I was unclear on point 2. Is this a way to…
- scope a credential to an individual job or jobs?
- scope a credential to an individual build or builds?
- provide ephemeral credentials that are created at the start of a build, exist 
during the lifetime of the build, and are scrapped at the end?

Ephemeral credentials would be harder, as we would have to reconcile the 
long-lived nature of credentials (and the extra constraints of remote 
credential providers) with the short-lived nature of builds.

Chris

> On 13 Feb 2020, at 06:40, Tim Jacomb <[email protected]> wrote:
> 
> Which bit were you unclear about?
> Point 1?
> 
> Point 1 is a request based authorisation, nothing is allowed to use it by 
> default, jobs request to use it and then an authorised person allows it
> 
> On Wed, 12 Feb 2020 at 23:36, Chris Kilding <[email protected] 
> <mailto:chris%[email protected]>> wrote:
> Point 2 (credentials scoped to a single build) could be relevant - if we’re 
> adding a credentials concept to a general ACL, a user should be able to apply 
> any kind of restriction that their ACL permits to the credentials objects. 
> (Not just folder restrictions.)
> 
> I’m a bit unclear about what you meant though - could you clarify, maybe with 
> an example?
> 
> Chris
> 
>> On 12 Feb 2020, at 18:01, Tim Jacomb <[email protected] 
>> <mailto:[email protected]>> wrote:
>> 
>> Not directly related, possibly even to this JEP, 
>> 
>> But wanted to add a couple of features I’ve seen in other systems,
>> 
>> 1. Require authorisation, before allowed to use, i.e. build is run and fails 
>> because the credential isn’t authorised for that job but then an 
>> administrator can authorise it and it will be allowed to use it on the next 
>> run,
>> 2. Credentials scoped to a single build
>> 
>> Thanks
>> Tim
>> 
>> On Wed, 12 Feb 2020 at 17:50, Chris Kilding <[email protected] 
>> <mailto:chris%[email protected]>> wrote:
>> The first thing to figure out is what role-based access control solutions 
>> are already out there for Jenkins, so we can then decide how best to fit 
>> this functionality in.
>> 
>> I have encountered the following solutions which seem relevant, but I know 
>> very little about them:
>> 
>> - Cloudbees RBAC plugin (commercial)
>> - Role Strategy Plugin
>> - Jenkins permissions system
>> 
>> Would someone who knows these components well be able to provide more 
>> details, and thoughts on how we might add concepts of folders and 
>> credentials to them, so that credential access constraints could be 
>> formulated as standard rules?
>> 
>> Chris
>> 
>> > On 12 Feb 2020, at 16:29, Chris Kilding <[email protected] 
>> > <mailto:chris%[email protected]>> wrote:
>> > 
>> > Hello,
>> > 
>> > This is the discussion thread for JEP-225: Folder-based access control for 
>> > any credentials provider.
>> > 
>> > A brief summary...
>> > 
>> > The Cloudbees Folders Plugin has the ability to restrict access to 
>> > credentials on a per-folder basis. Unfortunately this feature is only 
>> > available for credentials stored in the Folders plugin's internal 
>> > provider. This JEP will extend that concept, and allow users to specify 
>> > folder-based access restrictions for any credential, from any provider.  
>> > (For example, the AWS Secrets Manager and Kubernetes providers.)
>> > 
>> > This JEP is relevant in 2 notable cases:
>> > 
>> > - Dev / Production environment isolation. (Ensure that only jobs in the 
>> > production environment can access production credentials, and vice versa.)
>> > - Per-team isolation on a multi-tenant Jenkins. (Ensure that only a given 
>> > team or teams can access their credentials.)
>> > 
>> > You can follow the pull request at 
>> > https://github.com/jenkinsci/jep/pull/266 
>> > <https://github.com/jenkinsci/jep/pull/266>.
>> > 
>> > Chris
>> > 
>> > -- 
>> > You received this message because you are subscribed to the Google Groups 
>> > "Jenkins Developers" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an 
>> > email to [email protected] 
>> > <mailto:jenkinsci-dev%[email protected]>.
>> > To view this discussion on the web visit 
>> > https://groups.google.com/d/msgid/jenkinsci-dev/9567dfcf-b057-4616-8682-2eccf7b127b0%40www.fastmail.com
>> >  
>> > <https://groups.google.com/d/msgid/jenkinsci-dev/9567dfcf-b057-4616-8682-2eccf7b127b0%40www.fastmail.com>.
>> 
>> 
> 
> 
> 

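A worked model of the two ideas discussed in this thread, the JEP's folder-based restriction on a credential and Tim's point 1 (request-based authorisation that fails the first run until an administrator approves it), added here as an illustration. It is not Jenkins code or the JEP's implementation; the credential ids and folder paths are constructed sample values.

```python
from __future__ import annotations
from dataclasses import dataclass, field


def _segments(path: str) -> tuple[str, ...]:
    # Compare whole path segments, not string prefixes, so an allowed folder
    # "prod" does not accidentally match a job living in "production-test".
    return tuple(seg for seg in path.strip("/").split("/") if seg)


def folder_allows(allowed_folder: str, job_folder: str) -> bool:
    """True if job_folder is allowed_folder itself or one of its subfolders."""
    allowed, job = _segments(allowed_folder), _segments(job_folder)
    return job[:len(allowed)] == allowed


@dataclass
class CredentialPolicy:
    """Toy policy object, not a Jenkins API; all ids and paths are constructed."""
    credential_id: str
    allowed_folders: list[str]            # JEP-225: folders whose jobs may use it
    require_authorisation: bool = False   # Tim's point 1: deny until approved
    authorised_jobs: set[str] = field(default_factory=set)
    pending_requests: set[str] = field(default_factory=set)

    def check(self, job_path: str) -> tuple[bool, str]:
        """Decide whether the job may use the credential; an in-scope job that is
        not yet authorised is recorded so an administrator can approve it."""
        job_folder = job_path.rsplit("/", 1)[0] if "/" in job_path else ""
        if not any(folder_allows(f, job_folder) for f in self.allowed_folders):
            return False, "denied: job folder outside credential scope"
        if self.require_authorisation and job_path not in self.authorised_jobs:
            self.pending_requests.add(job_path)
            return False, "denied: awaiting administrator authorisation"
        return True, "allowed"

    def authorise(self, job_path: str) -> None:
        """Administrator approves a pending request for exactly this job."""
        self.pending_requests.discard(job_path)
        self.authorised_jobs.add(job_path)


def demo() -> list[tuple[str, bool]]:
    """Dev/prod isolation from the JEP summary: a prod-only credential with approval."""
    policy = CredentialPolicy("aws-prod-deploy", ["prod"], require_authorisation=True)
    jobs = ("dev/build", "production-test/build", "prod/deploy")
    first_run = [(job, policy.check(job)[0]) for job in jobs]
    policy.authorise("prod/deploy")   # admin approves the request left by the failed run
    return first_run + [("prod/deploy again", policy.check("prod/deploy")[0])]
```

The segment-wise comparison in `folder_allows` is the check to keep when adapting this: a plain string-prefix match would let a folder named `production-test` read credentials scoped to `prod`.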