Authentication and authorization in Jenkins and nectar 1

Authentication and Authorization in Jenkins and Nectar
July 27th, 2011
©2011 CloudBees, Inc. All Rights Reserved

The slides will be made available as well as a link to the replay of this webinar.
Links will be sent in an email after the webinar has finished (2-3 days).
Housekeeping

The Presenters
Who exactly is talking?

Stephen Connolly
Responsible for
Most of this talk
Trying to answer the questions
Harpreet Singh
Responsible for
Ensuring Stephen does not go too fast/slow
Keeping track of questions for the Q&A session
The Presenters

Overview
What we will be covering today

Jenkins Security Architecture
Authentication Plugins
Authorization Plugins
CloudBees’ RBAC plugin
Common Use Cases & Walk-throughs
Questions & Answers
Overview

CloudBees
Who are we and what we can do for you?

About CloudBees
Our Mission
Become the leading Platform as a Service (PaaS) for Java™
Why We’re Different
CloudBees services the complete lifecycle of Cloud application development and deployment.No Servers. No Virtual Machines. No IT.
Strategy
Nectar – CloudBees Pro version of Jenkins
DEV@cloud – Cloud Services for Developers
RUN@cloud–Frictionless runtime PaaS for Java apps

CloudBees Jenkins Solutions
Professional support from the Experts

CloudBees’ Pro version of Jenkinsproprietary add-ons, stable release cycle

Self-service “Jenkins as a Service”pay-as-you-go public cloud
DEV@cloud

Self-Service“Jenkins as a Service”for Enterprises
DEV@cloudPrivate Edition
Self-service “Jenkins as a Service”pay-as-you-go public cloud
DEV@cloud

Server security
Security Realms
Authorization Strategies
Master/Slave security
Questions & Answers
Overview

What goes where and which does what…

Security Realm provides user identity
Authorization Strategy provides user’s permissions for each object.
Actions can require a specific permission to be performed.
Security Realm
Object
Identity
Action
AuthorizationStrategy
Permission
Access
Plugins extension points

Depends on your server:
Operating System
Windows
Linux
Servlet container
Winstone (java -jar jenkins.war)
Tomcat
Jetty
JBoss
etc
Server security

Checklist should include
Server patches & hotfixes up to date
Server firewall configured appropriately
Server remote access locked down
Remote desktop on Windows
SSHD on *nix
Servlet container running as restricted user
Consider Apache HTTPD or nginx if exposing on a public network
Server security (cont.)

What are they
Core Jenkins extension point for Authentication
Responsible for validating user identity
Can only select one.
Default for clean install:
None
What is available already
Core
None
Unix PAM
Internal DB
Legacy Container
Open Source Plugins
Active Directory
CAS v1
CollabNet
Crowd
MySQL DB
OpenID SSO
Script & Extended Script
SourceForge Enterprise Edition
…
Security Realms

What are they
Core Jenkins extension point for Authorization
Responsible for deciding the permissions available to users.
Can only select one.
Default for clean install:
Unsecured
What is available already
Core
Global Matrix
Project Matrix
Logged in user can do anything
Legacy Authorization
Open Source Plugins
CollabNet
Role strategy
SourceForge Enterprise Edition
…
CloudBees’ Plugins
RBAC
Authorization Strategies

What are they
The fine-grained activities that can be secured within Jenkins
Some permissions aggregate others, e.g. Global Admin implies all other standard permissions
Plugins can define their own permissions for their own actions
What is available
Overall
Administer
Read
Slave
Configure
Delete
Job
Create
Delete
Configure
Read
Build
Workspace
View
Create
Delete
Configure
…
Permissions

Bi-directional channel between Master and Slaves.
To trust a slave it is necessary that you trust the JVM used to launch the slave.
That JVM can then fork less trusted JVMs for the builds if you want to
SCM security is a bigger risk
Can fork threads, etc as the user running the build
Checklist
Only run builds on slaves
Use VM for slaves & reset VM image after every build
Launch slave process with a read-only JVM
Access to slaves should be as restricted as the Master
Install build tools read-only
Master / Slave security
Take Away
SCM security sets the upper bound

Active Directory
Atlassian Crowd
LDAP
Open ID
Unix PAM
Questions & Answers
Overview

Who are you and how can you prove it to me…

Not all plugins implement every feature
Key features to check for are:
Supports signup
Provides group details
Supports group lookup
Can logout
You may not need all/any of the above but it may restrict your choice of Authorization Strategy

Authenticates the username and the password through Active Directory
Actually multiple implementations under the hood and one is chosen based on your environment
Active Directory (plugin)
Notes:
Jenkins does not have to run on Windows to use this.
Can require a correctly configured DNS for Active Directory

Authenticates the username and password through Atlassian Crowd
Does not currently support SSO
Atlassian Crowd (plugin)
Notes:
CloudBees have a fix for the group lookup issue currently under test

Authenticates the username and the password against a basic built-in database
Jenkins’ own user database (core)
Notes:
Not recommended for public facing instances.

