Change By: Michael Rumpf (09/Jul/14 9:56 PM)

Description:

I'm currently trying to automate the role creation and assignment. As the plugin does not provide a REST API, the only chance was to execute a System Groovy Script via Jenkins' script console.
The ugly thing is that the Plugin API seems to be aimed at internal usage only. The Role constructors are package protected so that I was forced to use "setAccessible(true)" in order to make them accessible.
I also had to make the method "assignRole" accessible (see script below).

The following script shows how to create a role with some permissions and assigns the role to the sid:

{code}
import hudson.*
import hudson.security.*
import java.util.*
import com.michelin.cio.hudson.plugins.rolestrategy.*
import java.lang.reflect.*

def ldapGroupName = "@GROUP@"
def projectPrefix = "@PREFIX@"
def authStrategy = Hudson.instance.getAuthorizationStrategy()

if (authStrategy instanceof RoleBasedAuthorizationStrategy) {
  println "Role Strategy Plugin found!"
  RoleBasedAuthorizationStrategy roleAuthStrategy = (RoleBasedAuthorizationStrategy) authStrategy

  // Make constructors available
  // (getDeclaredConstructors() includes non-public constructors; getConstructors() returns only public ones)
  Constructor[] constrs = Role.class.getDeclaredConstructors();
  for (Constructor<?> c : constrs) {
    c.setAccessible(true);
  }

  // Make the method assignRole accessible
  Method assignRoleMethod = RoleBasedAuthorizationStrategy.class.getDeclaredMethod("assignRole", String.class, Role.class, String.class);
  assignRoleMethod.setAccessible(true);

  // Create role
  Set<Permission> permissions = new HashSet<Permission>();
  permissions.add(Permission.fromId("hudson.model.Item.Read"));
  permissions.add(Permission.fromId("hudson.model.Item.Build"));
  permissions.add(Permission.fromId("hudson.model.Item.Workspace"));
  permissions.add(Permission.fromId("hudson.model.Item.Cancel"));
  // The release permission is only available when the release plugin is installed
  // (Permission.fromId returns a Permission object, or null for an unknown id)
  Permission releasePermission = Permission.fromId("hudson.model.Item.Release");
  if (releasePermission != null) {
    permissions.add(releasePermission);
  }
  permissions.add(Permission.fromId("hudson.model.Run.Delete"));
  permissions.add(Permission.fromId("hudson.model.Run.Update"));

  // The second argument is the pattern for the project names the role applies to
  Role newRole = new Role(projectPrefix, projectPrefix + ".*", permissions);
  roleAuthStrategy.addRole(RoleBasedAuthorizationStrategy.PROJECT, newRole);

  // assign the role
  roleAuthStrategy.assignRole(RoleBasedAuthorizationStrategy.PROJECT, newRole, ldapGroupName);

  println "OK"
}
else {
  println "Role Strategy Plugin not found!"
}
{code}

I updated the script which does what I need now. Having a public API class which is more stable than the internal classes would be great.