Hi,
I’m Ikedam, a maintainer of authorize-project-plugin.
https://plugins.jenkins.io/authorize-project
Authorize-project-plugin doesn’t support features of modern Jenkins, such as
pipelines, multibranch and JCaC.
Making things worse, authorize-project-plugin is the only implementation for
QueueItemAuthenticator as far as I know.
Authorize-project-plugin is originally designed for legacy Jenkins, that is,
expected to use with freestyle projects and matrix projects, and expected to
configured with web browsers. And I believe it’s fundamentally incompatible
with modern Jenkins.
It might be possible to extend or redesign this plugin and to have it
applicable to modern Jenkins, but I’m afraid that it’s not reasonable as it
mainly costs not for new features, but rather for preserving backward
compatibilities.
What I want to do here are:
* Request a new plugin implementing QueueItemAuthenticator, supporting modern
Jenkins and which will replace and deprecate authorize-project-plugin.
* Unfortunately I won’t join that development. Sorry.
* Ask depelopers whether QueueItemAuthenticator is what we actually want, or
there can be alternate ways to control permissions of builds:
* I originally developed authorize-project-plugin for copyartifact-plugin
to control the permission to copy artifacts from other builds. But I believe
it’s easier to control that permission with CopyArtifactPermissionProperty,
which defines jobs allowed to access to artifacts.
* I believe users want to define permissions not bound to actual specific
users such as those in LDAP, or Active Directory. But Jenkins doesn’t provide
mechanisms for authentications not bound to specific users, like sevice
accounts in Google Cloud Platform.
* I expect QueueItemAuthenticator can be replaced with other permission
mechanisms not bound to specific users, like permissions between jobs
(generalizing CopyArtifactPermissionProperty) or permissions for credentials
from jobs (folder-scoped credentials might meet that).
* I don’t know actual usecases of QueueItemAuthenticatorcan and there might
be usecases that cannot be replaced with other mechanisms.
Regards,
Ikedam
--
You received this message because you are subscribed to the Google Groups
"Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/jenkinsci-dev/d0bed924-83ec-4c5e-9ce4-04a03363fd27%40googlegroups.com.