Authenticates the username and the password through LDAP
Every LDAP server is different
Very flexible
Harder to configure than some of the other providers
LDAP (core)
Notes:
Can use for Active Directory
No RFC covering how to map groups in LDAP
Group details may be unavailable

Authenticates the user via OpenID provider(s)
User is sent to the OpenID provider when required to authenticate
Supports the OpenID team extension => group details
OpenID(plugin)
Notes:
This plugin has a special “on-the-side” mode whereby users can link their OpenID identities with e.g. their Active Directory user account

Authenticates the username and password through Unix Pluggable Authentication Modules
Requires that Jenkins be running on Linux / Mac OSX / Unix
Unix PAM (core)
Notes:
Very quick to set-up
Handy if you already have a federated PAM configuration
If on a public network serve Jenkins over https://

Feature Matrix

Matrix Strategy
Project-based Matrix Strategy
Role strategy
Questions & Answers
Overview

So tell me… who can do what?

A simple matrix of click-boxes.
Each row is a user/group*
Each column is a Permission
* If the Authentication plugin does not support group details then one row is required for each user
Matrix Strategy (core)

A simple matrix of click-boxes.
Each row is a user/group*
Each column is a Permission
Each project can add its own matrix
Project-based Matrix Strategy (core)

Allows grouping permissions into roles
Roles assigned to users/groups
‡ Project roles are defined using a regex for the project name to which the role is restricted.
* If the Authentication plugin does not support group details then one row is required for each user
§ Requires global Admin role
Role Strategy (plugin)

A simple matrix of click-boxesRow: roleColumn: permission
Define groups at any level
Assign roles to groups
Filter roles at any level
CloudBees’ RBAC Plugin (plugin)

Feature Matrix

Overview
Inheritance model
Filtering
Questions & Answers
Overview

Our take on an Authorization Strategy

Roles defined in Nectar
External Groups from LDAP / AD / Atlassian Crowd / etc
Local Groups defined in Nectar
Configure Roles in Local Groups
Manage membership in Local Groups
Users / other Local Groups / External Groups
Role filtering to restrict inheritance
A layered approach
What
Who
Tweak

Adds new elements to the GUI

Groups are defined on objects
Per-slave permissions
Per-folder permissions (Folders Plugin)
Per-module permissions (Maven Projects)
Role definitions are global
Role assignments can be scoped
Object based permissions

Plan out your roles
Enable security
Add the roles
Save
Define Groups
Remove Admin permissions from Authenticated Role
Save
How to deploy

Inheritance model: Groups and roles
Have Dev role if in Devs group or Folder A Devs group
Dev
Folder A Devs
Have Dev role if in Devs group
Devs
Dev

Inheritance model: Pinned roles
Have Dev role if in Folder A Devs group
Dev
Folder A Devs
Devs
Dev
Nobody has Dev role

Filtering
Have Dev role if in Folder A Devs group
Dev
Folder A Devs
Have Dev role if in Devs group
Devs
Dev

Authenticated only
Public read-only
Devvs SQA
Multi-department
Secret skunk-works projects
Questions & Answers
Overview

Common use-cases & Walk-throughs
You’re not so different… here’s how you might do it…

Use case
System is set up so that only authenticated users can access.
Authenticated users can do anything.
Authenticated Only

Authenticated Only

Walk-through
Authenticated Only use case

Use case
System is set up so that anonymous users can browse all projects
Anonymous users cannot access the Job Workspaces, or change/trigger anything
Authenticated users can do anything.
Public read-only

Public read-only

Walk-through
Public read-only use case

Use case
System is set up so that anonymous users can browse all projects.
Anonymous users cannot access the Job Workspaces, or change/trigger anything.
Authenticated Developers can trigger builds.
Authenticate SQA can delete/tag builds.
Devvs SQA

Devvs SQA

Walk-through
Devvs SQA use case

Use case
System is set up so that anonymous users can browse all projects
Anonymous users cannot access the Job Workspaces, or change/trigger anything
Authenticated users can do anything to the projects in their department only. For projects outside their department they are like anonymous users.
Multi-department

Multi-department

Walk-through
Multi-department use case

Use case
A secret project is set up for a skunk-works team.
Only the skunk-works team‡ can see the secret project.
The skunk-works team are not otherwise restricted.
‡Someone with direct disk access to the master may be able to find the skunk-works project. The aim is to hide the project from the GUI.

Impl matrix with each plugin

Walk-through
Secret skunk-works projects use case

Questions & Answers
Overview

Support
Nectar

Releases every 6 months.
Supported for 18 months.
Patches every 6 weeks.
Plugins supported for life of underlying release
Support all plugins
Nectar 10.10 and Nectar 11.04 released
Nectar

CloudBees Resources Page
http://www.cloudbees.com/support.cb
Try DEV@cloud& RUN@cloud
https://grandcentral.cloudbees.com/account/signup
CloudBees Eclipse Plugin
http://cloudbees.com/eclipse-plugin.cb
DEV@cloud Private Edition Beta Program (DEV@cloud for private clouds)
http://www.cloudbees.com/dev-pe.cb
CloudBees Resources

Questions & Answers
And if the questions are too tough, we’ll answer offline…

Raise your hand if you have a question and type your question into the question box…
Harpreet is keeping track of who is next…
We will unmute you while it is your Q&A…
If an answer is going too long, or we need to check some specifics we will distribute the answer off-line.
Questions & Answers

Authentication and authorization in Jenkins and nectar 1

by CloudBees

Accessibility

Categories

Upload Details

Usage Rights

Statistics

Authentication and authorization in Jenkins and nectar 1 Presentation Transcript