Plugin Information
View Role-based Authorization Strategy on the plugin site for more information.
Older versions of this plugin may not be safe to use. Please review the following warnings before using an older version:
About this plugin
This plugin adds a new role-based strategy that simplifies and speeds up user management. This strategy allows:
- Creating global roles, such as admin, job creator, anonymous, etc., which set Overall, Slave, Job, Run, View and SCM permissions on a global basis.
- Creating project roles, which set only Job and Run permissions on a project basis.
- Creating slave roles, which set node-related permissions.
- Assigning these roles to users.
User guide
Getting started
Using the plugin is fairly simple:
- Activate the Role-Based Strategy by using the standard Manage Jenkins > Configure System screen.
- Define and assign roles by using the Manage Roles item which appears in the Manage Jenkins screen.
You then get the following options:
- Manage Roles is the place where to set up roles:
There's nothing much to say here; this is self-explanatory. The only tricky field is the Pattern one. This field consists of a regular expression aimed at matching the full name (including the folder name, if you're using the Cloudbees Folders Plugin) of the jobs which the role will apply to. For example, if you set the field to "Roger-.*", then the role will match all jobs whose name starts with "Roger-". Note that the pattern is case-sensitive. To perform a case-insensitive match, use the (?i) notation: upper, "Roger-.*" vs. lower, "roger-.*" vs. case-insensitive, "(?i)roger-.*". If you have a nested folder structure where you want to provide particular access to the second folder (or deeper), consider having a two-level security structure as well. Say you want to provide exclusive write/modify type access to foo/bar and not to everything else under "foo": first, assign that user/group read/discover permissions with the pattern "^foo.*", then assign that same user/group the more particular permissions with the pattern "^foo/bar.*", similar to what you'd do in a Unix/Linux environment.
- Assign Roles is the place where to assign the defined roles to users.
Global Roles vs. Project Roles
It should be noted that the Global Roles override anything you specify in the Project Roles. That is, when you give a role the right to Job-Read in the Global Roles, then this role is allowed to read all Jobs, no matter what you specify in the Project Roles.
It may therefore be advisable to leave most (all) options unchecked in Job, Run and SCM in the Global Roles section for normal users.
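The pattern-matching rules above (case-sensitive by default, "(?i)" for case-insensitive, a two-level "^foo.*" / "^foo/bar.*" structure for folders) and the cumulative global-versus-project semantics can be checked against a small model. The following is an added example written for this page, not code from the plugin itself: the role definitions, SID assignments and job names are constructed, and it assumes that the plugin matches a role pattern against the item's whole full name (Java Matcher.matches semantics, which is why the documented patterns end in ".*"). Permission implication in Jenkins (Administer implying every other permission) is deliberately not modelled.

```python
import re

# Constructed sample configuration (not the plugin's own data format). Global roles have
# no pattern; a global role behaves like a project role whose pattern is ".*".
GLOBAL_ROLES = {                       # name -> permissions
    "admin":         {"hudson.model.Hudson.Administer"},
    "overall-read":  {"hudson.model.Hudson.Read"},
    "all-jobs-read": {"hudson.model.Item.Read"},
}
PROJECT_ROLES = {                      # name -> (pattern, permissions)
    "roger-dev":   ("Roger-.*",   {"hudson.model.Item.Read", "hudson.model.Item.Build"}),
    "foo-read":    ("^foo.*",     {"hudson.model.Item.Read", "hudson.model.Item.Discover"}),
    "foo-bar-dev": ("^foo/bar.*", {"hudson.model.Item.Configure", "hudson.model.Item.Build"}),
}
ASSIGNMENTS = {                        # (category, role name) -> SIDs
    ("globalRoles", "admin"):         {"alice"},
    ("globalRoles", "overall-read"):  {"anonymous"},      # anyone may reach the dashboard
    ("globalRoles", "all-jobs-read"): {"authenticated"},  # every logged-in user reads every job
    ("projectRoles", "roger-dev"):    {"bob"},
    ("projectRoles", "foo-read"):     {"carol"},
    ("projectRoles", "foo-bar-dev"):  {"carol"},
}


def sids_for(user):
    """SIDs that apply to a request: the user name plus the built-in 'authenticated'
    group, or just the built-in 'anonymous' SID when nobody is logged in."""
    return {"anonymous"} if user is None else {user, "authenticated"}


def pattern_matches(pattern, item_full_name):
    """Assumption: the role pattern must match the item's whole full name (folder path
    included), like Java's Matcher.matches(). re.fullmatch mirrors that, and the
    (?i) flag and the ^ anchor behave the same way in both regex engines here."""
    return re.fullmatch(pattern, item_full_name) is not None


def granting_roles(user, permission, item_full_name,
                   global_roles=GLOBAL_ROLES, project_roles=PROJECT_ROLES,
                   assignments=ASSIGNMENTS):
    """Every (category, role) that grants `permission` on `item_full_name` to `user`.
    Evaluation is cumulative: a global role grants regardless of the item, a project role
    grants only when its pattern matches, and nothing ever subtracts a permission."""
    sids = sids_for(user)
    candidates = [("globalRoles", name, ".*", perms) for name, perms in global_roles.items()]
    candidates += [("projectRoles", name, pat, perms)
                   for name, (pat, perms) in project_roles.items()]
    hits = []
    for category, name, pattern, perms in candidates:
        if permission not in perms:
            continue
        if not (assignments.get((category, name), set()) & sids):
            continue
        if pattern_matches(pattern, item_full_name):
            hits.append((category, name))
    return hits


def has_permission(user, permission, item_full_name, **kwargs):
    """True when at least one assigned role grants the permission on that item."""
    return bool(granting_roles(user, permission, item_full_name, **kwargs))


if __name__ == "__main__":
    for user, perm, item in [("bob", "hudson.model.Item.Build", "Roger-build"),
                             ("bob", "hudson.model.Item.Build", "roger-build"),
                             ("bob", "hudson.model.Item.Read", "foo/bar/deploy"),
                             ("carol", "hudson.model.Item.Configure", "foo/baz/deploy"),
                             (None, "hudson.model.Item.Read", "Roger-build")]:
        print(user, perm, item, "->", granting_roles(user, perm, item))
```

Running the script shows the two points the text makes: bob's "Roger-.*" role does not reach "roger-build" because the match is case-sensitive, and bob can read "foo/bar/deploy" although no project role of his matches it, purely because a global role assigned to "authenticated" grants Job/Read to every logged-in user. Use granting_roles when an unexpected grant turns up in an audit; it names the role responsible.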
Built-in Roles
There are two built-in roles:
- anonymous: users who have not logged in
- authenticated: logged-in users
Macros support (since 2.1.0)
Macros extend the analysis of a user's access rights (see @RoleMacroExtension). If the user's SID meets the criteria in Roles and Assignments, the analysis is delegated to the extension, which makes its decision according to the instance and the macro parameters.
Available macros
You can get the list of available macros and their descriptions at the JENKINS_URL/role-strategy/list-macros page. At present the plugin ships a minimal set of macros, but more can be added by extensions from other plugins.
Known macros:
- Built-in: @BuildableJob
- Ownership plugin: Ownership-based roles: @Owner and @CoOwner (will be released in ownership-0.2)
Macro usage
Macros can be used in the following fields:
- RoleMacros - name of the role
- UserMacros - Not supported yet
Macro format: @macroName[:id][(parameter1, parameter2, ...)]
- macroName - name of the macro (see the list of available macros above)
- id - identifier of the macro. A technical parameter that allows the same macro to be used for multiple patterns
- parameter - additional parameters. At present they support neither variables nor TokenMacros
Macro string examples:
- @BuildableJob - Primitive macro invocation. Such an invocation can be used only once in each role category.
- @BuildableJob:1 - Macro with id
- @ParameterizedMacro(param1) - Invokes macro with one parameter
- @ParameterizedMacro:2(param1,param2) - Invokes macro with two parameters. Id prevents naming conflicts
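A parser for the macro string format above, added here as an example and not taken from the plugin. It assumes macro names are identifiers, ids are alphanumeric tokens, parameters are comma-separated literals (the page says they support neither variables nor TokenMacros), and that the "only once per role category" rule is keyed on the macro name plus its id, which is what the id exists to disambiguate.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional, Tuple

# Grammar from the page: @macroName[:id][(parameter1, parameter2, ...)]
# Assumptions: identifier-style names, alphanumeric ids, literal comma-separated parameters.
MACRO_RE = re.compile(r"@([A-Za-z_][A-Za-z0-9_]*)(?::([A-Za-z0-9_]+))?(?:\((.*)\))?")


@dataclass(frozen=True)
class Macro:
    name: str
    macro_id: Optional[str]
    params: Tuple[str, ...]

    def key(self):
        """Identity used for the 'only once per role category' rule: name plus id.
        Assumption: parameters do not take part, which is why ids exist at all."""
        return self.name if self.macro_id is None else f"{self.name}:{self.macro_id}"


def is_macro(role_name):
    """Role names starting with '@' are macro invocations rather than plain role names."""
    return role_name.strip().startswith("@")


def parse_macro(text):
    """Parse one macro string; raises ValueError for anything outside the grammar."""
    m = MACRO_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"not a macro string: {text!r}")
    name, macro_id, raw_params = m.groups()
    if raw_params is None or raw_params.strip() == "":
        params = ()                                   # "@Foo" and "@Foo()" both take none
    else:
        params = tuple(p.strip() for p in raw_params.split(","))
        if any(p == "" for p in params):              # reject "(a,,b)" rather than guess
            raise ValueError(f"empty parameter in macro: {text!r}")
    return Macro(name, macro_id, params)


def find_conflicts(role_names):
    """Macro role names within ONE category whose name:id identity is used more than once.
    Such duplicates are exactly what the optional id is meant to prevent."""
    counts = Counter(parse_macro(n).key() for n in role_names if is_macro(n))
    return sorted(k for k, c in counts.items() if c > 1)


if __name__ == "__main__":
    for s in ["@BuildableJob", "@BuildableJob:1",
              "@ParameterizedMacro(param1)", "@ParameterizedMacro:2(param1,param2)"]:
        print(s, "->", parse_macro(s))
    print(find_conflicts(["@BuildableJob", "admin", "@BuildableJob(x)", "@BuildableJob:1"]))
```

find_conflicts is the check to run over the role names of a single category before saving a configuration: "@BuildableJob" and "@BuildableJob(x)" collide because they share name and (absent) id, while "@BuildableJob:1" does not.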
External add-ons
The management interface becomes difficult to use with a large number of users and/or roles. Several Greasemonkey userscripts exist to make the UI easier to use (Jira issue):
Jenkins Role Strategy UI enhancer
This userscript adds a tooltip to the checkboxes indicating the row (e.g. user name) and column (e.g. permission).
Jenkins Role Strategy Role Management Enhancer and Jenkins Role Strategy Role Assignment Enhancer
These userscripts rotate the text in the column title cells on the Role Strategy configuration pages by 90 degrees so they use less horizontal space. Additionally, the first (header) column is repeated at the end of the table.
Version history
Version 2.10 (Feb 11, 2019)
Jenkins 2.60.3 is now the minimal requirement of the plugin
JENKINS-44472 - "Manage roles" table now supports preview of jobs matching the regular expression
PR #45 - REST API: getRole now also returns SID assignments
JENKINS-55804, JENKINS-55803 - Improve performance of the plugin on instances with many roles
JENKINS-49102 - "Manage roles" page now displays patterns in quotes to properly visualize whitespace patterns
JENKINS-45942 - REST API: Throw error when a non-existent permission is added in the addRole call
JENKINS-54900 - REST API: Prevent concurrency issues when permissions are checked in parallel with REST API calls
Internal changes:
JENKINS-55916 - RoleWalker iterator now can be aborted by the handler
JENKINS-55933 - First version of the Role Strategy performance testing instance
Version 2.9.0 (Aug 27, 2018)
PR #42 - Add REST API for retrieving particular roles
- Example: curl -XGET 'http://localhost:8080/jenkins/role-strategy/strategy/getRole?type=globalRoles&roleName=admin'
Version 2.8.2 (Aug 07, 2018)
PR #41 - getAllRoles REST API call was not closing output writer properly, and responses were missing in some cases
PR #40 - Prevent NullPointerException when getAllRoles REST API is called for non-existent role type
Version 2.8.1 (May 25, 2018)
PR #39 - Prevent NullPointerException when adding role to an empty type from REST API
Version 2.8.0 (May 16, 2018)
PR #37 - getAllRoles method now allows retrieving Job and Agent roles
- Example: curl -X GET localhost:8080/role-strategy/strategy/getAllRoles?type=globalRoles ("projectRoles" or "slaveRoles")
Version 2.7.0 (Feb 06, 2018)
PR #36 - Improve API to provide integration with Configuration As Code Plugin
Version 2.6.1 (Oct 04, 2017)
JENKINS-47265 - The plugin does not require extra dangerous permission enabler flags to be set with Matrix Authorization Strategy Plugin 1.5+
PR #33 - Improve diagnostics of invalid cases when Roles get created with null permissions
Version 2.6.0 (Aug 28, 2017)
PR #30 - Add REST API endpoints to get and unassign roles
- Examples:
- Unassign role: curl -X POST localhost:8080/role-strategy/strategy/unassignRole --data "type=globalRoles&roleName=AMD&sid=username"
- List roles: curl -X GET localhost:8080/role-strategy/strategy/getAllRoles
Update Jenkins core minimal requirement to 1.625.3
Version 2.5.1 (July 10, 2017)
Version 2.5.0 (Jun 02, 2017)
JENKINS-37178 - Add REST API, which allows managing roles and assignments
- Examples:
- Add Role: curl -X POST localhost:8080/role-strategy/strategy/addRole --data "type=globalRoles&roleName=ADM&permissionIds=hudson.model.Item.Discover,hudson.model.Item.ExtendedRead&overwrite=true"
- Remove Role(s): curl -X POST localhost:8080/role-strategy/strategy/removeRoles --data "type=globalRoles&roleNames=ADMIN,DEV"
- Assign Role: curl -X POST localhost:8080/role-strategy/strategy/assignRole --data "type=globalRoles&roleName=ADMIN&sid=username"
- Delete SID from all roles: curl -X POST localhost:8080/role-strategy/strategy/deleteSid --data "type=globalRoles&sid=username"
- Parameters:
- Type: globalRoles, projectRoles, slaveRoles
JENKINS-18377 - Improve speed of fetching roles by permission
JENKINS-43058 - Stop mentioning "slaves" in the plugin UI and Javadoc
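The curl examples in the 2.5.0, 2.6.0, 2.8.0 and 2.9.0 entries above cover the whole REST surface (addRole, removeRoles, assignRole, unassignRole, deleteSid, getAllRoles, getRole). The following wrapper is an added example for this page, not part of the plugin: it builds the same GET and POST requests with the standard library, validates the "type" parameter against the three values listed above, and takes a pluggable opener so a script can be dry-run and its intended changes reviewed before it is pointed at a live instance. The authentication scheme (a user and API token sent as HTTP basic auth) and the 30-second timeout are assumptions; the Jenkins URL and role data in the demo are constructed.

```python
import base64
import urllib.parse
import urllib.request

ROLE_TYPES = ("globalRoles", "projectRoles", "slaveRoles")   # valid "type" parameter values


class DryRunOpener:
    """Records requests instead of sending them, so an automation script's effect on the
    role configuration can be reviewed (or unit-tested) without touching a live Jenkins."""

    def __init__(self):
        self.calls = []

    def __call__(self, req):
        body = req.data.decode() if req.data else urllib.parse.urlsplit(req.full_url).query
        self.calls.append({
            "method": req.get_method(),
            "url": req.full_url.split("?", 1)[0],
            "params": {k: v[0] for k, v in urllib.parse.parse_qs(body).items()},
        })
        return b"{}"


class RoleStrategyClient:
    """Thin wrapper over the role-strategy/strategy/* endpoints. `auth` is assumed to be a
    (user, api_token) pair sent as HTTP basic auth; `opener` defaults to a real HTTP call."""

    def __init__(self, jenkins_url, auth=None, opener=None):
        self.base = jenkins_url.rstrip("/") + "/role-strategy/strategy/"
        self.auth = auth
        self.opener = opener or self._http_open

    @staticmethod
    def _http_open(req):
        with urllib.request.urlopen(req, timeout=30) as resp:   # timeout is an assumption
            return resp.read()

    def _call(self, method, endpoint, **params):
        if params.get("type") not in ROLE_TYPES:
            raise ValueError(f"type must be one of {ROLE_TYPES}")
        query = urllib.parse.urlencode(params)          # commas in permissionIds get %2C-encoded
        if method == "GET":
            req = urllib.request.Request(self.base + endpoint + "?" + query, method="GET")
        else:
            req = urllib.request.Request(self.base + endpoint, data=query.encode(), method="POST")
            req.add_header("Content-Type", "application/x-www-form-urlencoded")
        if self.auth:
            token = base64.b64encode(":".join(self.auth).encode()).decode()
            req.add_header("Authorization", "Basic " + token)
        return self.opener(req)

    # read-only endpoints (GET)
    def get_all_roles(self, role_type):
        return self._call("GET", "getAllRoles", type=role_type)

    def get_role(self, role_type, role_name):
        return self._call("GET", "getRole", type=role_type, roleName=role_name)

    # mutating endpoints (POST)
    def add_role(self, role_type, role_name, permission_ids, overwrite=False):
        return self._call("POST", "addRole", type=role_type, roleName=role_name,
                          permissionIds=",".join(permission_ids),
                          overwrite="true" if overwrite else "false")

    def remove_roles(self, role_type, role_names):
        return self._call("POST", "removeRoles", type=role_type, roleNames=",".join(role_names))

    def assign_role(self, role_type, role_name, sid):
        return self._call("POST", "assignRole", type=role_type, roleName=role_name, sid=sid)

    def unassign_role(self, role_type, role_name, sid):
        return self._call("POST", "unassignRole", type=role_type, roleName=role_name, sid=sid)

    def delete_sid(self, role_type, sid):
        return self._call("POST", "deleteSid", type=role_type, sid=sid)


if __name__ == "__main__":
    dry = DryRunOpener()
    client = RoleStrategyClient("http://localhost:8080/jenkins", auth=("admin", "TOKEN"), opener=dry)
    client.add_role("globalRoles", "ADM",
                    ["hudson.model.Item.Discover", "hudson.model.Item.ExtendedRead"], overwrite=True)
    client.assign_role("globalRoles", "ADM", "username")
    client.delete_sid("projectRoles", "username")
    for call in dry.calls:
        print(call["method"], call["url"], call["params"])
```

Replace DryRunOpener with the default opener to talk to a real instance. Depending on the Jenkins version and how the request is authenticated, POSTs may additionally need a CSRF crumb, which this wrapper does not add.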
Version 2.4.0 (Apr 10, 2017)
This change is a part of the Security release in Jenkins.
SECURITY-410 - Prohibit dangerous permissions by default
- Permissions like "Jenkins.RUN_SCRIPTS" cannot be granted to non-admin users by default
- After the upgrade to 2.4.0, such dangerous permission configurations will be disabled and reported in the Administrative Monitor
- "org.jenkinsci.plugins.rolestrategy.permissions.DangerousPermissionHandlingMode.enableDangerousPermissions" system property can be used to allow these dangerous permissions (not recommended)
- See the referenced issue for more info
Fixed escaping of descriptions in the Role Strategy Macros list (JENKINS-38230)
Version 2.3.2 (06/13/2016)
Performance: Disable user authorities resolution in permission checks by default (JENKINS-35515)
- It has been done due to the reported performance degradation in 2.3.0
- The 2.3.0 behavior can be restored by the org.jenkinsci.plugins.rolestrategy.Settings.treatUserAuthoritiesAsRoles system property
- If you enable it, the performance can be also tweaked by org.jenkinsci.plugins.rolestrategy.Settings.userDetailsCacheMaxSize and org.jenkinsci.plugins.rolestrategy.Settings.userDetailsCacheExpircationTimeSec
Authorities resolution: Catch Runtime Exceptions from underlying Security Realms. Prevents Jenkins DoS in such case (JENKINS-35652)
Generalize the help message for role patterns (JENKINS-35250)
2.3.1 is skipped due to the typo in the property name
Version 2.3.0 (06/07/2016)
Treat user authorities as roles (https://github.com/jenkinsci/role-strategy-plugin/pull/13)
Escape all form entry fields by default (prevent unintentional HTML injection by admins)
Migration to the new Jenkins plugin parent POM
Fixes of minor issues discovered by FindBugs
WARNING!
There are performance regressions reported to this version. Upgrade only after testing
Version 2.2.0 (06/29/2014)
Support of Create Job permissions since jenkins-1.566 (JENKINS-19934)
- The permission requires the specific item name validation strategy, which should be selected in Jenkins global configuration
Fixed help links in manage-roles pages (JENKINS-15030)
Slave permissions: Allow assignment of permissions, which don't belong to "Slave" group (JENKINS-18978)
Version 2.1.0 (07/20/2013)
- Added support of individual permission assignments for slave nodes (JENKINS-18748)
- Added support of Macro roles (JENKINS-18700)
Version 1.1.3 (07/10/2013)
- Prevented exceptions in case of missing roles (JENKINS-18648)
- Prevented exceptions in case of deleted Permissions
- Support of folders plugin (JENKINS-17482)
- Upgraded to Jenkins 1.424
Version 1.1.2 (10/14/2011)
- Implemented JENKINS-9325: Permissions contributed by plugins can now be managed at the project roles level
- Upgraded to Jenkins 1.409
Version 1.1.1 (09/19/2011)
- Fixed JENKINS-8058: "<" and ">" characters were not supported in regular expression patterns
Version 1.1 (06/08/2011)
- SCM permissions (e.g. Tag) can now be handled at the project roles level
- Improved UI to handle large installations:
- Deletion buttons are now also displayed on the left of each table
- When a table has more than 20 entries, a footer is now added which repeats the header
- It is now possible to edit already defined patterns by double-clicking on them in the Project roles table
- Fixed some typos
- Fixed some image display issues
Version 1.0 (09/20/2010)
- Initial release
198 Comments
Giuliano Ribeiro
Hello, first of all, congratulations you are the first to create a good plugin to reorganize how Hudson works with user/group/permissions.
Second, I have a question: how can I configure a role to have permissions on 2 projects with different names, like ProjectABC and BuildMyProject? How do I put that in the Pattern field?
Romain Seguy
Simply build a regular expression which fits that:
(ProjectABC.*|BuildMyProject.*)
Dominik Bartholdi
Is it possible to add new roles/users via CLI or remote API?
The problem is that we need to do this fully automated, and by updating the configuration file directly we would have to restart Hudson after a modification, right?
Romain Seguy
No it's not possible yet (+ yes, you're right, you would have to restart Hudson). May you create a JIRA ticket for that please? I've just requested through the ML for the creation of the JIRA role-strategy component.
Unknown User (michil)
I'm trying to add a project role with a role name and a regular expression. When pressing the add button, nothing happens.
I tried it also with a regular expression ".*" which should cover all my projects, but even then, nothing happens.
Tried to check the Hudson log files, but found no output from the plugin.
Romain Seguy
Please create an issue in JIRA with screenshots + the technical configuration.
Unknown User (valley.antoine)
Hello, this is a very nice plugin.
On my local hudson configuration, your
However, on the production server, I encounter a problem.
On the main board (with the project list), I'm always asked to enter my login/password even when I'm already logged in.
Sometimes, i can access this page, but can't explain when and why.
Strangely, I have no problem to access other pages (configuration, users...)
Configuration :
Customed Hudson v1.364 (no major changes)
I'm using LDAP-based authentication + LDAP groups
I have some users in several groups.
Thanks in advance for your advice
Unknown User (valley.antoine)
Hello again,
Just to say there are some small mistakes in the french property file :
You wrote "&ocric;" instead of "ô ;" (I added a space in order to make it appear)
Bye
Romain Seguy
Hi,
Thanks for reporting the typo. I've fixed that locally and will commit once SVN is fully back.
May you next time create an issue in JIRA to report bugs/request enhancements?
Regards.
Unknown User (valley.antoine)
Ok, you will never believe me about the previous bug (asking me to authenticate myself) :
There is certainly a bug with Firefox. Here are the steps :
Configuration :
- Firefox 3.0.19
- Internet Explorer 7
1 - I log in on firefox
--> I have the error
2 - I open Internet Explorer
3 - I log in with IE (same user or not makes no difference)
--> No error on IE
4 - I go back on Firefox
5 - I refresh the page
--> No error !
If I log out and log in again on Firefox --> the bug comes back
It's just like the privileges index is not well refreshed when logging in with Firefox
That's kind of magic
(Still no bug on local)
Romain Seguy
OK.
Kindly create an issue in JIRA (if not already there) for the Hudson core component (since it's not related to the Role Strategy plugin).
Unknown User (raghuram_028@yahoo.com)
Hi,
Thanks for this plugin - it is very useful.
I recently upgraded to version 1.386 of hudson. I'm not able to add roles/group at project level.
I click on the "add" button & nothing happens.
Can any one confirm?
Thanks,
Romain Seguy
Which browser are you using? It highly depends on it. E.g., it works fine on Firefox 4.0 but not on Internet Explorer 6.0.
Markus Dieterle
Same problem here, using IE 8.
Do you have any more detailed information on what causes the problem?
Is there a chance that this problem can be solved?
(IE is company standard)
Thank you in advance.
hbockelmann -
I really like this plugin since it allows to hide some 'internal' jobs (which are not fully tested or just meta-steps in a job chain) and show them only to authenticated users - thank you very much.
But: if I set the global role for anonymous to
<permission>hudson.model.Hudson.Read</permission>
and then add a project role to some jobs with
<permission>hudson.model.Item.Read</permission>
the anonymous user can not only see the jobs I granted to him, but also the sidebar information! This might cause some trouble since the sidebar shows the build executors and in my case also the userContent directory on the hudson server. Is it possible the restrict the view on the sidebar in the same fashion as for projects?
Romain Seguy
How have you added the userContent dir in the sidebar? Is it a plugin or a direct modification to Hudson core? In both cases, what you have to do is to add a new permission or to reuse an existing one in order to protect your sidebar.
hbockelmann -
Thanks for your help, I added the userContent via the Sidebar-Link Plugin. Could you please be a bit more concrete about how to add a new permission? Do I have to modify the source of the plugin or of Hudson core?
BB Tksh
Hi, this plugin is very useful to us, thanks.
Sorry if this is a FAQ or my mistake, but I suppose that
this plugin outputs data to config.xml without sorting elements, for example:
Of course, this is no harm, but as a result,
simple diff of config.xml (ex. jobConfigHistory plugin) becomes very dirty ...
Romain Seguy
I think I can implement sorting easily since the plugin uses its own converter to serialize data.
May you please file an issue in JIRA to track that? Thanks.
Kuh 96
I posted JIRA, instead of Takesh.
I'm a newbie of JIRA, so feel free to modify this report (including my English) and please don't hurry to fix this tiny problem.
Thanks in advance !
Maxime Lemanissier
Hi,
I'm using Promoted builds plugin. The "promote" right is displayed in global authorization matrix, but not in role strategy matrix.
Can you please add it?
Romain Seguy
This is something I have to do for some time now. May you please create an issue in JIRA about that so that I don't forget? Thanks.
Maxime Lemanissier
Ok, done : https://issues.jenkins-ci.org/browse/JENKINS-11118
Thanks.
Kenny Watts
I don't know if this has been asked before, but I am trying to use the Logged-in users can do anything. I was wondering though how do you create a user? I cannot log into my system to do anything at this point. Thanks.
Maxim Kopeyka
Is it possible to reset all security settings?
Romain Seguy
I guess you're asking for this: Disable security.
Maxim Kopeyka
Thanks.
Jason Spotswood
Are there plans to add a default authenticated user role (basically the opposite of anonymous)? This is similar to the Logged-in users requested, I want authenticated users to be able to perform certain operations without having to manage them individually.
William Wightman
We really would have found an "Authenticated" user useful here as well. We have the case where we would like to allow anyone to start a type of build, but would like to track who started the builds. An authenticated user would allow us to do this.
Jason Spotswood
I have raised the issue https://issues.jenkins-ci.org/browse/JENKINS-13029 for this feature request. Please Vote if you think it is a good idea.
Maxim Kopeyka
I'd like to close access for Anonymous except Overall/read but I can't use RSS notifications because I have to login in first. Does somebody know some workaround?
Swa Ch
Plugin crashes tomcat6,
We are using Windows XP, IE8
Anybody has faced same problem?
Please Help!!
Romain Seguy
Don't attach log files to this page: This is a wiki, not a bug tracker or a support tool. Please use appropriate tools for that: Take a look at the users mailing list or at JIRA.
Swa Ch
Sorry about that, I just updated my comment. But could you at least tell me why I am facing the above issue?
John Van Lierde
I'm having trouble with the project roles.
I have a project called “reporting_build”, and I created a role called “reporting” with the pattern “reporting_build” with all permissions enabled.
I then assigned a user (mark) to that role.
But when mark logs in, I get “Access Denied, user is missing the Read permission”.
If I assign mark to a global role, i can log on and see everything (which, of course, is not what I need).
I've googled “missing the Read permission”, but I haven't found anything that's relevant.
What does this error mean? Is it a problem with the role set up, or is there a more fundamental configuration issue that I'm missing?
I'm using Hudson 2.2.0 with Hudson's user database and v1.1.2 of the plug in.
Thanks for any pointers.
John Van Lierde
I got it to work.
I went back and followed the example above slavishly and discovered that you need to have the global anonymous role with overall read permission set. After that, everything worked as advertised. It seems odd that the plug-in doesn't set that permission autom-magically.
The anonymous user is quite useful.
A cool plug-in.
Zachary Young
Yes, a very critical part of the configuration that was not explicitly mentioned. In my case, I don't want Anonymous being able to read, so I substituted Anonymous for authenticated users.
Damian Shameer
I'm not sure if this can be classified as a bug but I just discovered this while doing some testing.
Don’t laugh @ my job names and views as they are fake. I work for a large org and I'm setting up a CI environment for my division so we have a CI QA space for testing and experimenting. I setup this Jenkins space to simulate multiple teams with one team having multiple projects (multiple apps). I'm using LDAP for login authentication. The job naming convention will determine the group. For example: all apache-* jobs belong to team Apache.
What I did:
In the Manage and Assign Roles view, I created a role called apache_only_access (only users assigned to the role can change apache-* jobs) and granted it the global permission to create jobs.
In Project Roles, I granted role apache_only_access full project permission. I then assigned a specific user (user1) to this role. This works beautifully.
User1 has read-only access to the other jobs but cannot make any changes. User1 can only modify the apache-* jobs.
User1 can also create a new job as long as the job name begins with "apache" For example, new job apache-something works is allowed.
What is the issue?
Logged in as user1, I clicked on New Job, selected Build a maven2/3 project, entered job name "my-new-job" then clicked next, where the following error is shown
Access Denied:user1 is missing the ExtendedRead permission
This I expected since user1 is restricted based on the role I created.
The issue (again, not sure if this is an issue/bug) is the job user1 intended to create is created and shows up in the default view (last image). User1 can view the job but cannot delete it. To remove the job, I have to log in as admin and delete it.
Romain Seguy
This is normal: The permission to create a job, well, allows for creating jobs. It doesn't control the name of these jobs. So if the user has this permission, then he can create whatever job he wants. But he won't be able to view/edit/delete them (depending on the perm) if he's not been allowed to.
Damian Shameer
Thanks Romain!
I suspected such was the case as the job is saved after you leave the initial screen and go to the job configuration screen.
However I feel Jenkins should factor in the user's permission BEFORE saving the job. After all, if a user only has permission to create, for example, apache.* jobs, creating a job titled otherwise would be pointless.
In any case, I'm nitpicking on this one ;-)
This plugin is a great addition to Jenkins!
Dhan Raj
I get an issue with project-specific roles. The global setting always takes precedence and the project-specific role is ignored. I am trying to make a separate group/user own their own jobs without modifying/restricting other jobs.
I tried following steps above.
Hans Peter
Hi Guys,
is it possible to connect to jenkins via CLI while this plugin is enabled?
venkat Annangi
Hi Guys,
This plugin is giving awesome features for securing Jenkins. Thanks for the plugin
We are struggling to update the project roles for the users. Is there any future release with filtering the users based on roles or user?
If we had a filter in the assign roles matrix that would be very great and helpful to most of the users
And also I found some issue with the current version of the plugin. It is not working with the latest version (1.27) of the AD plugin
Romain Seguy
Hey,
Yes, this is something I wanted to achieve. I started the work (you can see a screenshot in this JIRA issue: JENKINS-8075) but didn't complete it. Daniel (you'll see his name in the JIRA issue) will be your guy for that.
venkat Annangi
Thanks Romain
will get in touch with Daniel
Damien Finck
Hello,
Can you correct the French translations?
In the "Manage and Assign Roles" page > "Global roles" > "Role" > "Run" is translated as "Lancer", but it would be better as "Historique des builds"
In the "Manage and Assign Roles" page > "Global roles" > "Role" > "View" is translated as "Voir", but it would be better as "Vues"
Do you want help translating other phrases?
Thank you
Romain Seguy
Hi Damien,
These translations are not part of the plugin, they are part of Jenkins core: The plugin gathers permissions from Jenkins itself and from other plugins, so it's the responsibility of Jenkins and these plugins to provide the right translations.
Haggai Philip Zagury
Hi,
I have stumbled upon an issue which I am not sure qualifies as a bug, for I might be doing something wrong.
I have two roles:
a.builders which have build permissions - these users should be able to build a pattern of a(.*) build name pattern
a.releasers which have release permissions - these users should be able to build and release a(.*) build name pattern
Users in either group have the ability to release, which is kind of missing the point. The question is how the plugin applies the permissions: the release permission is introduced only if the release plugin is installed, and my question is why the permission isn't applied. Let me know if I should file a bug.
Thanks, HP
kapila narang
Need help here on how to do this.
I need to create multiple groups like raildev here who can log in only with their defined view & access permission (with a set of pattern matching jobs-trains.*) + can't view other jobs in others' views.
But right now when the raildev user logs in he is able to view all other views also & their jobs. How can I hide this?
Alex Vesely
I needed to give users the ability to manually trigger a set of jobs, all of which had a common prefix in their names. I thought I had to tediously modify each of them using the "Project-based matrix authorization strategy".
But then I ran into your plugin, and set everything up in a matter of minutes. Thanks very much, works great!
E B
I set the pattern to any of j*, j.*, j., "j." for a job that is named jenkinstest, but every time I get an error during login with the user who is assigned to that role. Should you use double quotes when creating the pattern, or are quotes not needed?
If I assign the user to admin role then the user can login successfully. I am using the Collabnet plugin for authentication.
HTTP Status 404 -
type Status report
message
description The requested resource is not available.
Apache Tomcat/7.0.30
E B
Resolved this "The requested resource is not available" issue. Created a readonly role and then needed to give read access in global to Anonymous.
But this looks like a bad design or bug to me to have to give read access to Anonymous at global level.
Harpreet Nain
Hi,
I have configured the plugin and it works well. However, I have noticed that the plugin does a case-sensitive match when searching for usernames.
I personally think that this search should be case-insensitive. Is this a bug or is this how the plugin has been designed to work? This is causing us a lot of grief as we have to add each user twice, once with the uppercase username and once with the lowercase username.
Please advise..
Regards
Oleg Nenashev
Hello,
By default, user names are case-sensitive in Jenkins. Several security plugins (like Active Directory) allow a user to connect with any case, which causes such SID differences. I'm going to add support for user macros at some point (https://issues.jenkins-ci.org/browse/JENKINS-19320). Such macros can resolve your issue, but they can significantly affect performance of the plugin.
BR, Oleg Nenashev
Overmind DL1
Would be nice to give some people access to create their own jobs, and for them to have full access over their own jobs that they created automatically. Perhaps a way to restrict their job names to always start with a certain prefix, then we could just give permissions to that prefix.
Oleg Nenashev
Hello,
https://wiki.jenkins-ci.org/display/JENKINS/Ownership+Plugin implements such functionality w/o any additional prefixes.
BR, Oleg Nenashev
Rakesh Kande
Hi
We are using this plugin to serve our needs for segregating job access to users based on the job name.
We are having some issues using regex. Manage and Assign Roles -> Manage Roles -> Project Roles is not working; the regex is not working.
Say we are trying to apply the regex for all job names starting with "test" ignoring case (like "(?!)test.*"). This is not able to filter the jobs. I have tried this using the latest version of the update too. Any suggestions :)
Oleg Nenashev
Hi Rakesh,
It is not an issue in the plugin. You should use "(?i)test.*" (i instead of !)
Useful link: https://blogs.oracle.com/xuemingshen/entry/case_insensitive_matching_in_java
Best regards, Oleg Nenashev
Rakesh Kande
Thanks a lot Oleg :) I overlooked the symbol. It's working now, thanks a lot
vishal sahasrabuddhe
Thanks a lot, This is really a great plugin. I have a doubt and requirement.
I am using LDAP authentication for Jenkins and using the role-based-strategy plugin for authorization.
My problem is that I cannot put the list of users in the global roles because
1. there is a huge list.
2. I don't even know the complete list because users are being added and deleted in LDAP.
I would like to have something like "*" which should include all users, so that users being added or deleted will not be a manual task in Jenkins.
Thanks,
Vishal
Oleg Nenashev
Hello Vishal,
You can use "authenticated" User/group to assign all authenticated users to a global role. Does it resolve your issue?
Best regards, Oleg Nenashev
vishal sahasrabuddhe
Hi Oleg, you are superb.
Yes, this solves my problem.
I can't tell you how useful this feature is for me.
once again, great plugin .
Thanks,
Vishal
Angelo Schneider
I'm wondering:
"It should be noted that the Global Roles override anything you specify in the Project Roles. That is, when you give a role the right to Job-Read in the Global Roles, then this role is allowed to read all Jobs, no matter what you specify in the Project Roles."
What is the rationale behind this? It is very counterintuitive and IMHO makes no sense at all. Everyone I know would assume exactly the opposite. I guess it is now too late to change that ... but I wonder why it came to that decision.
Oleg Nenashev
It's a common approach for multi-role/group authorization systems. Most of them provide cumulative permissions like role-strategy does. If you assign a user to any role, he will get its permissions.
Global roles just affect all jobs. You can just consider them as project roles with the ".*" pattern.
Szabolcs Sélley
Hi,
Could you please add a bit more detailed description of the slave roles to this wiki? Unfortunately the help is not available for the pattern variable of the slave role section on the Manage Roles page. And how will these Slave Roles work against Global Roles? If I want to restrict a group of users to be able to build only on a group of slaves in Jenkins, do I have to leave the Build right empty on the global level for these users?
Thanks!
Oleg Nenashev
I'll add such info to the Wiki. Just a short answer to your question...
Szabolcs Sélley
Thanks for the quick answer Oleg!
Szabolcs Sélley
Hi,
Just one more issue, I also use Project roles for users in Jenkins. Will Slave roles be cumulative with these as well? The problem is with the build permissions, which are already restricted by the project roles. And I also want to have a filter not just on the project but on the nodes as well for users in our Jenkins.
Thanks!
Szabolcs Sélley
Sorry, and one more thing in addition. If I remove the build permission of a user for a node, will aborting jobs running on it also be disallowed for that user? I hope that it works like that. :)
Oleg Nenashev
Seems I've missed the Wiki update notification...
Szabolcs Sélley
Hi,
Thanks, is it possible to add cancel right for a user on a job(s), but just on a group of slaves, not on both?
Oleg Nenashev
AFAIK, it is not possible now. Such permission type should be provided by Jenkins core. "Computer.Build" is a new permission, other slave-specific permissions have not been implemented yet.
Please create a feature request on JIRA (component=core) if you need such functionality.
Szabolcs Sélley
OK, thanks for your help!
Benjamin Todd
Hello,
Can you expand on this note for the 2.2.0 release?
Support of Create Job permissions since jenkins-1.566 (issue #19934)
- The permission requires the specific item name validation strategy, which should be selected in Jenkins global configuration
I'm trying to understand what is meant by "The permission requires the specific item name validation strategy".
Thanks,
Ben
Oleg Nenashev
Nick Glasser
Is there a role provided to allow users to edit their own profile? I'd like to allow users to access /user/[username]/configure without granting all users administrative rights.
Oleg Nenashev
This functionality is available out-of-the-box
BTW, it may be prohibited by your Security realm
Nick Glasser
How would I configure this? I can edit my own and other users as an admin. Other users cannot edit their own account unless I add the overall administer role.
Oleg Nenashev
What Jenkins version do you use? There's no such problems on 1.509.4
Nick Glasser
Turns out this was a case-sensitivity issue. My LDAP users can log in successfully using lowercase, but only if they log in using uppercase do they have the option to configure their account.
System Administrator
I've been trying to get the ?i case insensitivity switch to work on Assign Roles/Global Roles so it works the same way as Active Directory but I can't seem to make it work. Is it possible?
Oleg Nenashev
What switches do you mean?
System Administrator
When I add users to Global Roles on the Assign Roles page at the moment I have to add two, 'user.name' and 'User.Name' - if I only add 'user.name' then when they log in to Jenkins with 'User.Name' they don't get the right features as per their assigned role.
However having looked at the link you gave it seems you are already working on this one. I shall wait for the update... :)
Oleg Nenashev
I'm not sure if the PR will be merged.
New versions of Jenkins core provide the similar functionality since 1.566. See https://issues.jenkins-ci.org/browse/JENKINS-22247
Chris Beauclair
Is it possible to require a user to be part of two groups to access certain builds? Like say I have ldapGroupA and ldapGroupB, and I want to require that the logged in user has access to both groups to have role N.
Oleg Nenashev
Currently, the plugin does not support specific permissions on the builds level. This case is very rare.
Feel free to contribute to the plugin or to submit a feature request on Jenkins JIRA
Chris Beauclair
Hello again! So I think maybe I misspoke when I said "certain builds". I mean to continue using the plugin as it is used now, by assigning groups to roles in order for them to have access to a project. It's just that I would need to be able to specify that the current user be part of two groups to be granted that role. If that is not possible I'm more than happy to try and contribute to the plugin, I'm just a little uncertain on where to start.
Jordan Spiker
Great plugin! Is it (yet) possible to update projects / assign roles via means outside of check boxes? I would like to do so from a groovy script. For example, I'd like to pull redmine groups / permissions and apply them to Jenkins. Thanks!
Oleg Nenashev
Yes, it is possible.
Groovy system scripts have full access to all public and private (not recommended) methods of plugin classes. For example, we use Groovy scripts to temporarily grant ADMINISTER permissions (sudo mode).
Jordan Spiker
Awesome! Thank you. If it's not too much to ask, can you show an example? As much as I've tried, I can't figure out how to access plugin methods from a groovy script. Thanks!
Oleg Nenashev
I've posted an example to Gist. Please note it's internal hack implementation from a Jenkins job, hence it takes some info from the environment.
https://gist.github.com/oleg-nenashev/7ff848fabc291cdc1236
Jordan Spiker
Ah, you just made my week! Thank you so much.
Joshua Coughlan
Hello. I'm trying to use this plugin to restrict access to a Jenkins slave. The setup that I am working with has only a single slave. My slave role has a pattern of ^.*$ and all of the permissions are enabled. I then assign this role to an LDAP group, and members outside that group are still able to run jobs on the slave, with the slave being specified in the job using the "Restrict where this project can be run" setting. I have tried various things like creating a role with no permissions and the slave node as the pattern and assigning that role to the group that should not be allowed to run things on the slave, but nothing seems to have any effect on the job being able to run on the slave. The test user I have in the LDAP group is always able to run the job on the slave.
Any suggestions?
Oleg Nenashev
Computer.BUILD permission elaborates the internal authentication of jobs, which should be performed by Jenkins extensions. This permission won't take effect on a default Jenkins installation.
See https://wiki.jenkins-ci.org/display/JENKINS/Authorize+Project+plugin . It provides a relevant user definition for the project.
You can also use https://wiki.jenkins-ci.org/display/JENKINS/Job+Restrictions+Plugin in order to get the required functionality outside the Permission Matrix
Christopher Suarez
Hi. I don't quite understand your answer (sorry :-) and I have the same type of challenge as Joshua but more generic.
Is it possible to use the node label and parametrized build plugins to allow the user to select a node to run a job on, but then check whether that user is allowed to run jobs on a specific slave?
I've tried back and forth with the job restrictions plugin only to realize that I misunderstood "Jobs owner must belong to the list".
So basically person A but not B should be allowed to run job x on slave Y, while person A and B should be able to run job x on slave Z. Slaves are listed as parameters (node labels) when starting the build. Or are you saying that the only way to achieve that is to add the authorize project plugin to properly be able to pick up the user when evaluating slave roles?
Oleg Nenashev
@Christopher
Job Restrictions Plugin may be updated for the case. I suppose that "Started by a user" may help (https://issues.jenkins-ci.org/browse/JENKINS-25726).
Ye Liu
@Joshua Coughlan, did you make it work? I am using this role based strategy plugin with the Kubernetes plugin on Jenkins 2.150.1, and I want to do a similar thing to what you were trying, control who can build the jobs on specific nodes based on the labels, but people are always able to build on any node.
Dmitry K
Hi Oleg,
We have a custom UI on top of Jenkins and I would like to get a role of a user.
Please advise how can I get the user role using the REST API?
If it is not implemented do you have some plan to do this?
Regards,
Dmitry
Oleg Nenashev
Hi Dmitry,
REST API is not available for the plugin. There are no such feature requests in JIRA, so it would be useful if you create one. In any case, I don't have enough resources to implement this feature in the short-term perspective. If you want to implement this feature on your own, I'm ready to review pull requests, etc. So feel free to contribute ;)
To emulate REST API you can do the following:
BR, Oleg Nenashev
michele ripm
Hi guys,
I'm trying to configure restricted permissions using this plugin for users and groups on my AD, based on our internal policy on Jenkins.
The scenario that I'm working on is:
- Jenkins 1.579
- role strategy plugin 2.2.0
- AD win 2k8
The "configuration to be expected" should be:
(Role) "Role 1" -> assigned to -> (Group) Group A -> that contains -> (Group) Group B -> that contains -> users.
The workaround that we have implemented is:
(Role) "Role 1" -> assigned to -> (Group) Group B -> that contains -> users.
The issue seems to be due to nested groups on AD, which don't work correctly with the plugin.
Any suggestion would be appreciated.
Thanks in advance for your help.
Best Regards.
Michele
Oleg Nenashev
Hi Michele,
Please create an issue in JIRA for your case.
G Dameron
I would like to create a setup in which:
Is such a capability available now, or in the pipeline?
(Currently running: Core 1.565.1, v2.2.0 of Role Strategy plugin, v0.3 of Job Restrictions plugin, v0.5.1 of Ownership plugin)
hbockelmann -
I have the same problem. Users authenticate via LDAP and they should only use slaves that are allowed for their group.
Using the following plugins with core 1.580.2 (LTS)
the slave-role permission "slave/build" should do the check whether a user is allowed to run a job on a specified slave - but it is not working!
If you define a slave-role with the "slave/configure" permission given and assign this role to an LDAP group, all users in this group are allowed to configure every node/slave that matches the pattern of the role.
But if I activate the "slave/build" permission for this slave-role, the user cannot run a job on any slave that matches the pattern ?!?!? The job would idle forever waiting for the slave.
I suppose that this is a bug in the plugin, since the role-based access to configure a slave works perfectly, but not the permission to build on a slave - maybe the plugin developer could comment on this?
BTW: I need a global role "authenticated" with overall/read permission in order to view the dashboard for an authenticated user. One might activate the slave/build permission for the global role, but then every authenticated user can use every slave ...
Oleg Nenashev
Hi,
The feature will be available in job-restrictions-0.4 (it will use LDAP groups directly w/o Role-Strategy plugin). See https://github.com/jenkinsci/job-restrictions-plugin/pull/5
It would be great if you evaluate the dev. build from https://jenkins.ci.cloudbees.com/job/plugins/job/job-restrictions-plugin/33/com.synopsys.arc.jenkinsci.plugins$job-restrictions/artifact/com.synopsys.arc.jenkinsci.plugins/job-restrictions/0.4-SNAPSHOT/job-restrictions-0.4-SNAPSHOT.hpi
hbockelmann -
Hi Oleg,
I have now updated to
and restricted job execution on dedicated slaves to some LDAP groups only. This is working as intended only if I am giving "slave/build" permission to the authenticated user in the global role! Interestingly this is e.g. not needed for the "slave/connect" permission ...
Another remark: if a user tries to start a job on a slave for which his LDAP group does not have the permission, the job idles forever in the build queue. It would be nice to reject such a job already when it is submitted, such that the user gets to know about his "error". Do you know of any easy way to achieve this?
Oleg Nenashev
> This is working as intended only if I am giving "slave/build" permission to the authenticated user in the global role!
The permission has been introduced in relatively new Jenkins versions, so there could be an issue within the plugin. Please create a JIRA issue and attach the info about your job. I'll check it and create appropriate tests.
> if a user tries to start a job on a slave for which his LDAP group does not have the permission, the job idles forever in the build queue. It would be nice to reject such a job already when it is submitted, such that the user gets to know about his "error". Do you know of any easy way to achieve this?
AFAIK Christopher Suarez is working on such a feature for job-restrictions. I'll review the changes and release the new version when he creates a pull request.
hbockelmann -
I just created the issue #26485 - thank you for having a look at this
vishal sahasrabuddhe
Hi Oleg,
We had ldap integration and "authenticated" user bit was working fine to assign role for the logged in user.
However after SAML integration for SSO, "authenticated" user role stopped working without throwing any error.
Role based strategy plugin is working fine for individual users but it is not working for authenticated users.
Any idea where could be the problem?
I already raised a ticket https://issues.jenkins-ci.org/browse/JENKINS-27829
Petr Vejchoda
Why overall read necessity is a stupid idea
Because I don't want anyone to see all the jobs! I want testers to see jobs that are related to them. I want administrators to have their playground that is not visible to others. Maybe I want to give testers authorization to build all the jobs, so that the authorization plugin doesn't have problems running them as testers, but I don't want them to be able to run them directly. Well, tell me just what it is good for and I'll shut my mouth.
If it is necessary somehow because of the code, wouldn't it be possible to decline some read authorization at least? Just get me rid of that stuff. Please.
Oleg Nenashev
Seems you misinterpret meanings of Overall.READ, Item.READ and Item.DISCOVER.
Overall read is not necessary in Jenkins core and plugins. Role Strategy allows configuring the behavior without a global read, so I don't get your complaint at all.
Petr Vejchoda
Well OK, I just wanted to show you how it was always showing all the jobs to tester accounts. But it suddenly started to work the way I was expecting it the whole time. I feel like a complete idiot, sorry. Is there any delay between when I change the policy and when it actually starts working? I just don't know what was happening.
Oleg Nenashev
> Is there any delay between when I change the policy and when it actually starts working?
No, there is no delay. Make sure that item discovery is set up correctly. If yes, create an issue on Jenkins JIRA, specify the aux data according to https://wiki.jenkins-ci.org/display/JENKINS/How+to+report+an+issue and also provide a configuration of Roles and assignments
Petr Vejchoda
Well ... somehow it works now. If it behaves strangely again, I'll report it.
sunder konda
I'm trying to use this plugin but it got me all confused, and I'm not sure if it's working.
I've created a few roles like DevManager with privileges like only Read for builds and DevLead with create/delete jobs,
and I created users for both roles and assigned users to both roles. But when I log in as a user of either role I see the same screens and privileges. Even the DevManager is able to create/delete jobs and users, which I haven't given them.
I've only created Global roles, no project level roles. But nothing seems to be working unless I missed something.
Is there anything I missed other than creating the users and roles and assigning users to the roles?
Thanks,
Sunder
Oleg Nenashev
Sorry, missed the comment due to the vacation. This Wiki page is not a support portal BTW. Use Jenkins JIRA, IRC or jenkinsci-users list to ask questions.
The description seems to be correct, and it should work (it's a very basic case). If the issue still exists, it would be helpful if you create a JIRA issue and attach your security configs there.
Krisztian Fekete
Could you please update the documentation in terms of project based credentials? I would like to set up project based credentials, but it is not clear how it works. If I add a global read credential permission to my user, it can see all the credentials; if I remove the global read permission, it cannot see anything. I am unable to see how the project based credentials affect the global visibility of the credentials.
Could you please advise?
Thank you!
Chris
Oleg Nenashev
Hi Chris,
"Credentials" term may be quite confusing, because it's another security mechanism in Jenkins. I'm not sure what you mean under "project based credentials", because there is no such feature in Jenkins IIRC. Could you clarify the question or probably attach several screenshots?
Todd B
We have numbers as our usernames. I am wondering if this plug-in could be enhanced to allow a text column to the far right or left for each User/group (in Assign Roles). We could then add a user and use the description for their real names.
Oleg Nenashev
It could be enhanced in such way. Feel free to submit a pull request or to create a JIRA issue.
Gabor V
Hi,
What if I lock myself out on a project/job level? I enabled the auth for a job, added some users, after some time I removed everyone and, accidentally, pressed the save button. After that I cannot see the config and no one else can.
I have updated the job's config.xml, but it did not help. I removed the whole security section from there, still not ok.
I can not copy the job.
Any ideas?
br,
Gabor
Oleg Nenashev
Hi. Role Strategy plugin has no configuration options on the job/project level.
I suppose you use another plugin like Matrix-based security or RBAC (the second one is a proprietary one from CloudBees)
Gabor V
You're right, thanks. I hope they reply (Matrix guys). I don't see too much activity on their page...
Oleg Nenashev
Wiki is not a QA channel, so all activity there is pretty random. Response is not guaranteed. The right way to ask questions is to use Jenkins IRC or jenkinsci-users mailing list.
Regarding your issue, most probably you need to setup an admin account having global Jenkins.ADMINISTER permissions. Then this user will be able to open any job and fix permissions there.
Gabor V
I already have an admin account, and it can't see that job config either. Strange, isn't it. I tried to remove the security stuff from config.xml, reloaded the config from disk, still the same.
Brian Bennett
Environment:
OS: Windows Server 2012 64-bit
Jenkins: 2.7
Role-based Authorization Strategy: 2.2.0
Folders plugin: 5.11
We have a top-level folder called Technical_Support and one job in this folder: Test1. I've created the following project roles and patterns:
Developer_A: ^Technical_Support/.*
Developer_A2: ^Technical_Support.*
Developer_A3: ^Technical_Support\/.*
and I've created the following global roles and permissions:
Overall_Read: Overall/Read and Job/Discover
In roles assignments, I have the following roles/assignments:
Global: authenticated: Overall_Read
Project: brbennett: Developer_A, Developer_A3
Issue: This configuration does not give user brbennett any permissions to jobs in folder Technical_Support. We have to use role Developer_A2 in order to get permissions so it would appear that I'm not coding the pattern for the folder correctly. However, that pattern does not include the '/' delimiter so it could match Technical_Support/testjob1 and Technical_Support2/testjob2 and job Technical_Support_job in the root. Is there a coding method I can use to specifically have it apply to only folder Technical_Support?
Oleg Nenashev
^Technical_Support$ ?
Brian Bennett
If I change role Developer_A to pattern ^Technical_Support$.*, then user brbennett has rights to Technical_Support2/... jobs, so that isn't the fix.
Brian Bennett
I apologize as I didn't take your suggestion literally and I added '.*' at the end of it. Now I've modified role Developer_A to ^Technical_Support$ and am now having success. My unit test is that I've created folders Technical_Support and Technical_Support2 and user brbennett (still in role Developer_A) is not even seeing Technical_Support2. I'll do some further testing, but wanted to thank you in the interim.
Brian Bennett
But pattern ^Technical_Support$ in role Developer_A is not allowing user brbennett the ability to create new items under folder Technical_Support. Is there an accompanying pattern I would have to enter to allow that?
Brian Bennett
OK, I now have a working model:
Global role Overall_Read gives Overall/Read right.
Two folders in root level: Technical_Support and Technical_Support2.
Role Developer_A has pattern ^Technical_Support$ and all project rights.
Role Developer_A4 has pattern ^Technical_Support/.* and all project rights.
User brbennett is in roles Developer_A and Developer_A4 and can only see folder Technical_Support (not Technical_Support2) and is able to add, modify and delete jobs in Technical_Support.
Brian Bennett
Just completed my testing and I am ecstatic! This allows me to setup my Jenkins environment and share it with multiple groups. Thanks again for your help and support.
john parfitt
Is it necessary to enable "Role-based Strategy" in order to see the Manage Jenkins >> Manage Roles section? I was hoping to configure the roles while using the existing strategy so as not to affect production, and let flip it over when ready.
Thanks
Oleg Nenashev
Yes, it's required in the current implementation. Feel free to create an enhancement issue in JIRA.
On the other hand, my recommendation would be to create and test the strategy on a test server. Then you will be able to safely propagate the new strategy to the master.
Raj Meghraj
Hi All,
I am using Role-based Authorization Strategy in my organization for managing and assigning roles to users. In my Manage and Assign Roles -> Assign Roles tab, I have 160 users for Global Roles and 160 users for Project Roles. When I tried to add the 161st user to the Project Roles, it threw a "FormContentSize" error. But I was able to add when I removed an existing inactive user. So my question here is: does this plugin have a limitation of users to 160/320, and if yes, how can we bump the number of users?
Any help would be highly appreciated.
Oleg Nenashev
Hi,
There is no limitation in the plugin, but Jenkins web container has a limited form size by default. This size limit can be configured via the System Property (see http://stackoverflow.com/questions/3861455/form-too-large-exception).
Regarding the number of users, maybe such straightforward user adding is not a perfect approach in any case. Role strategy extensions like https://wiki.jenkins-ci.org/display/JENKINS/Ownership-Based+security may simplify the configuration and administration sometimes.
cliff houzz
Hi,
Similarly to "Project roles" and "Slave roles", is it possible to also add "View roles" to better control permission for view reading/editing? Thanks a lot!
Oleg Nenashev
There is an open pull-request for it https://github.com/jenkinsci/role-strategy-plugin/pull/21
T H
Is it possible to use roles to provide them as "submitter" argument for the pipeline "input" step?
Oleg Nenashev
AFAIK no, but you can address some Pipeline use-cases by using the Ownership integration, which provides Ownership global variables. If you need something specific, please create a JIRA ticket with details.
https://speakerdeck.com/onenashev/jw2016-ownership-plugin-demo
Christian Erhardt
I have a question to the Project Roles. The text states that: "...First, assign that user/ group to read/ discover permissions with pattern " ^foo.* ", then assign that same user/ group to the more particular permissions with pattern " ^foo/bar.* "...". I tried to do this. But as soon as I try to add my Role "SystemEngineering" a second time, with a different pattern, i get the error "Entry for 'SystemEngineering' already exists". What am I doing wrong?
Oleg Nenashev
Role names must be unique. But you can edit their patterns in the configuration after the creation. I am pretty sure it's what the text says
Christian Erhardt
Ah, I see. "assign that same user/ group to the more particular permissions" means, add a second role, with a different pattern and add this role to the user/group. Not add the same role with a different pattern. My bad. Clearly 'user/group' does not mean 'role'. Thanks for the explanation!
Steve Stevenson
So I seem to be having an issue. I use LDAP for authentication and want to restrict the users abilities to build on given nodes. I installed this plugin along with Authorize Project plugin. I have configured the project to run as the user that triggered the build. In the roles I have setup two different levels of permissions, one set should be allowed to run all their jobs on one slave and not the other and vice versa. So I have left all AGENT permissions in the Global Permission unchecked. I then configure those permissions as all enabled for the node that matches the name based on the regular expression pattern defined. I assign the specific user one of the global roles and then the appropriate node specific role. I even made a very generic .* rule so that any node name would match. Seems that the rules are not even checked and I get a 'pending—Waiting for next available executor' in jenkins. Has anyone else seen this issue?
Oleg Nenashev
If the authenticated user has no Computer.BUILD permission, the job will not be accepted. With your setup the user will be anonymous if the job is started by the Periodic Trigger. Maybe it is the root cause.
It is hard to say whether your plugin is configured properly; you can find a configuration sample here: https://github.com/oleg-nenashev/demo-jenkins-config-as-code
Steve Stevenson
This may be my problem. I misunderstood the Computer.BUILD Permission. I had just installed the plugin through the Jenkins interface, along with the Authorize Project plugin. From a read I did above I thought that was all that needed to be done outside of setting the patterns properly in the node permissions. I will look at the sample and if I have any questions I will let you know.
Miguelángel Fernández
Hi, can anyone tell me how to do a subtraction/exception with the project role patterns? For instance, I want to specify anything starting with a capital letter, except for a folder called "Admin". So I want to say [A-Z].*(except)Admin
Now, the (except) is the bit I don't know how to write. I've tried ^ and !. Also, what regex specification does this use? Doesn't seem to be Java because in Java ^ is the exception operator.
Daniel Beck
Only within character classes. You're looking for negative lookahead/lookbehind, just google for that.
Miguelángel Fernández
Thanks Daniel, I'm now using (?!Admin)[A-Z].* and it did the trick
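The pattern questions in this thread (Brian Bennett's folder patterns, the user guide's two-level `^foo.*` / `^foo/bar.*` layout, and the negative-lookahead pattern above) all come down to the same cumulative rule: a user gets the union of the permissions of every assigned role whose pattern matches the item's full name. The following Python model is an added example by the editor, not code from the plugin or from any commenter; it assumes a pattern must match the whole item name (Java `matches()` semantics, consistent with the behaviour reported here), and the permission labels are illustrative.

```python
import re
from dataclasses import dataclass

# Added example (not plugin code): a toy model of how Role Strategy combines
# roles. Assumption: a role applies to an item when its pattern matches the
# item's FULL name (folder/job) as a whole, i.e. Java Pattern.matches()
# semantics. Permission labels are illustrative, not the plugin's own ids.


@dataclass(frozen=True)
class Role:
    name: str
    pattern: str            # regex over the item's full name
    permissions: frozenset

    def applies_to(self, item_name: str) -> bool:
        return re.fullmatch(self.pattern, item_name) is not None


def effective_permissions(item_name, roles, assignments, sid):
    """Union of the permissions of every role assigned to `sid` whose pattern
    matches `item_name`. Roles only ever add permissions: a narrower role can
    never take away what a broader one (or a global ".*" role) grants."""
    perms = set()
    for role in roles:
        if sid in assignments.get(role.name, ()) and role.applies_to(item_name):
            perms |= role.permissions
    return frozenset(perms)


def visible_items(sid, items, roles, assignments):
    """Items on which `sid` holds at least one permission via some role."""
    return [i for i in items if effective_permissions(i, roles, assignments, sid)]


READ_ONLY = frozenset({"Job/Discover", "Job/Read"})
ALL_PROJECT = READ_ONLY | frozenset({"Job/Build", "Job/Create",
                                     "Job/Configure", "Job/Delete"})

ROLES = [
    # Brian Bennett's working model: the folder itself, plus its contents.
    Role("Developer_A", r"^Technical_Support$", ALL_PROJECT),
    Role("Developer_A4", r"^Technical_Support/.*", ALL_PROJECT),
    # His first attempt: no "/" delimiter, so it over-matches sibling folders.
    Role("Developer_A2", r"^Technical_Support.*", ALL_PROJECT),
    # The user guide's two-level layout: read everything under foo,
    # full rights only under foo/bar (two roles on the same user).
    Role("foo_read", r"^foo.*", READ_ONLY),
    Role("foo_bar_dev", r"^foo/bar.*", ALL_PROJECT),
    # Negative lookahead: capitalised names except anything starting "Admin".
    Role("non_admin", r"(?!Admin)[A-Z].*", READ_ONLY),
]

# Constructed assignments: role name -> set of user/group ids (SIDs).
ASSIGN = {
    "Developer_A": {"brbennett"}, "Developer_A4": {"brbennett"},
    "Developer_A2": {"contractor"},
    "foo_read": {"dev"}, "foo_bar_dev": {"dev"},
    "non_admin": {"tester"},
}

# Constructed item names as Jenkins reports them (folder/job).
ITEMS = [
    "Technical_Support", "Technical_Support/Test1",
    "Technical_Support2", "Technical_Support2/Other", "Technical_Support_job",
    "Admin", "Admin/secrets", "AdminTools", "Build/nightly", "build/lower",
    "foo/bar/build", "foo/other",
]

if __name__ == "__main__":
    for sid in ("brbennett", "contractor", "tester"):
        print(sid, "->", visible_items(sid, ITEMS, ROLES, ASSIGN))
    for item in ("foo/other", "foo/bar/build"):
        print("dev on", item, "->",
              sorted(effective_permissions(item, ROLES, ASSIGN, "dev")))
```

Note that `(?!Admin)` also excludes `AdminTools`; anchor it as `(?!Admin(/|$))` if only the `Admin` folder itself should be excluded.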
Miguelángel Fernández
Hi, I'm trying to allow a user to create credentials in the Jenkins root, but not inside any other folders.
I'm trying to do this by specifying a pattern regex for anything not containing a forward slash (/):
[^/]*
but for some reason it's allowing the user to do exactly the opposite, to create credentials within folders and not in the root.
I also tried specifying that the user may create credentials so long as their names are completely alphanumeric:
^[a-zA-Z0-9]*$
Which implies that there are no forward slashes in the path. But I still get the opposite behavior.
Can anyone please help?
Miguelángel Fernández
Small update. What I'm getting is not "the opposite behavior" and it's not happening just for credentials.
What's happening is that whatever pattern I use to try to grant the create job or create credentials privileges to a user, it doesn't apply to the Jenkins root. Even if I use .* to assign create credentials or create job permissions, the user can then create jobs and credentials in any folder, but not in the root.
I'm starting to think this is an edge case that's not covered by this plugin.
Vishnu Potti
This is an amazing plugin and I have been using it for some time.
One feature I can think of for this plugin is "Redirecting Jenkins Home Folder based on Project" .
We can have one more option while configuring the permissions and set Home folder for each project.
So if a user having access to a particular project access Jenkins, then he should be redirected to the project folder directly.
Eg - Instead of http://localhost:8080/jenkins/, it will be nice to redirect to http://localhost:8080/jenkins/job/[FolderName].
Thanks,
Vishnu
Oleg Nenashev
Such redirects are not part of this plugin. You could write a new plugin for it. Probably it could be done using the existing DefaultView user property and a system script, which just assigns them to users.
Sewmi Rajapaksha
Hello,
I am new to curl and JENKINS as well. I am trying to list the roles as shown in the example provided:
However, this page is not found. Could someone kindly tell me the URL I should be using. I am also unable to create and assign roles using the provided examples..
curl -X GET https://jenkins.xxx.xxx/role-strategy/allRoles --user xxx:xxxx
<html>
--
<body><h2> HTTP ERROR 404</h2>
<p> Problem accessing /role-strategy/allRoles. Reason:
<pre> Not found </pre></p>...
--
</html>
ryan donahoe
The doc is out of date. It should be .../role-strategy/strategy/getAllRoles
I did some digging through their GitHub to find the correct API calls:
https://github.com/jenkinsci/role-strategy-plugin
https://github.com/jenkinsci/role-strategy-plugin/blob/566fb7369c3c9b383f21ac3d76e33778d91132b5/src/main/java/com/michelin/cio/hudson/plugins/rolestrategy/RoleBasedAuthorizationStrategy.java#L421
Jeroen van de Haterd
Hey,
Recently it's been happening a lot that some users get a 'USER is missing the Overall/Read permission' error. They do have this permission, and all I have to do is restart in order to fix the problem.
Any idea what could be causing this or how I could fix it?
Kind Regards,
Jeroen.
Piotr Rogoża
Hi
Is it possible to create a role manager which will be allowed to manage roles for a folder/project? I'm just explaining what's going on.
I keep jobs grouped in folders, one folder per project. A folder contains some jobs. In global roles the authenticated group can only build or cancel jobs. It cannot create a new item or configure existing ones.
In Project roles I've created a new role "Test jobs" which matches ^Test jobs(/.*)? and can create, configure or delete a job. And I've assigned authenticated to "Test jobs" in Item Roles and it works. But I would like to create a local admin or manager role which will be able to assign any user to the "Test jobs" role.
Kind Regards, Piotr
Miguelángel Fernández
I had a similar requirement and managed to cover it by combining this Role Strategy with the Ownership Plugin. I recommend you look into that.
Piotr Rogoża
Thx, I'll check it and I let you know.
Piotr Rogoża
Miguelángel Fernández It works great, thx again.
Oleg Nenashev
Do not hesitate to update the page if there are mistakes. It's a Wiki for a reason. Thanks!
Ashok Kumar Srinivas
Hello,
Can you please advise me on how to input the project role pattern for the project role type via CURL ?
Thanks in advance.
Thanks,
Ashok Kumar Srinivas
ryan donahoe
would like a way to add a sid without assigning to a role (for automation reasons)
Lavnish Lalchandani
JENKINS-37856: Facing this issue, can someone help me understand if this is an LDAP Plugin issue or a Role Strategy Plugin issue?
Miguelángel Fernández
I've asked this question before but had no luck so I'm rephrasing and posting it again. I'm trying to write a regex to refer to the Jenkins root. To allow a user to create credentials globally, but not inside any folders. I've tried these:
I've had no luck with either. Is it possible to do this?
Steve Cohen
Here is a feature request: On the "Assign Roles" page would it be possible to show the Full Name field for each user (assuming they have entered it on the Profile configure page)? The reason I ask is that ours is a part of a large organization which assigns user IDs that are not indicative of the person's real name, making administrative management of the Assign Roles page more difficult than it needs to be as more users are added to the system.
Oleg Nenashev
Please file your request in JIRA. Pull requests are welcome
Fang Wei
First thank you for your good job!
Your plugin is powerful, and easy to use, but still I have some difficulties, about your plugin, and about Jenkins, hope you can help me.
1. Jenkins can manage users, but I cannot create a group to put some users in so I can easily assign permissions as a whole. Suppose I use Jenkins in a large organization with 200 engineers: I have 20 projects, every project has 10 people with the same permissions; in fact I would like to manage 20 groups, not 200 users. But now, using your plugin, I have to deal with 200 users, a huge authorization matrix, and it's a terrible thing. Maybe I use Jenkins and your product improperly?
2. Could your plugin maybe provide functions like backup and import? Once a colleague uninstalled your plugin without my agreement, and this made me lose my configuration data.
Hope you well, thank you!
Oleg Nenashev
Miguelángel Fernández
Hi Fang Wei,
About item 1, you first have to understand that the Jenkins extension point to define authentication is a SecurityRealm and the extension point to define authorization is an AuthorizationStrategy. This plugin implements the latter (extremely well, I might add) but not the former. What you're asking for in terms of being able to define user groups must be provided by a plugin that implements a SecurityRealm, so that based on your own custom rules you can assign GrantedAuthorities to a user, which are roughly equivalent to user groups. The Jenkins SAML plugin is a good example of this. Of course this also means you'd be delegating authentication to an external Identity Provider.
About item 2, look for the config.xml file in your Jenkins home folder. There you'll find an element called authorizationStrategy which nests a bunch of roleMap elements, each one being a role and the users/groups that have it assigned. Back up this file and restore it whenever needed. That will fix your problem. If you've been periodically backing up your Jenkins home folder, as you should, then this is your solution.
Kiran Jampanii
I have a parameter called Environment with values "dev, test and prod". Is there a way that I can restrict some users so that the prod option is not displayed at all? Or else, do we have an option not to build when demo is selected for some users?
Can someone help me with an example?
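To make the config.xml backup advice in Miguelángel Fernández's reply above concrete, here is an added example (not the plugin's own code and not part of any comment on this page) that reads the persisted role strategy and answers the audit questions a backup is usually consulted for: who holds which role, who can administer, and which roles no longer have anyone assigned. The element layout (authorizationStrategy > roleMap[type] > role[name, pattern] > permissions/permission and assignedSIDs/sid) is an assumption about how the plugin stores its state, and SAMPLE_CONFIG is constructed for the demonstration.

```python
"""Inventory and audit of the Role Strategy section of $JENKINS_HOME/config.xml.

Added example, not the plugin's own code.  The element layout below is an
assumption about the plugin's persisted form; SAMPLE_CONFIG is constructed.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample of the relevant part of config.xml (root element trimmed).
SAMPLE_CONFIG = """<hudson>
  <authorizationStrategy class="com.michelin.cio.hudson.plugins.rolestrategy.RoleBasedAuthorizationStrategy">
    <roleMap type="globalRoles">
      <role name="admin" pattern=".*">
        <permissions><permission>hudson.model.Hudson.Administer</permission></permissions>
        <assignedSIDs><sid>alice</sid></assignedSIDs>
      </role>
      <role name="employee" pattern=".*">
        <permissions><permission>hudson.model.Hudson.Read</permission></permissions>
        <assignedSIDs><sid>authenticated</sid></assignedSIDs>
      </role>
    </roleMap>
    <roleMap type="projectRoles">
      <role name="test-jobs" pattern="^Test jobs(/.*)?">
        <permissions>
          <permission>hudson.model.Item.Read</permission>
          <permission>hudson.model.Item.Build</permission>
        </permissions>
        <assignedSIDs><sid>bob</sid></assignedSIDs>
      </role>
      <role name="orphan" pattern="Old-.*">
        <permissions><permission>hudson.model.Item.Read</permission></permissions>
        <assignedSIDs/>
      </role>
    </roleMap>
  </authorizationStrategy>
</hudson>
"""


@dataclass
class Role:
    role_type: str                      # globalRoles, projectRoles, slaveRoles
    name: str
    pattern: str                        # item-name regex (only meaningful for project roles)
    permissions: set = field(default_factory=set)
    sids: set = field(default_factory=set)   # users and groups holding the role


def parse_roles(config_xml):
    """Flatten every <role> under <authorizationStrategy> into Role records."""
    strategy = ET.fromstring(config_xml).find("authorizationStrategy")
    if strategy is None:
        raise ValueError("no <authorizationStrategy> element found")
    roles = []
    for role_map in strategy.findall("roleMap"):
        for r in role_map.findall("role"):
            roles.append(Role(
                role_map.get("type", ""), r.get("name", ""), r.get("pattern", ""),
                {p.text.strip() for p in r.findall("permissions/permission") if p.text},
                {s.text.strip() for s in r.findall("assignedSIDs/sid") if s.text},
            ))
    return roles


def holders_of(roles, permission_id, role_type=None):
    """Every SID that gets permission_id through some role (optionally of one type)."""
    return {sid for r in roles
            if permission_id in r.permissions and (role_type is None or r.role_type == role_type)
            for sid in r.sids}


def roles_for(roles, sid):
    """(type, name, pattern) of every role a SID holds directly."""
    return sorted((r.role_type, r.name, r.pattern) for r in roles if sid in r.sids)


def unassigned_roles(roles):
    """Roles nobody holds: stale definitions worth removing before they are reused by accident."""
    return sorted(r.name for r in roles if not r.sids)


def audit(roles):
    """Plain-text findings an administrator would want from a backup copy."""
    findings = [f"Administer is held by: {sorted(holders_of(roles, 'hudson.model.Hudson.Administer'))}"]
    for sid in ("anonymous", "authenticated"):
        wide = sorted(r.name for r in roles if r.role_type == "globalRoles" and sid in r.sids
                      and any(p.startswith("hudson.model.Item.") for p in r.permissions))
        if wide:
            findings.append(f"global role(s) {wide} grant item permissions to '{sid}'")
    stale = unassigned_roles(roles)
    if stale:
        findings.append(f"roles with no assignees (candidates for removal): {stale}")
    return findings


if __name__ == "__main__":
    # Point this at a real backup copy: parse_roles(open(path, encoding="utf-8").read())
    for line in audit(parse_roles(SAMPLE_CONFIG)):
        print(line)
```

Because the script only reads the file, it can be run against the backup copy rather than the live JENKINS_HOME, which is also where a diff of two backups shows who gained or lost a role between them.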
星人 火
The Assign Role API cannot assign multiple users when the type is projectrole.
It may be a bug. When I call the Assign Role API many times for the same projectrole, only the last user is assigned. The global role is not like this.
Andrea Fontana
Hi Guys, today I tried to use this plugin, but I have some problems.
I try to assign two different Project Roles like:
Developer Dev* with Any JOB, Run, SCM grants
Tester Test* with Any JOB, Run, SCM grants
and at Global level both users are members of the "Employee" role and have the grant to read Overall and any grant to View,
but when I try to log in I receive a message like:
Access Denied
devuser is missing the Overall/Read permission
I installed everything with the self-installer for Windows on Win2k12, and tried using Firefox and Explorer.
Has someone found the same problem?
Petr Baloun
Hi,
I am trying to use this plugin to control the ability to execute a job and observe different behavior for GUI access and Gitlab webhook trigger.
I have a user having two project roles - the first granting 'Job/Read' for all jobs and the second granting Job/Build just for some subset of jobs.
In the global role, the Job/Build permission is NOT granted.
When I log into Jenkins and browse the web GUI the behavior is correct. I see all builds and can trigger just some.
And now Gitlab - I use the Gitlab plugin and have enabled /project end-point authentication (no checking would have been performed otherwise). In Gitlab I've located some project and set up two webhooks - one for the job that is permitted to be triggered and the second for a job that should be denied to trigger.
When testing the webhooks, I always observe the same behavior - both are denied. When I enable Job/Build in the global role, then both are permitted.
Has anyone tried the same?
Of course, I can't tell whether this is a problem in this plugin or in the Gitlab plugin.
Rahul Raj
How to freeze the grid header for the entire table in assign role?
Andreas Schoenfeld
Hi, is it possible to define a role that can only configure Jenkins but is not able to build or configure jobs?
Thanks and regards
Andreas
Saurabh Jain
Hi,
For me even after installing the plugin "Enable Security" and "Manage Roles" does not appear. I am running Jenkins in docker.
Thanks
Saurabh
Saurabh Jain
J S
Have you already restarted Jenkins and deleted your browser cache?
J S
Hello,
I have another BUG. When I add Windows AD users to Role Based Strategy, the user must pay attention to upper and lower case. For example, if I create the user TestUser in RoleBasedStrategy, the user has no authorization if he logs in with testuser (lowercase). If I add the user testuser (lowercase), I must also give him the rights. Is it possible that the plugin is case-insensitive? Otherwise I would have to add each user twice (once uppercase and once lowercase).
Thank You
Oleg Nenashev
Please see Jenkins JIRA. There is an issue reported for that. So far there is no plan to change that due to the performance concerns.
Miguelángel Fernández
This is hardly a bug. The evaluation of the user name is case sensitive. That's all. Have you tried using a regex with a case-insensitive switch?
P.S.: The word "bug" is not an acronym, so there's no need for capslock. It just comes across as yelling.
J S
Thank you. Sorry, I wouldn't like to yell. Can you explain to me where I can find the regex case-insensitive switch, Sir?
Miguelángel Fernández
Under "Project Roles" you can create a role to be applied to any folder or job that matches a regex pattern, and this pattern can be made case insensitive. E.g.: This expression will match any job with a name that starts with "FOO", "foo", "fOo", etc.
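The pattern semantics discussed here and in the "Test jobs" thread above (a folder prefix such as ^Test jobs(/.*)?, the case-sensitive Roger-.* example from the user guide, and the (?i) switch) can be checked offline before a role is saved. The following is an added example, not the plugin's code or part of any comment: it assumes, as the user guide's "Roger-.*" example implies, that the pattern must match the item's whole full name (folder path included), which is what Java's Pattern.matches() does and what Python's re.fullmatch() reproduces for the constructs used here. The role table is constructed for the demonstration.

```python
"""Which project roles apply to a given item full name?

Added example, not the plugin's code.  Assumes full-string matching of the
role pattern against the item's full name (folder path included).  Python's
re and Java's Pattern agree on the syntax used here, including the (?i)
inline flag; exotic constructs may differ between the two engines.
"""
import re

# Constructed role table (role name, pattern), using patterns from this page.
ROLES = [
    ("roger", r"Roger-.*"),              # case-sensitive prefix; trailing .* is required
    ("roger-ci", r"(?i)roger-.*"),       # same prefix, case-insensitive switch
    ("test-jobs", r"^Test jobs(/.*)?"),  # the folder itself and everything inside it
    ("foo-read", r"^foo.*"),             # broad read role for the whole foo tree
    ("foo-bar-write", r"^foo/bar.*"),    # narrower role for one sub-folder
]


def compile_roles(roles):
    """Compile every pattern once, reporting a bad regex by role name."""
    compiled = []
    for name, pattern in roles:
        try:
            compiled.append((name, re.compile(pattern)))
        except re.error as exc:
            raise ValueError(f"role {name!r}: invalid pattern {pattern!r}: {exc}") from exc
    return compiled


def matching_roles(item_full_name, roles=ROLES):
    """Names of the roles whose pattern covers the item, in table order."""
    return [name for name, rx in compile_roles(roles) if rx.fullmatch(item_full_name)]


def is_case_insensitive(pattern):
    """True when the pattern carries the (?i) switch (or equivalent flag)."""
    return bool(re.compile(pattern).flags & re.IGNORECASE)


def coverage(items, roles=ROLES):
    """Item -> matching role names, for reviewing a pattern set against real job names."""
    return {item: matching_roles(item, roles) for item in items}


if __name__ == "__main__":
    sample_items = ["Roger-build", "roger-build", "Test jobs", "Test jobs/unit",
                    "Test jobsX", "foo/bar/deploy", "foo/baz"]
    for item, names in coverage(sample_items).items():
        print(f"{item:18} -> {names}")
```

Two things the table makes visible: "Test jobsX" is not covered by ^Test jobs(/.*)? because the optional group only admits a slash-separated sub-path, and the two foo patterns overlap by design, so an item under foo/bar collects both roles, which is the two-level layering the user guide recommends.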
J S
Can I use the regex pattern also for Manage and Assign Roles → Global Roles? I have a few users, something like "max.hilton", and I would like to say that the user "max.hilton" gets the same permissions as "Max.Hilton" (uppercase).
Amide tex
Hi, I'm encountering a slight problem. I have a user with 2 roles assigned. One is a global role allowing him only to have the global.read permission, the other is an item role, which grants the user the ability to see and control only one project on Jenkins using the regex. My user can successfully see the project on the dashboard, but when clicked, the project seems completely empty, even though the configuration is present, but there's nothing to build ("This folder is empty" error). For the user to actually be able to see the content of the project and start to make builds, I need to give it the Job.Read permission on the global role it is assigned to. But why is the plugin handling it like that? My user already had the Job.Read permission from its item role, why does it need the same permission on the global role? Why aren't the permissions doing the exact same thing? It causes me trouble because with the Job.Read permission enabled on a global level, that user is capable of seeing all the other projects registered on Jenkins, though it can't modify them nor launch builds or anything. But still, I would like my user to be able to see and modify and launch builds ONLY on the build I assigned it to. Is there a way to do that? Thank you
Simon Zamudio
Hi, friends!
I need to block all the sections of a task, in such a way that it should only show me "the origin of the source code".
could you help me? please!
Thanks!
Kind Regards!!
Adnane SAGHIR
I can use the REST API to get all roles and assign them to users.
But I don't see how to create a projectRole with pattern, I can't find such api in the docs.
Thanks
张 伟强
hi, Adnane SAGHIR!
You can create projectRole with curl -X POST localhost:8080/role-strategy/strategy/addRole --data "type=projectRoles&roleName=ADM&permissionIds=hudson.model.Item.Discover,hudson.model.Item.ExtendedRead&overwrite=true&pattern=xxx.*".
Release note of Version 2.5.0 (Jun 02, 2017) has example, but for globalRoles.
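As an added example that is not part of 张 伟强's reply or the plugin's own code, the same two calls (addRole with a pattern, then assignRole for a user) done from Python, so that the regex is form-encoded instead of being pasted into a raw --data string where characters such as ^, (, ), ? and spaces are easy to mangle. The addRole field names are the ones in the curl command above; the assignRole fields type/roleName/sid are assumed from the plugin's release notes; host, account and token are placeholders.

```python
"""Create a project role with an item pattern and assign a user to it via the
Role Strategy plugin's addRole / assignRole endpoints.

Added example, not the plugin's code.  addRole fields come from the curl
command on this page; assignRole's type/roleName/sid fields are assumed from
the plugin's release notes.  URL, user and token are placeholders.
"""
import base64
import urllib.parse
import urllib.request

JENKINS_URL = "http://localhost:8080"   # placeholder base URL
JENKINS_USER = "automation"             # placeholder account used for the calls
JENKINS_API_TOKEN = "<api-token>"       # placeholder: an API token, never the password


def _form_post(path, fields, base_url=JENKINS_URL, user=JENKINS_USER, token=JENKINS_API_TOKEN):
    """POST request with a URL-encoded form body and HTTP basic auth.
    urlencode() escapes regex metacharacters and spaces in the pattern."""
    body = urllib.parse.urlencode(fields).encode("utf-8")
    req = urllib.request.Request(base_url.rstrip("/") + path, data=body, method="POST")
    cred = base64.b64encode(f"{user}:{token}".encode("utf-8")).decode("ascii")
    req.add_header("Authorization", "Basic " + cred)
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    return req


def add_project_role_request(role_name, pattern, permission_ids, overwrite=False):
    """Request for /role-strategy/strategy/addRole: a project role whose
    pattern is matched against item full names, with the given permission ids."""
    fields = {
        "type": "projectRoles",
        "roleName": role_name,
        "permissionIds": ",".join(permission_ids),
        "overwrite": "true" if overwrite else "false",
        "pattern": pattern,
    }
    return _form_post("/role-strategy/strategy/addRole", fields)


def assign_role_request(role_name, sid, role_type="projectRoles"):
    """Request for /role-strategy/strategy/assignRole (field names assumed)."""
    fields = {"type": role_type, "roleName": role_name, "sid": sid}
    return _form_post("/role-strategy/strategy/assignRole", fields)


def decode_form(req):
    """Decode a request's form body back into a dict, to review before sending."""
    parsed = urllib.parse.parse_qs(req.data.decode("utf-8"), keep_blank_values=True)
    return {key: values[0] for key, values in parsed.items()}


def send(req):
    """Send the request and return the HTTP status code."""
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


if __name__ == "__main__":
    # Least-privilege role for the "Test jobs" folder and everything below it.
    create = add_project_role_request(
        "test-jobs",
        r"^Test jobs(/.*)?",
        ["hudson.model.Item.Read", "hudson.model.Item.Build"],
        overwrite=True,
    )
    assign = assign_role_request("test-jobs", "bob")
    print(create.full_url, decode_form(create))
    print(assign.full_url, decode_form(assign))
    # send(create); send(assign)   # uncomment to run against a real instance
```

Run it against a real instance by uncommenting the send() calls. Authenticating with an API token as the basic-auth password is what lets these POSTs go through without a CSRF crumb, which is why the account's token, not its password, belongs in JENKINS_API_TOKEN; review decode_form() output first, since overwrite=true replaces an existing role of the same name.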
Nicola Forbes
Hello,
I'm trying to use this plugin in combination with the Github organisation plugin and get the following error:
Does the role strategy plugin support this functionality and, if so, how do I need to configure it? I've also found a similar Stackoverflow question (currently unanswered).
https://stackoverflow.com/questions/51637270/jenkins-role-based-authorization-github-organization
Many thanks.
sakshi sood
I am trying to write a regex which supports only folder creation at the root level of Jenkins for each role, and inside the folder any folder/job can be created. No regex pattern seems to work for this case.
Piotr Rogoża
As I remember, I'm using the following regexp:
Owners can modify, create jobs only inside top-level folders ( only administrators and a few users, another role, can create a top-level job).
zhaoluping zhaoluping
hi~ I have a question when using this plugin.
I have set the user's permission in [administrative permission], and I have the following problems:
1. I logged in with an ordinary user and it showed that I did not have overall read permission
2. In "assign permissions", I was prompted that it could not find the user or group
3. In [item roles], how do I set up the user's roles? Shouldn't the column show the project name? Why do group names appear? How should I configure it?
Is this a Bug? I spent a whole day on this, read a lot of articles and finally did not solve it!!!
zhaoluping zhaoluping
It was resolved.
Ken black
Hi,
Thanks for the plugin. As we have used this plugin for many years, there are thousands of lines of configuration in Item roles. Every time we delete/add an Item role it needs lots of time to load. Could you add a REST API for Item role add/del?
vinay pally
Good plugin and very helpful for our requirement.
I was able to consume the REST API in our automation for adding the roles (Global, Project) but there is no API for Item role, which requires manual effort.
Kindly provide the REST API for Item role at the earliest which will benefit us to go with full automation instead of half automation and half manual changes, this will save lot of efforts and time.
Miguelángel Fernández
Sorry, but this statement:
Tells me you don't understand how Open Source works, so allow me to clarify.
So, in your case, which appears to fall into the latter of the two options above, you can start by reading the Jenkins Plugin Tutorial. You can ask the project's maintainers or the community at large for advice while you're implementing the new feature, but you should avoid asking the community to provide features for you "at the earliest".