how the Role Based Access Control plugin can help you, it can be useful to defer setting up a proper security realm while you are testing Jenkins configuration. The Mock Security Realm plugin lets you simulate having multiple users, as well as various external groups that can be bound to local groups. It provides no actual security (everyone has a dummy password), so replace it with another security realm before going into production.

Enabling the authorization strategy

The Role Based Access Control authorization strategy is enabled from the main configure screen by selecting the Role-based matrix authorization strategy from the Authorization selections (that are displayed when the Enable Security checkbox is enabled) and then saving the configuration. See Figure 8.1, “Enabling the Role Based Access Control authorization strategy”

Note

The first time you enable the Role Based Access Control plugin, it defaults to a configuration whereby logged in users can do anything and users cannot access the system anonymously. If you have not tested that you can successfully log in to the system with the security realm you are using, enabling the Role Based Access Control plugin may result in everyone being completely locked out of the system. See the section called “Recovering from a lock-out” for details on how to restore access to the system in the event of a lock-out.

Alternately, you may select the option Typical initial setup when enabling this strategy. This option is only available when you are logged in, because it creates a group of “administrators” (with full permissions) of whom you are initially the sole member. For convenience, it also creates initially empty groups for “developers” and “browsers” with useful permission sets; later you might want to add some existing users to developers, or add the special labels anonymous or authenticated to browsers, etc.

Figure 8.1. Enabling the Role Based Access Control authorization strategy

configured

When the Role Based Access Control authorization strategy, Jenkins Changes is enabled there will be a number of changes to the Jenkins interface.

Figure 8.2. The main Jenkins screen with the additional icons for Groups and Roles

new icons

Figure 8.3. The Manage Roles action from the main Manage Jenkins screen

manage icon

Configuring and managing roles

Roles are configured and managed from the image Manage Roles screen accessed via the Manage Jenkins screen (See Figure 8.3, “The Manage Roles action from the main Manage Jenkins screen”). The first time the Role Based Access Control authorization strategy Plugins RBAC Authorization Strategy is enabled the Manage Roles screen should look something like Figure 8.4, “The Manage Roles screen after the Role Based Access Control authorization strategy Plugins RBAC Authorization Strategy has been initially enabled”. The screen consists of a table of check boxes with each row of the table corresponds to a role, and each column corresponding to a permission. By checking the boxes you can assign permissions to roles.

Figure 8.4. The Manage Roles screen after the Role Based Access Control authorization strategy Plugins RBAC Authorization Strategy has been initially enabled

manage roles initial

There are two types of roles:

  • image system role.
  • image user defined role.

System roles cannot be removed. There are two system roles:

  • image anonymous

    This role is automatically assigned to any user that is not logged in. If you do not want anonymous users to be able to access the system then do not assign any permissions to the anonymous role.

  • image authenticated

    This role is automatically assigned to any user that is logged in. If you want very fine grained control over user permissions you may end up removing all permissions from this role.

To define a new role you type the name of the role you want to define into the Role to add text box (Figure 8.5, “Adding a role called Administrator).

Figure 8.5. Adding a role called Administrator

manage roles add admin

Once you have typed the name in click the Add button. This will add a new row to the bottom of the table (Figure 8.6, “After clicking the Add button”).

Figure 8.6. After clicking the Add button

manage roles admin added

Once you have created the row for the new role, you can assign permissions for that role by clicking the appropriate check boxes.

Note

If you want to assign all permissions there is a image Check all button at the far right of the screen. There is also a image Clear all button to speed up clearing all the check boxes in a specific row. See Figure 8.7, “The three icons for: checking all the check boxes in a row; clearing all the check boxes in a row; and removing the role.” and Figure 8.8, “After clicking on the Check all icon for the Administrator role”

Tip

If you install the Extended Read Permission plugin you will see another permission: to be able to view, but not change, configuration of objects such as jobs. This can be useful for certain roles; for example, a developer role might be granted this permission so that developers can more easily debug build failures while still requiring a project administrator to make changes to the job setup.

Note

Sometimes one permission will automatically imply other permissions. For example, Overall/Administer usually implies every other permission (running Groovy scripts may be excluded). When you have checked the overarching permission but not other permissions it implies, these other permission checkboxes will be shown with a colored background to remind you that they are also implicitly part of the role.

Figure 8.7. The three icons for: checking all the check boxes in a row; clearing all the check boxes in a row; and removing the role.

manage roles check all

Figure 8.8. After clicking on the Check all icon for the Administrator role

manage roles admin configured

If you need to delete a role, there is a image remove button at the far right of the row for all of the user defined roles.

Normally roles are filterable: anyone with the Role/Filter permission on an object such as a folder is allowed to block that role from propagating into the object from its parent (such as Jenkins overall), possibly while allowing another group defined on the object to explicitly grant it. (See the section called “Configuring and managing role filters”.) For some roles it is undesirable to permit this: a Jenkins administrative role ought to be valid anywhere in the system, so that a project manager cannot accidentally block even site administrators from seeing an otherwise private project. (That situation could be considered a kind of lockout.) For such roles you should uncheck the Filterable checkbox to make sure the role applies globally.

Once you have defined all the roles you require, you can save that configuration by clicking on the Save button.

Warning

Care should be taken when removing the Overall Administer permission, from roles, as it is possible to lock yourself out of administrative access. There are some safeguards which will protect you from obvious ways of locking out administrative access, however, as you may legitimately want to remove your own administrative access, the safeguards can only protect the obvious issues. See the section called “Recovering from a lock-out” for details on how to restore access to the system in the event of a lock-out.

