Which bit were you unclear about? Point 1? Point 1 is a request-based authorisation, nothing is allowed to use it by default, jobs request to use it and then an authorised person allows it.

On Wed, 12 Feb 2020 at 23:36, Chris Kilding <[email protected]> wrote:

> Point 2 (credentials scoped to a single build) could be relevant - if
> we’re adding a credentials concept to a general ACL, a user should be able
> to apply any kind of restriction that their ACL permits to the credentials
> objects. (Not just folder restrictions.)
>
> I’m a bit unclear about what you meant though - could you clarify, maybe
> with an example?
>
> Chris
>
> On 12 Feb 2020, at 18:01, Tim Jacomb <[email protected]> wrote:
>
> Not directly related, possibly even to this JEP,
>
> But wanted to add a couple of features I’ve seen in other systems,
>
> 1. Require authorisation, before allowed to use, I.e build is run and
>    fails because the credential isn’t authorised for that job but then an
>    administrator can authorise it and it will be allowed to use it on the
>    next run,
> 2. Credentials scoped to a single build
>
> Thanks
> Tim
>
> On Wed, 12 Feb 2020 at 17:50, Chris Kilding <[email protected]> wrote:
>
>> The first thing to figure out is what role-based access control solutions
>> are already out there for Jenkins, so we can then decide how best to fit
>> this functionality in.
>>
>> I have encountered the following solutions which seem relevant, but I
>> know very little about them:
>>
>> - Cloudbees RBAC plugin (commercial)
>> - Role Strategy Plugin
>> - Jenkins permissions system
>>
>> Would someone who knows these components well be able to provide more
>> details, and thoughts on how we might add concepts of folders and
>> credentials to them, so that credential access constraints could be
>> formulated as standard rules?
>>
>> Chris
>>
>> > On 12 Feb 2020, at 16:29, Chris Kilding <[email protected]> wrote:
>> >
>> > Hello,
>> >
>> > This is the discussion thread for JEP-225: Folder-based access control
>> > for any credentials provider.
>> >
>> > A brief summary...
>> >
>> > The Cloudbees Folders Plugin has the ability to restrict access to
>> > credentials on a per-folder basis. Unfortunately this feature is only
>> > available for credentials stored in the Folders plugin's internal provider.
>> > This JEP will extend that concept, and allow users to specify folder-based
>> > access restrictions for any credential, from any provider. (For example,
>> > the AWS Secrets Manager and Kubernetes providers.)
>> >
>> > This JEP is relevant in 2 notable cases:
>> >
>> > - Dev / Production environment isolation. (Ensure that only jobs in the
>> >   production environment can access production credentials, and vice versa.)
>> > - Per-team isolation on a multi-tenant Jenkins. (Ensure that only a
>> >   given team or teams can access their credentials.)
>> >
>> > You can follow the pull request at
>> > https://github.com/jenkinsci/jep/pull/266.
>> >
>> > Chris
>> >
>> > --
>> > You received this message because you are subscribed to the Google
>> > Groups "Jenkins Developers" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an email to [email protected].
>> > To view this discussion on the web visit
>> > https://groups.google.com/d/msgid/jenkinsci-dev/9567dfcf-b057-4616-8682-2eccf7b127b0%40www.fastmail.com
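
An added example, not part of the thread and not Jenkins or plugin code: a small stand-alone model of the access rules discussed above, combining the JEP's folder restriction with the request-based authorisation (Point 1) and single-build scope (Point 2). All names here are hypothetical, and treating the folder restriction as a hard limit that cannot be requested around is an assumption of this sketch.

```python
from dataclasses import dataclass, field

class AccessDenied(Exception):
    """Raised when a build may not use a credential."""

@dataclass
class Credential:
    cred_id: str
    allowed_folders: tuple                             # folder restriction, as in the JEP summary
    approved_jobs: set = field(default_factory=set)    # standing approvals (Point 1)
    approved_builds: set = field(default_factory=set)  # (job, build) pairs (Point 2)
    pending: set = field(default_factory=set)          # jobs awaiting a decision

def in_folder(job: str, folder: str) -> bool:
    # Compare whole path segments so folder "prod" does not match "prod-old/x".
    return job.startswith(folder.rstrip("/") + "/")

def use(cred: Credential, job: str, build: int) -> str:
    """Return the credential id if this build may use it, else raise AccessDenied."""
    if not any(in_folder(job, f) for f in cred.allowed_folders):
        raise AccessDenied(f"{job}: outside allowed folders")  # not requestable
    if job in cred.approved_jobs or (job, build) in cred.approved_builds:
        return cred.cred_id
    cred.pending.add(job)  # default deny: the failed run becomes the request
    raise AccessDenied(f"{job}: awaiting authorisation")

def approve(cred, job, approver, admins, build=None):
    """An authorised person grants a pending request, optionally for one build only."""
    if approver not in admins:
        raise PermissionError(f"{approver} may not authorise credentials")
    if job not in cred.pending:
        raise ValueError(f"no pending request from {job}")
    cred.pending.discard(job)
    if build is None:
        cred.approved_jobs.add(job)
    else:
        cred.approved_builds.add((job, build))

def attempt(cred, job, build):
    """Run use() and report the outcome as a string instead of raising."""
    try:
        return use(cred, job, build)
    except AccessDenied as exc:
        return f"denied ({exc})"

if __name__ == "__main__":
    cred = Credential("prod-deploy-key", allowed_folders=("prod",))  # constructed sample
    print(attempt(cred, "dev/deploy", 1))    # wrong folder, no request recorded
    print(attempt(cred, "prod/deploy", 1))   # denied, request recorded
    approve(cred, "prod/deploy", "alice", admins={"alice"})
    print(attempt(cred, "prod/deploy", 2))   # allowed on the next run
```

Passing build=N to approve() gives the single-build variant: the grant covers that one build number and the following build is denied and queued again.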
