Authentication and authorization in Jenkins and nectar 1



- Authentication and Authorization in Jenkins and Nectar. July 27th, 2011. ©2011 CloudBees, Inc. All Rights Reserved
- Housekeeping: The slides will be made available, as well as a link to the replay of this webinar. Links will be sent in an email after the webinar has finished (2-3 days).
- The Presenters: Who exactly is talking?
- The Presenters:
  - Stephen Connolly: responsible for most of this talk and for trying to answer the questions.
  - Harpreet Singh: responsible for ensuring Stephen does not go too fast/slow and for keeping track of questions for the Q&A session.
- Overview: What we will be covering today
- Overview: Jenkins Security Architecture; Authentication Plugins; Authorization Plugins; CloudBees’ RBAC plugin; Common Use Cases & Walk-throughs; Questions & Answers
- CloudBees: Who are we and what can we do for you?
- About CloudBees
  - Our Mission: Become the leading Platform as a Service (PaaS) for Java™
  - Why We’re Different: CloudBees services the complete lifecycle of Cloud application development and deployment. No Servers. No Virtual Machines. No IT.
  - Strategy:
    - Nectar – CloudBees Pro version of Jenkins
    - DEV@cloud – Cloud Services for Developers
    - RUN@cloud – Frictionless runtime PaaS for Java apps
- CloudBees Jenkins Solutions: Professional support from the Experts
- CloudBees Jenkins Solutions (built up over three slides):
  - Nectar: CloudBees’ Pro version of Jenkins; proprietary add-ons, stable release cycle
  - DEV@cloud: Self-service “Jenkins as a Service”, pay-as-you-go public cloud
  - DEV@cloud Private Edition: Self-service “Jenkins as a Service” for Enterprises
  - Professional support from the Experts
- Overview: Jenkins Security Architecture (Server security; Security Realms; Authorization Strategies; Master/Slave security); Authentication Plugins; Authorization Plugins; CloudBees’ RBAC plugin; Common Use Cases & Walk-throughs; Questions & Answers
- Jenkins Security Architecture: What goes where and which does what…
- Jenkins Security Architecture
  - The Security Realm provides the user’s identity.
  - The Authorization Strategy provides the user’s permissions for each object.
  - Actions can require a specific permission to be performed.
  - Diagram: the Security Realm yields an Identity; the Authorization Strategy takes the Object and the Identity and yields the Permission; an Action checks that Permission to grant Access. Security Realm and Authorization Strategy are plugin extension points.
- Server security. Depends on your server:
  - Operating System: Windows, Linux
  - Servlet container: Winstone (java -jar jenkins.war), Tomcat, Jetty, JBoss, etc.
- Server security (cont.). Checklist should include:
  - Server patches & hotfixes up to date
  - Server firewall configured appropriately
  - Server remote access locked down (Remote Desktop on Windows, SSHD on *nix)
  - Servlet container running as a restricted user
  - Consider Apache HTTPD or nginx if exposing on a public network
- Security Realms
  - What are they: the core Jenkins extension point for Authentication; responsible for validating user identity; you can only select one. Default for a clean install: None.
  - What is available already:
    - Core: None, Unix PAM, Internal DB, Legacy Container
    - Open Source Plugins: Active Directory, CAS v1, CollabNet, Crowd, MySQL DB, OpenID SSO, Script & Extended Script, SourceForge Enterprise Edition, …
- Authorization Strategies
  - What are they: the core Jenkins extension point for Authorization; responsible for deciding the permissions available to users; you can only select one. Default for a clean install: Unsecured.
  - What is available already:
    - Core: Global Matrix, Project Matrix, Logged-in user can do anything, Legacy Authorization
    - Open Source Plugins: CollabNet, Role strategy, SourceForge Enterprise Edition, …
    - CloudBees’ Plugins: RBAC
- Permissions
  - What are they: the fine-grained activities that can be secured within Jenkins. Some permissions aggregate others, e.g. Global Admin implies all other standard permissions. Plugins can define their own permissions for their own actions.
  - What is available: Overall (Administer, Read); Slave (Configure, Delete); Job (Create, Delete, Configure, Read, Build, Workspace); View (Create, Delete, Configure); …
- Master / Slave security
  - Bi-directional channel between Master and Slaves.
  - To trust a slave it is necessary that you trust the JVM used to launch the slave. That JVM can then fork less trusted JVMs for the builds if you want to.
  - SCM security is a bigger risk: a build can fork threads, etc. as the user running the build.
  - Checklist:
    - Only run builds on slaves
    - Use VMs for slaves & reset the VM image after every build
    - Launch the slave process with a read-only JVM
    - Access to slaves should be as restricted as the Master
    - Install build tools read-only
  - Take away: SCM security sets the upper bound
- Overview: Jenkins Security Architecture; Authentication Plugins (Active Directory; Atlassian Crowd; LDAP; OpenID; Unix PAM); Authorization Plugins; CloudBees’ RBAC plugin; Common Use Cases & Walk-throughs; Questions & Answers
- Authentication Plugins: Who are you and how can you prove it to me…
- Authentication Plugins: Not all plugins implement every feature. Key features to check for are:
  - Supports signup
  - Provides group details
  - Supports group lookup
  - Can log out
  You may not need all/any of the above, but it may restrict your choice of Authorization Strategy.
- Active Directory (plugin): Authenticates the username and password through Active Directory. There are actually multiple implementations under the hood, and one is chosen based on your environment. Notes: Jenkins does not have to run on Windows to use this. Can require a correctly configured DNS for Active Directory.
- Atlassian Crowd (plugin): Authenticates the username and password through Atlassian Crowd. Does not currently support SSO. Notes: CloudBees have a fix for the group lookup issue currently under test.
- Jenkins’ own user database (core): Authenticates the username and password against a basic built-in database. Notes: Not recommended for public-facing instances.
- LDAP (core): Authenticates the username and password through LDAP. Every LDAP server is different:
  - Very flexible
  - Harder to configure than some of the other providers
  Notes: Can be used for Active Directory. There is no RFC covering how to map groups in LDAP, so group details may be unavailable.
- OpenID (plugin): Authenticates the user via OpenID provider(s). The user is sent to the OpenID provider when required to authenticate. Supports the OpenID team extension, which provides group details. Notes: This plugin has a special “on-the-side” mode whereby users can link their OpenID identities with e.g. their Active Directory user account.
- Unix PAM (core): Authenticates the username and password through Unix Pluggable Authentication Modules. Requires that Jenkins be running on Linux / Mac OS X / Unix. Notes: Very quick to set up. Handy if you already have a federated PAM configuration. If on a public network, serve Jenkins over https://.
- Feature Matrix (the matrix is an image not captured in the text)
- Overview: Jenkins Security Architecture; Authentication Plugins; Authorization Plugins (Matrix Strategy; Project-based Matrix Strategy; Role strategy; CloudBees’ RBAC plugin); CloudBees’ RBAC plugin; Common Use Cases & Walk-throughs; Questions & Answers
- Authorization Plugins: So tell me… who can do what?
- Matrix Strategy (core): A simple matrix of check-boxes. Each row is a user/group*; each column is a Permission. (* If the Authentication plugin does not support group details, then one row is required for each user.)
- Project-based Matrix Strategy (core): A simple matrix of check-boxes. Each row is a user/group*; each column is a Permission. Each project can add its own matrix.
- Role Strategy (plugin): Allows grouping permissions into roles; roles are assigned to users/groups*. ‡ Project roles are defined using a regex for the project name to which the role is restricted. § Requires the global Admin role.
- CloudBees’ RBAC Plugin (plugin): A simple matrix of check-boxes (row: role; column: permission). Define groups at any level; assign roles to groups; filter roles at any level.
- Feature Matrix (the matrix is an image not captured in the text)
- Overview: Jenkins Security Architecture; Authentication Plugins; Authorization Plugins; CloudBees’ RBAC plugin (Overview; Inheritance model; Filtering); Common Use Cases & Walk-throughs; Questions & Answers
- CloudBees’ RBAC plugin: Our take on an Authorization Strategy
- A layered approach
  - What: Roles defined in Nectar
  - Who: External Groups from LDAP / AD / Atlassian Crowd / etc.; Local Groups defined in Nectar; configure Roles in Local Groups; manage membership in Local Groups (Users / other Local Groups / External Groups)
  - Tweak: Role filtering to restrict inheritance
- Adds new elements to the GUI (screenshot not captured in the text)
- Object-based permissions
  - Groups are defined on objects: per-slave permissions; per-folder permissions (Folders Plugin); per-module permissions (Maven Projects)
  - Role definitions are global
  - Role assignments can be scoped
- How to deploy
  - Plan out your roles
  - Enable security
  - Add the roles
  - Save
  - Define Groups
  - Remove Admin permissions from the Authenticated Role
  - Save
- Inheritance model: Groups and roles (diagram). Root: the Devs group has the Dev role, so you have the Dev role if you are in the Devs group. Folder A: the Folder A Devs group also has the Dev role, so there you have the Dev role if you are in the Devs group or in the Folder A Devs group.
- Inheritance model: Pinned roles (diagram). Folder A: the Folder A Devs group has the Dev role, and you have the Dev role only if you are in the Folder A Devs group. Root: the Devs group has the Dev role, but nobody has the Dev role.
- Filtering (diagram). Folder A: you have the Dev role if you are in the Folder A Devs group. Root: you have the Dev role if you are in the Devs group.
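An added example, not code from the slides or from CloudBees, modelling the layered RBAC scheme just described: global role definitions, local groups defined on objects (root and folders) whose members are users or external groups, role assignments inherited by child objects, and a role filter that stops inheritance into a folder. Pinned roles are not modelled; all group, folder and user names are constructed.

```python
from typing import Dict, Optional, Set

# Role definitions are global (the "What" layer); permission ids as on the slides.
ROLES: Dict[str, Set[str]] = {
    "Dev": {"Job/Read", "Job/Build", "Job/Workspace"},
    "Admin": {"Overall/Administer"},
}

class RbacObject:
    """An object that groups can be defined on: the Jenkins root or a folder."""
    def __init__(self, name: str, parent: Optional["RbacObject"] = None):
        self.name = name
        self.parent = parent
        self.groups: Dict[str, dict] = {}   # local group -> members and assigned roles
        self.filtered: Set[str] = set()     # roles this object refuses to inherit

    def add_group(self, name: str, members: Set[str], roles: Set[str]) -> None:
        """Members may be user names or external group names (e.g. from LDAP)."""
        self.groups[name] = {"members": set(members), "roles": set(roles)}

    def filter_role(self, role: str) -> None:
        """Role filtering: the role is not inherited from parent objects here."""
        self.filtered.add(role)

    def roles_for(self, user: str, external: Set[str] = frozenset()) -> Set[str]:
        """Roles held on this object: from local groups here that contain the user
        (directly or via one of the user's external groups), plus roles inherited
        from the parent object that are not filtered at this level."""
        held: Set[str] = set()
        for g in self.groups.values():
            if user in g["members"] or g["members"] & set(external):
                held |= g["roles"]
        if self.parent is not None:
            held |= self.parent.roles_for(user, external) - self.filtered
        return held

    def permissions_for(self, user: str, external: Set[str] = frozenset()) -> Set[str]:
        """Union of the permissions of every role held on this object."""
        return set().union(*(ROLES[r] for r in self.roles_for(user, external)))

def build_tree():
    """The slides' picture: Devs group at the root, Folder A Devs in Folder A,
    plus a Folder B that filters the Dev role (constructed names)."""
    root = RbacObject("root")
    root.add_group("Devs", members={"alice", "ldap:engineering"}, roles={"Dev"})
    folder_a = RbacObject("Folder A", parent=root)
    folder_a.add_group("Folder A Devs", members={"bob"}, roles={"Dev"})
    folder_b = RbacObject("Folder B", parent=root)
    folder_b.filter_role("Dev")   # root Devs are not Devs inside Folder B
    folder_b.add_group("Folder B Devs", members={"carol"}, roles={"Dev"})
    return root, folder_a, folder_b
```

Calling roles_for on Folder A for a root Devs member and a Folder A Devs member returns Dev for both, while Folder B returns Dev only for its own group's members.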
- Overview: Jenkins Security Architecture; Authentication Plugins; Authorization Plugins; CloudBees’ RBAC plugin; Common Use Cases & Walk-throughs (Authenticated only; Public read-only; Devs vs SQA; Multi-department; Secret skunk-works projects); Questions & Answers
- Common use-cases & Walk-throughs: You’re not so different… here’s how you might do it…
- Authenticated Only. Use case: the system is set up so that only authenticated users can access it; authenticated users can do anything.
- Authenticated Only (configuration screenshot not captured in the text)
- Walk-through: Authenticated Only use case
- Public read-only. Use case: the system is set up so that anonymous users can browse all projects; anonymous users cannot access the Job Workspaces, or change/trigger anything; authenticated users can do anything.
- Public read-only (configuration screenshot not captured in the text)
- Walk-through: Public read-only use case
- Devs vs SQA. Use case: the system is set up so that anonymous users can browse all projects; anonymous users cannot access the Job Workspaces, or change/trigger anything; authenticated Developers can trigger builds; authenticated SQA can delete/tag builds.
- Devs vs SQA (configuration screenshot not captured in the text)
- Walk-through: Devs vs SQA use case
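An added example, not code from the slides or from Jenkins, modelling the permission implication described on the Permissions slide (Overall/Administer implies everything) and the core Matrix Strategy, then filling in the rows for the Public read-only and Devs vs SQA use cases above. The Run/Delete and Run/Update build-level permissions and the group names devs and sqa are assumptions.

```python
from typing import Dict, FrozenSet, Optional, Set

class Permission:
    """A Jenkins-style permission such as Job/Read. implied_by is the aggregate
    permission that also grants it; the slides say Overall/Administer implies all."""
    def __init__(self, group: str, name: str, implied_by: Optional["Permission"] = None):
        self.id = f"{group}/{name}"
        self.implied_by = implied_by

# Permissions named on the Permissions slide, each implied by Overall/Administer.
ADMINISTER = Permission("Overall", "Administer")
OVERALL_READ = Permission("Overall", "Read", ADMINISTER)
JOB_READ = Permission("Job", "Read", ADMINISTER)
JOB_BUILD = Permission("Job", "Build", ADMINISTER)
JOB_WORKSPACE = Permission("Job", "Workspace", ADMINISTER)
# Build-level permissions behind the slide's "..."; assumed here for "delete/tag builds".
RUN_DELETE = Permission("Run", "Delete", ADMINISTER)
RUN_UPDATE = Permission("Run", "Update", ADMINISTER)

class MatrixStrategy:
    """Core Matrix Strategy: each row is a sid (user or group), each column a Permission."""
    def __init__(self) -> None:
        self.rows: Dict[str, Set[Permission]] = {}

    def grant(self, sid: str, *perms: Permission) -> None:
        self.rows.setdefault(sid, set()).update(perms)

    def check(self, sids: FrozenSet[str], perm: Permission) -> bool:
        """True if any of the caller's sids was granted perm, or a permission
        that implies it (walk up the implied_by chain, e.g. to Overall/Administer)."""
        p: Optional[Permission] = perm
        while p is not None:
            if any(p in self.rows.get(s, set()) for s in sids):
                return True
            p = p.implied_by
        return False

def sids_for(user: Optional[str], groups: Set[str] = frozenset()) -> FrozenSet[str]:
    """What the Security Realm contributes: 'anonymous' when nobody is logged in,
    otherwise the user name, the implicit 'authenticated' group and realm groups."""
    if user is None:
        return frozenset({"anonymous"})
    return frozenset({user, "authenticated", *groups})

def public_read_only() -> MatrixStrategy:
    """Anonymous may browse but not see workspaces or change/trigger; authenticated may do anything."""
    m = MatrixStrategy()
    m.grant("anonymous", OVERALL_READ, JOB_READ)
    m.grant("authenticated", ADMINISTER)
    return m

def devs_vs_sqa() -> MatrixStrategy:
    """Authenticated users only read; 'devs' trigger builds, 'sqa' delete/tag builds (names assumed)."""
    m = MatrixStrategy()
    m.grant("anonymous", OVERALL_READ, JOB_READ)
    m.grant("authenticated", OVERALL_READ, JOB_READ)
    m.grant("devs", JOB_BUILD)
    m.grant("sqa", RUN_DELETE, RUN_UPDATE)
    return m
```

Under public_read_only an anonymous caller passes the Job/Read check but fails Job/Workspace, while any logged-in user passes every check through the Overall/Administer row; under devs_vs_sqa only the devs group passes Job/Build and only sqa passes Run/Delete.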
- Multi-department. Use case: the system is set up so that anonymous users can browse all projects; anonymous users cannot access the Job Workspaces, or change/trigger anything; authenticated users can do anything to the projects in their department only. For projects outside their department they are like anonymous users.
- Multi-department (configuration screenshot not captured in the text)
- Walk-through: Multi-department use case
- Secret skunk-works projects. Use case: a secret project is set up for a skunk-works team. Only the skunk-works team‡ can see the secret project. The skunk-works team are not otherwise restricted. ‡ Someone with direct disk access to the master may be able to find the skunk-works project; the aim is to hide the project from the GUI.
- Secret skunk-works projects: implementation matrix with each plugin (image not captured in the text)
- Walk-through: Secret skunk-works projects use case
- Overview: Jenkins Security Architecture; Authentication Plugins; Authorization Plugins; CloudBees’ RBAC plugin; Common Use Cases & Walk-throughs; Questions & Answers
- Support: Nectar
- Nectar: Releases every 6 months. Supported for 18 months. Patches every 6 weeks. Plugins supported for the life of the underlying release. Support all plugins. Nectar 10.10 and Nectar 11.04 released.
- CloudBees Resources
  - CloudBees Resources Page: http://www.cloudbees.com/support.cb
  - Try DEV@cloud & RUN@cloud: https://grandcentral.cloudbees.com/account/signup
  - CloudBees Eclipse Plugin: http://cloudbees.com/eclipse-plugin.cb
  - DEV@cloud Private Edition Beta Program (DEV@cloud for private clouds): http://www.cloudbees.com/dev-pe.cb
- Questions & Answers: And if the questions are too tough, we’ll answer offline…
- Questions & Answers: Raise your hand if you have a question and type your question into the question box… Harpreet is keeping track of who is next… We will unmute you while it is your Q&A… If an answer is going too long, or we need to check some specifics, we will distribute the answer off-line.