Configuring and managing groups

Groups can be defined at any point in Jenkins where the image groups action is available. The following classes of objects support group definitions out of the box:

  • Jenkins itself
  • Jobs
  • Maven modules in a Maven project
  • Slaves
  • Views
  • Folders

Note

Other objects added by plugins can support group definitions if the required support is built into the plugin itself, or is added by an additional plugin. However, in general, the objects need to have been designed to allow other plugins to contribute actions in order for the group definition support to be possible.

Where an object does not support group definitions, the groups are inherited from the object’s parent.

Tip

While you can define groups on a view, and in general manage which roles are available to whom on the view, such permissions do not apply to jobs which happen to be displayed in the view, since they might also be encountered in other views (such as All). Permissions granted on a view only affect operations on the view itself, such as changing its list of columns. To control access to a set of jobs in one place, you must move them into a folder.

Clicking on the image groups action will bring you to a screen similar to that shown in Figure 8.9, “The initial groups screen for the root of a Jenkins instance”

Figure 8.9. The initial groups screen for the root of a Jenkins instance

manage groups initial

You create a group using the image New Group action which will prompt for the group name as in Figure 8.10, “Creating a new group”. Groups can be renamed after they are created. Group names are case sensitive and whitespace is allowed (although it can be confusing). When a group is created with the same name as a group from the parent context, it will hide the group from the parent context, however the permissions granted to members of the group will not be removed.

Figure 8.10. Creating a new group

manage groups create

After the group has been created, depending on the effective permissions of the user creating the group, one of two screens will be displayed. Users with the Group Configure permission will be shown the Configuration screen (Figure 8.11, “Configuring a group”), otherwise the user will be taken straight to the group details screen (Figure 8.12, “Managing a group”). This differentiation is key to effectively allowing administrators to delegate some of the administrative responsibility.

Figure 8.11. Configuring a group

manage groups configure

The Configuration screen is the screen where roles are assigned to a group. By restricting access to this screen, an administrator can ensure that groups cannot be created with permissions greater than those intended by the administrator. The Group Manage permission can then be assigned to specific users in order to allow them to manage the membership of groups without risking them escalating their own permissions by the addition of extra roles to groups they belong to.

Where a role is granted to a group, the role can be granted in one of two modes. Be default the role is granted in the Propagates mode. This means that the role will be available in child contexts. By clearing the Propagates checkbox, you can create a pinned role ( image) that is only available on the specific object that the group is created on. Some examples where a pinned role can be useful would be:

  • A pinned group creation role at the root allows creating groups at the root while preventing creating groups on jobs.
  • A pinned role in a Maven Project job which allows building the job in order to prevent users from triggering builds of individual modules within the Maven Project job.
  • When using the Folders plugin, a pinned group creation role on a folder allows creating groups at the in the folder while preventing creating groups on sub-folders.

After the configuration has been saved, the user will be taken to the group details screen (Figure 8.12, “Managing a group”).

Figure 8.12. Managing a group

manage groups created

The image Add user/group action is used to add a member to the group. After clicking the action you will be prompted to enter the id of the user/group to add (Figure 8.13, “Adding a member to a group”).

Figure 8.13. Adding a member to a group

manage groups add ext group

The ID that you enter can be any of:

  • image A user id
  • image A group name from the current context
  • image A group name from any of the parent contexts
  • image An external group id from the security realm

You can add as many members as you like. Figure 8.14, “A group with multiple members: another group; an external group; and a user” shows a group containing three members, one of each type. Circular membership is permitted, i.e. a group can have as a member a group that it is a member of. When adding external groups the http:// Jenkins-URL /whoAmI page can be useful to figure out what the external group IDs actually are.

Figure 8.14. A group with multiple members: another group; an external group; and a user

manage groups add users groups

Members of a group can be removed by clicking on the member’s image remove icon. There is a two step confirmation for removing a member and you must confirm the removal by clicking on the image confirmation icon. (Figure 8.15, “Removing a member from a group requires two step confirmation”)

Figure 8.15. Removing a member from a group requires two step confirmation

manage groups remove member

Configuring and managing role filters

Role filters can be defined at any point in Jenkins where group definitions are supported and roles are inherited from a parent of that object. By default the following objects will support role filtering:

  • Jobs
  • Maven modules in a Maven project
  • Slaves
  • Views
  • Folders

Clicking on the image roles action will bring you to a screen similar to that shown in Figure 8.16, “The roles screen for a job within a Jenkins showing the roles, their permissions, and the groups that are assigned to each of the roles for this object and its children”.

Figure 8.16. The roles screen for a job within a Jenkins showing the roles, their permissions, and the groups that are assigned to each of the roles for this object and its children

view roles initial

If the object supports role filters then the image Filter action will be available from that screen. Clicking on the image Filter icon will bring you to a screen similar to that shown in Figure 8.17, “The role filter screen for a job within a Jenkins instance where two roles are being filtered out”

Figure 8.17. The role filter screen for a job within a Jenkins instance where two roles are being filtered out

filter roles

To filter a role, you just check the corresponding check-box. When a role is filtered, then the role is not available on that object to users unless there is a group defined within that object which the user is a member of and which has been assigned that role.

As mentioned in the section called “Configuring and managing roles”, administrators can mark certain important roles as being unfilterable. In such a case they will not appear in the Filter Roles page at all.