Point 2 (credentials scoped to a single build) could be relevant - if we’re adding a credentials concept to a general ACL, a user should be able to apply any kind of restriction that their ACL permits to the credentials objects. (Not just folder restrictions.)

I’m a bit unclear about what you meant though - could you clarify, maybe with an example?

Chris

> On 12 Feb 2020, at 18:01, Tim Jacomb <[email protected]> wrote:
>
> Not directly related, possibly even to this JEP,
>
> But wanted to add a couple of features I’ve seen in other systems,
>
> 1. Require authorisation, before allowed to use, i.e. build is run and fails because the credential isn’t authorised for that job but then an administrator can authorise it and it will be allowed to use it on the next run,
> 2. Credentials scoped to a single build
>
> Thanks
> Tim
>
>> On Wed, 12 Feb 2020 at 17:50, Chris Kilding <[email protected]> wrote:
>> The first thing to figure out is what role-based access control solutions are already out there for Jenkins, so we can then decide how best to fit this functionality in.
>>
>> I have encountered the following solutions which seem relevant, but I know very little about them:
>>
>> - Cloudbees RBAC plugin (commercial)
>> - Role Strategy Plugin
>> - Jenkins permissions system
>>
>> Would someone who knows these components well be able to provide more details, and thoughts on how we might add concepts of folders and credentials to them, so that credential access constraints could be formulated as standard rules?
>>
>> Chris
>>
>> > On 12 Feb 2020, at 16:29, Chris Kilding <[email protected]> wrote:
>> >
>> > Hello,
>> >
>> > This is the discussion thread for JEP-225: Folder-based access control for any credentials provider.
>> >
>> > A brief summary...
>> >
>> > The Cloudbees Folders Plugin has the ability to restrict access to credentials on a per-folder basis. Unfortunately this feature is only available for credentials stored in the Folders plugin's internal provider. This JEP will extend that concept, and allow users to specify folder-based access restrictions for any credential, from any provider. (For example, the AWS Secrets Manager and Kubernetes providers.)
>> >
>> > This JEP is relevant in 2 notable cases:
>> >
>> > - Dev / Production environment isolation. (Ensure that only jobs in the production environment can access production credentials, and vice versa.)
>> > - Per-team isolation on a multi-tenant Jenkins. (Ensure that only a given team or teams can access their credentials.)
>> >
>> > You can follow the pull request at https://github.com/jenkinsci/jep/pull/266.
>> >
>> > Chris
>> >
>> > --
>> > You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> > To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/9567dfcf-b057-4616-8682-2eccf7b127b0%40www.fastmail.com.
