Hello Jenkins Community!
I am currently doing some preemptive planning for setting up our Jenkins
instance.
We are going to use LDAP (Jenkins LDAP
plugin<https://wiki.jenkins.io/display/JENKINS/LDAP+Plugin>), as our security
realm, and project-based matrix authorization strategy (Matrix Authorization
Strategy
plugin<https://wiki.jenkins.io/display/JENKINS/Matrix+Authorization+Strategy+Plugin?focusedCommentId=80642557>),
as our authorization strategy.
It should also be noted that we have a distributed build system in place (1
Jenkins Master and several Jenkins Agents (virtual machine's running on Jenkins
host via VirtualBox)). The goal of the distributed build system is to separate
build / project environments on a per project basis.
As far as using a project-based matrix authorization strategy, I envision the
permissions working like so:
1. Global Administrators:
- Access to everything within Jenkins (all projects / jobs,
configuration settings, plugins, etc.).
- Access to all Jenkins Agents / Build Nodes (provide with
virtual machine credentials for login).
- Can configure / modify all project's Jenkins Agents / Slaves.
2. Project Administrators:
- Access as an administrator to specific project's / job's
configurations.
- Access to team's / project's specific Jenkins Agents / Build
Nodes (provide with virtual machine credentials for login).
- Can configure / modify project specific Jenkins Agents /
Slaves.
3. Jenkins Users
- Low level users added by project level administrators.
- Project level administrators have the ability to add users to
their project / job and grant permissions to those users as they see fit.
- Cannot directly configure / modify Jenkins Agents / Slaves
(Jenkins Agent / Slave credentials for login are not provided to low level
users).
- Could possibly modify job configurations for their project if
granted the right by a project administrator.
Is there anything I'm missing here as far as defining our authorization
strategy? From everything I've read on the Jenkins wiki about the plugins as
well as Jenkins itself, this appears to be a viable approach for giving teams
as much control over their builds / projects as possible.
Thanks to anyone who has any experience setting up a Jenkins Distributed Build
system using project-based authorization!
- Jason
--
You received this message because you are subscribed to the Google Groups
"Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/jenkinsci-users/BY2PR12MB0599349B594D500AE8612BFA89AE0%40BY2PR12MB0599.namprd12.prod.outlook.com.
For more options, visit https://groups.google.com/d/optout.
