Scoping to a job

On Thu, 13 Feb 2020 at 11:23, Chris Kilding <[email protected]> wrote:

> I was unclear on point 2. Is this a way to…
>
> - scope a credential to an individual job or jobs?
> - scope a credential to an individual build or builds?
> - provide ephemeral credentials that are created at the start of a build, exist during the lifetime of the build, and are scrapped at the end?
>
> Ephemeral credentials would be harder, as we would have to reconcile the long-lived nature of credentials (and the extra constraints of remote credential providers) with the short-lived nature of builds.
>
> Chris
>
> On 13 Feb 2020, at 06:40, Tim Jacomb <[email protected]> wrote:
>
>> Which bit were you unclear about?
>> Point 1?
>>
>> Point 1 is a request-based authorisation: nothing is allowed to use it by default, jobs request to use it and then an authorised person allows it.
>>
>> On Wed, 12 Feb 2020 at 23:36, Chris Kilding <[email protected]> wrote:
>>
>>> Point 2 (credentials scoped to a single build) could be relevant - if we’re adding a credentials concept to a general ACL, a user should be able to apply any kind of restriction that their ACL permits to the credentials objects. (Not just folder restrictions.)
>>>
>>> I’m a bit unclear about what you meant though - could you clarify, maybe with an example?
>>>
>>> Chris
>>>
>>> On 12 Feb 2020, at 18:01, Tim Jacomb <[email protected]> wrote:
>>>
>>>> Not directly related, possibly even to this JEP,
>>>>
>>>> But wanted to add a couple of features I’ve seen in other systems,
>>>>
>>>> 1. Require authorisation before allowed to use, i.e. build is run and fails because the credential isn’t authorised for that job, but then an administrator can authorise it and it will be allowed to use it on the next run.
>>>> 2. Credentials scoped to a single build
>>>>
>>>> Thanks
>>>> Tim
>>>>
>>>> On Wed, 12 Feb 2020 at 17:50, Chris Kilding <[email protected]> wrote:
>>>>
>>>>> The first thing to figure out is what role-based access control solutions are already out there for Jenkins, so we can then decide how best to fit this functionality in.
>>>>>
>>>>> I have encountered the following solutions which seem relevant, but I know very little about them:
>>>>>
>>>>> - Cloudbees RBAC plugin (commercial)
>>>>> - Role Strategy Plugin
>>>>> - Jenkins permissions system
>>>>>
>>>>> Would someone who knows these components well be able to provide more details, and thoughts on how we might add concepts of folders and credentials to them, so that credential access constraints could be formulated as standard rules?
>>>>>
>>>>> Chris
>>>>>
>>>>> On 12 Feb 2020, at 16:29, Chris Kilding <[email protected]> wrote:
>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> This is the discussion thread for JEP-225: Folder-based access control for any credentials provider.
>>>>>>
>>>>>> A brief summary...
>>>>>>
>>>>>> The Cloudbees Folders Plugin has the ability to restrict access to credentials on a per-folder basis. Unfortunately this feature is only available for credentials stored in the Folders plugin's internal provider. This JEP will extend that concept, and allow users to specify folder-based access restrictions for any credential, from any provider. (For example, the AWS Secrets Manager and Kubernetes providers.)
>>>>>>
>>>>>> This JEP is relevant in 2 notable cases:
>>>>>>
>>>>>> - Dev / Production environment isolation. (Ensure that only jobs in the production environment can access production credentials, and vice versa.)
>>>>>> - Per-team isolation on a multi-tenant Jenkins. (Ensure that only a given team or teams can access their credentials.)
>>>>>>
>>>>>> You can follow the pull request at https://github.com/jenkinsci/jep/pull/266.
>>>>>>
>>>>>> Chris
>>>>>>
>>>>>> --
>>>>>> You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
>>>>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>>>>> To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/9567dfcf-b057-4616-8682-2eccf7b127b0%40www.fastmail.com.
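The two mechanisms the thread circles around (folder-scoped access for a credential from any provider, per JEP-225, and Tim's request-based authorisation, job-wide or per build) can be written down as one small access decision. The following is an added example, not code from the JEP, from the Jenkins credentials plugins, or from anyone on the thread; the `Credential` class, `can_use`, the `approvals` set, and the folder and job names are all assumptions made for illustration, and nothing here calls a Jenkins API. It runs offline on the constructed sample data.

```python
"""Folder-scoped, approval-gated credential access: a constructed model of the
ideas in the JEP-225 thread (not Jenkins code; all names are illustrative)."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Set, Tuple


@dataclass(frozen=True)
class Credential:
    id: str
    provider: str                         # informational only: the check is provider-agnostic
    allowed_folders: FrozenSet[str]       # folder full names ("production", "teams/a"); "" = root, i.e. everywhere
    require_authorisation: bool = False   # deny until an administrator approves a job or build


# An approval is (credential id, job full name, build number or None for the whole job).
Approval = Tuple[str, str, Optional[int]]


def _segments(path: str):
    return [s for s in path.split("/") if s]


def folder_of(job_full_name: str) -> str:
    """Folder part of a Jenkins-style full name: 'a/b/job' -> 'a/b', 'job' -> ''."""
    return "/".join(_segments(job_full_name)[:-1])


def is_within(job_full_name: str, folder: str) -> bool:
    """True if the job lives in `folder` or any sub-folder of it.

    Compares whole path segments, so 'production-legacy/deploy' is NOT within
    'production', and a root-level job named 'production' is not within a
    folder called 'production' either.
    """
    job = _segments(job_full_name)
    fol = _segments(folder)
    return len(job) > len(fol) and job[:len(fol)] == fol


def can_use(cred: Credential, job_full_name: str, build_number: Optional[int],
            approvals: Set[Approval]) -> Tuple[bool, str]:
    """Decide whether a build of `job_full_name` may use `cred`. Deny by default."""
    # Rule 1 (folder scope, JEP-225): the job must sit under one of the credential's folders.
    # Evaluated first so that an approval can never widen the folder scope.
    if not any(is_within(job_full_name, f) for f in cred.allowed_folders):
        return False, (f"{cred.id}: job {job_full_name!r} (folder {folder_of(job_full_name)!r}) "
                       f"is outside allowed folders {sorted(cred.allowed_folders)}")
    # Rule 2 (request-based authorisation): a gated credential needs an approval
    # for the whole job or for this specific build number.
    if cred.require_authorisation:
        job_wide = (cred.id, job_full_name, None) in approvals
        this_build = build_number is not None and (cred.id, job_full_name, build_number) in approvals
        if not (job_wide or this_build):
            return False, (f"{cred.id}: not authorised for {job_full_name!r} build {build_number}; "
                           "an administrator must approve it before the next run")
    return True, "allowed"


# Constructed sample data (hypothetical credential ids and folder layout).
PROD_DB = Credential("prod-db-password", "aws-secrets-manager", frozenset({"production"}))
TEAM_A_KEY = Credential("team-a-deploy-key", "kubernetes", frozenset({"teams/a"}))
PROD_DEPLOY = Credential("prod-deploy-token", "aws-secrets-manager",
                         frozenset({"production"}), require_authorisation=True)


def demo() -> dict:
    """Walk through the two JEP-225 use cases and the approval flow; returns the decisions."""
    approvals: Set[Approval] = set()
    out = {}
    # Dev / production isolation.
    out["prod job, prod cred"] = can_use(PROD_DB, "production/deploy", 1, approvals)[0]
    out["dev job, prod cred"] = can_use(PROD_DB, "dev/deploy", 1, approvals)[0]
    out["lookalike folder"] = can_use(PROD_DB, "production-legacy/deploy", 1, approvals)[0]
    # Per-team isolation on a multi-tenant instance.
    out["team a job"] = can_use(TEAM_A_KEY, "teams/a/ci", 1, approvals)[0]
    out["team ab job"] = can_use(TEAM_A_KEY, "teams/ab/ci", 1, approvals)[0]
    # Request-based authorisation: first run fails, admin approves build 42 only, then the job.
    out["gated, no approval"] = can_use(PROD_DEPLOY, "production/deploy", 42, approvals)[0]
    approvals.add(("prod-deploy-token", "production/deploy", 42))
    out["gated, build 42 approved"] = can_use(PROD_DEPLOY, "production/deploy", 42, approvals)[0]
    out["gated, build 43 not approved"] = can_use(PROD_DEPLOY, "production/deploy", 43, approvals)[0]
    approvals.add(("prod-deploy-token", "production/deploy", None))
    out["gated, job approved"] = can_use(PROD_DEPLOY, "production/deploy", 43, approvals)[0]
    return out


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:32} -> {'ALLOW' if allowed else 'DENY'}")
```

Three design choices matter more than the code itself. The decision is deny by default, so a credential with an empty folder set is usable by nobody. Folder containment is tested on whole path segments, not with a string prefix, otherwise a job under `production-legacy/` would satisfy a scope of `production`. And the folder rule is evaluated before the approval rule, so an administrator approving a job can never let a credential out of the folders it was scoped to; the `provider` field plays no part in the check, which is the point of applying the same scoping to AWS Secrets Manager, Kubernetes or any other provider.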
