Authentication and authorization in Jenkins and nectar 1

Presentation Transcript

    • Authentication and Authorization in Jenkins and Nectar
      July 27th, 2011
      ©2011 CloudBees, Inc. All Rights Reserved
    • Housekeeping
      The slides will be made available as well as a link to the replay of this webinar.
      Links will be sent in an email after the webinar has finished (2-3 days).
    • The Presenters
      Who exactly is talking?
    • The Presenters
      Stephen Connolly, responsible for most of this talk and for trying to answer the questions.
      Harpreet Singh, responsible for ensuring Stephen does not go too fast/slow and for keeping track of questions for the Q&A session.
    • Overview
      What we will be covering today
    • Overview
      Jenkins Security Architecture
      Authentication Plugins
      Authorization Plugins
      CloudBees’ RBAC plugin
      Common Use Cases & Walk-throughs
      Questions & Answers
    • CloudBees
      Who are we and what can we do for you?
    • About CloudBees
      Our Mission: become the leading Platform as a Service (PaaS) for Java™.
      Why We’re Different: CloudBees services the complete lifecycle of cloud application development and deployment. No servers. No virtual machines. No IT.
      Strategy
      • Nectar – CloudBees’ Pro version of Jenkins
      • DEV@cloud – Cloud services for developers
      • RUN@cloud – Frictionless runtime PaaS for Java apps
    • CloudBees Jenkins Solutions
      (built up over four slides; the layers, from the base upward)
      Professional support from the experts
      Nectar: CloudBees’ Pro version of Jenkins, with proprietary add-ons and a stable release cycle
      DEV@cloud: self-service “Jenkins as a Service”, pay-as-you-go on the public cloud
      DEV@cloud Private Edition: self-service “Jenkins as a Service” for enterprises
    • Overview
      Jenkins Security Architecture
      • Server security
      • Security Realms
      • Authorization Strategies
      • Master/Slave security
      Authentication Plugins
      Authorization Plugins
      CloudBees’ RBAC plugin
      Common Use Cases & Walk-throughs
      Questions & Answers
    • Jenkins Security Architecture
      What goes where and which does what…
    • Jenkins Security Architecture
      Security Realm provides user identity.
      Authorization Strategy provides the user’s permissions for each object.
      Actions can require a specific permission to be performed.
      (diagram: Security Realm → Identity; Authorization Strategy → Permission; an Action on an Object is granted Access when the Identity holds the required Permission; Security Realm and Authorization Strategy are plugin extension points)
    • Server security
      Depends on your server:
      Operating System: Windows, Linux
      Servlet container: Winstone (java -jar jenkins.war), Tomcat, Jetty, JBoss, etc.
    • Server security (cont.)
      Checklist should include
      • Server patches & hotfixes up to date
      • Server firewall configured appropriately
      • Server remote access locked down (Remote Desktop on Windows, SSHD on *nix)
      • Servlet container running as a restricted user
      • Consider Apache HTTPD or nginx if exposing on a public network
    • Security Realms
      What are they
      Core Jenkins extension point for Authentication.
      Responsible for validating user identity.
      Can only select one.
      Default for clean install: None.
      What is available already
      Core: None, Unix PAM, Internal DB, Legacy Container
      Open Source Plugins: Active Directory, CAS v1, CollabNet, Crowd, MySQL DB, OpenID SSO, Script & Extended Script, SourceForge Enterprise Edition
    • Authorization Strategies
      What are they
      Core Jenkins extension point for Authorization.
      Responsible for deciding the permissions available to users.
      Can only select one.
      Default for clean install: Unsecured.
      What is available already
      Core: Global Matrix, Project Matrix, Logged in user can do anything, Legacy Authorization
      Open Source Plugins: CollabNet, Role strategy, SourceForge Enterprise Edition
      CloudBees’ Plugins: RBAC
    • Permissions
      What are they
      The fine-grained activities that can be secured within Jenkins.
      Some permissions aggregate others, e.g. Global Admin implies all other standard permissions.
      Plugins can define their own permissions for their own actions.
      What is available
      Overall: Administer, Read
      Slave: Configure, Delete
      Job: Create, Delete, Configure, Read, Build, Workspace
      View: Create, Delete, Configure
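Added example, not code from the slides or from Jenkins: a small Python model of the three extension points on the Jenkins Security Architecture slide (Security Realm gives an identity, Authorization Strategy gives that identity's permissions on an object, an action runs only if it holds the permission it requires) together with the permission aggregation described above. The class names (`InternalDbRealm`, `Unsecured`, `LoggedInCanDoAnything`) and the `Group/Name` permission strings are this example's own simplifications, the user and job names are constructed, and the rule that an anonymous identity holds nothing under the logged-in strategy is an assumption of the model.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Added example (not Jenkins code): Security Realm -> Identity,
# Authorization Strategy -> Permissions on an object, action gate.
# All class and function names here are this example's own.

# Permission names written as "Group/Name", following the slide's list.
PERMISSIONS = frozenset({
    "Overall/Administer", "Overall/Read",
    "Slave/Configure", "Slave/Delete",
    "Job/Create", "Job/Delete", "Job/Configure", "Job/Read", "Job/Build", "Job/Workspace",
    "View/Create", "View/Delete", "View/Configure",
})

# Aggregation as stated on the slide: Overall/Administer implies every other
# standard permission. A plugin defining its own permissions would add entries here.
IMPLIED_BY = {p: frozenset({"Overall/Administer"}) for p in PERMISSIONS if p != "Overall/Administer"}


def implies(granted, needed):
    """True if `needed` is granted directly or by a permission that aggregates it."""
    return needed in granted or bool(granted & IMPLIED_BY.get(needed, frozenset()))


@dataclass(frozen=True)
class Identity:
    name: str
    groups: frozenset = frozenset()

    @property
    def authenticated(self):
        return self.name != "anonymous"


ANONYMOUS = Identity("anonymous")


class InternalDbRealm:
    """Security Realm backed by a local user table (the 'Internal DB' of the
    slides, which they flag as not recommended for public-facing instances).
    Passwords are stored as salted PBKDF2 digests; a failed login yields None
    so the caller falls back to the anonymous identity."""

    ITERATIONS = 200_000

    def __init__(self):
        self._users = {}

    def signup(self, name, password, groups=()):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)
        self._users[name] = (salt, digest, frozenset(groups))

    def authenticate(self, name, password):
        record = self._users.get(name)
        if record is None:
            return None
        salt, digest, groups = record
        attempt = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)
        return Identity(name, groups) if hmac.compare_digest(attempt, digest) else None


class Unsecured:
    """Clean-install default: every identity, anonymous included, holds everything."""
    def permissions(self, who, obj):
        return PERMISSIONS


class LoggedInCanDoAnything:
    """'Logged in user can do anything': authenticated identities administer;
    anonymous identities hold nothing (an assumption of this model)."""
    def permissions(self, who, obj):
        return frozenset({"Overall/Administer"}) if who.authenticated else frozenset()


def allowed(strategy, who, obj, needed):
    """The action gate: fetch the identity's permissions on `obj`, then apply implication."""
    return implies(strategy.permissions(who, obj), needed)


def demo():
    """Constructed scenario; returns the outcomes as a dict so they can be checked."""
    realm = InternalDbRealm()
    realm.signup("alice", "correct horse battery", groups=["devs"])   # constructed user
    alice = realm.authenticate("alice", "correct horse battery") or ANONYMOUS
    intruder = realm.authenticate("alice", "wrong password") or ANONYMOUS
    strategy = LoggedInCanDoAnything()
    return {
        "alice_can_configure": allowed(strategy, alice, "job:payments-api", "Job/Configure"),
        "bad_password_is_anonymous": intruder == ANONYMOUS,
        "anonymous_can_read": allowed(strategy, intruder, "job:payments-api", "Job/Read"),
        "unsecured_anonymous_admin": allowed(Unsecured(), ANONYMOUS, "jenkins", "Overall/Administer"),
    }
```

The point the model makes explicit is the separation the slide draws: the realm never decides what a user may do, and the strategy never sees a password, so either can be swapped (a different realm plugin, a different strategy) without touching the action gate.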
    • Master / Slave security
      Bi-directional channel between Master and Slaves.
      To trust a slave it is necessary that you trust the JVM used to launch the slave.
      That JVM can then fork less trusted JVMs for the builds if you want to.
      SCM security is a bigger risk: the build can fork threads, etc., as the user running the build.
      Checklist
      • Only run builds on slaves
      • Use VMs for slaves & reset the VM image after every build
      • Launch the slave process with a read-only JVM
      • Access to slaves should be as restricted as the Master
      • Install build tools read-only
      Take Away: SCM security sets the upper bound.
    • Overview
      • Jenkins Security Architecture
      Authentication Plugins
      • Active Directory
      • Atlassian Crowd
      • LDAP
      • OpenID
      • Unix PAM
      Authorization Plugins
      CloudBees’ RBAC plugin
      Common Use Cases & Walk-throughs
      Questions & Answers
    • Authentication Plugins
      Who are you and how can you prove it to me…
    • Authentication Plugins
      Not all plugins implement every feature. Key features to check for are:
      • Supports signup
      • Provides group details
      • Supports group lookup
      • Can logout
      You may not need all or any of the above, but it may restrict your choice of Authorization Strategy.
    • Active Directory (plugin)
      Authenticates the username and the password through Active Directory.
      Actually multiple implementations under the hood; one is chosen based on your environment.
      Notes:
      Jenkins does not have to run on Windows to use this.
      Can require a correctly configured DNS for Active Directory.
    • Atlassian Crowd (plugin)
      Authenticates the username and password through Atlassian Crowd.
      Does not currently support SSO.
      Notes:
      • CloudBees have a fix for the group lookup issue currently under test.
    • Jenkins’ own user database (core)
      Authenticates the username and the password against a basic built-in database.
      Notes:
      Not recommended for public facing instances.
    • LDAP (core)
      Authenticates the username and the password through LDAP.
      Every LDAP server is different:
      • Very flexible
      • Harder to configure than some of the other providers
      Notes:
      Can be used for Active Directory.
      • No RFC covers how to map groups in LDAP
      • Group details may be unavailable
    • OpenID (plugin)
      Authenticates the user via OpenID provider(s).
      The user is sent to the OpenID provider when required to authenticate.
      Supports the OpenID team extension => group details.
      Notes:
      This plugin has a special “on-the-side” mode whereby users can link their OpenID identities with e.g. their Active Directory user account.
    • Unix PAM (core)
      Authenticates the username and password through Unix Pluggable Authentication Modules.
      Requires that Jenkins be running on Linux / Mac OS X / Unix.
      Notes:
      Very quick to set up.
      Handy if you already have a federated PAM configuration.
      If on a public network, serve Jenkins over https://
    • Feature Matrix
      (the feature matrix table for the authentication plugins is not captured in this transcript)
    • Overview
      • Jenkins Security Architecture
      • Authentication Plugins
      Authorization Plugins
      • Matrix Strategy
      • Project-based Matrix Strategy
      • Role strategy
      • CloudBees’ RBAC plugin
      CloudBees’ RBAC plugin
      Common Use Cases & Walk-throughs
      Questions & Answers
    • Authorization Plugins
      So tell me… who can do what?
    • Matrix Strategy (core)
      A simple matrix of click-boxes.
      Each row is a user/group*
      Each column is a Permission
      * If the Authentication plugin does not support group details then one row is required for each user
    • Project-based Matrix Strategy (core)
      A simple matrix of click-boxes.
      Each row is a user/group*
      Each column is a Permission
      Each project can add its own matrix.
    • Role Strategy (plugin)
      Allows grouping permissions into roles.
      Roles are assigned to users/groups.
      ‡ Project roles are defined using a regex for the project name to which the role is restricted.
      * If the Authentication plugin does not support group details then one row is required for each user
      § Requires global Admin role
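Added example, not the Role Strategy plugin's code: a Python model of what the slide describes, roles as bundles of permissions assigned to user or group sids, with project roles restricted by a regex over the project name as the ‡ note says. The `RoleStrategy` class, the role, group and project names, and the assumption that a realm without group details simply yields an empty group list (so assignments must be made per user, as the * note warns) are this example's own.

```python
import re
from dataclasses import dataclass

# Added example (not the Role Strategy plugin's code). Roles bundle permissions;
# global roles apply everywhere, project roles only where their regex matches
# the project name. Role/group/project names are constructed.

ADMIN = "Overall/Administer"


def implies(granted, needed):
    """Global Admin aggregates every other standard permission."""
    return needed in granted or ADMIN in granted


@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset
    pattern: str = None      # None for a global role; a regex over the project name for a project role


class RoleStrategy:
    def __init__(self):
        self.roles = {}          # role name -> Role
        self.assignments = {}    # role name -> set of sids (user names or group names)

    def define(self, name, permissions, pattern=None):
        self.roles[name] = Role(name, frozenset(permissions), pattern)

    def assign(self, role_name, sid):
        self.assignments.setdefault(role_name, set()).add(sid)

    @staticmethod
    def sids(user, groups):
        """Identifiers a request can match: the user, the groups the realm reported
        for it (empty if the realm provides no group details), and the built-in
        anonymous/authenticated sids."""
        built_in = "anonymous" if user == "anonymous" else "authenticated"
        return {user, built_in, *groups}

    def permissions(self, user, groups, project=None):
        sids = self.sids(user, groups)
        granted = set()
        for role in self.roles.values():
            if not sids & self.assignments.get(role.name, set()):
                continue
            if role.pattern is None:
                granted |= role.permissions
            elif project is not None and re.fullmatch(role.pattern, project):
                granted |= role.permissions     # project role: only where the regex matches
        return granted

    def can(self, user, groups, needed, project=None):
        return implies(self.permissions(user, groups, project), needed)


def build_example():
    """Constructed role layout: one admin, read access for anyone logged in,
    and a project role for the 'payments' group on projects named payments-*."""
    s = RoleStrategy()
    s.define("admin", [ADMIN])
    s.define("reader", ["Overall/Read", "Job/Read"])
    s.define("payments-dev", ["Job/Build", "Job/Workspace"], pattern=r"payments-.*")
    s.assign("admin", "alice")
    s.assign("reader", "authenticated")
    s.assign("payments-dev", "payments")       # a group name supplied by the realm
    return s
```

Because `re.fullmatch` is used rather than `re.search`, a pattern like `payments-.*` does not accidentally cover a project named `legacy-payments-api`; when writing project-role regexes, anchoring is the detail that most often decides whether a role leaks onto unintended jobs.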
    • CloudBees’ RBAC Plugin (plugin)
      A simple matrix of click-boxes. Row: role. Column: permission.
      Define groups at any level.
      Assign roles to groups.
      Filter roles at any level.
    • Feature Matrix
      (the feature matrix table for the authorization strategies is not captured in this transcript)
    • Overview
      • Jenkins Security Architecture
      • Authentication Plugins
      • Authorization Plugins
      CloudBees’ RBAC plugin
      • Overview
      • Inheritance model
      • Filtering
      Common Use Cases & Walk-throughs
      Questions & Answers
    • CloudBees’ RBAC plugin
      Our take on an Authorization Strategy
    • A layered approach
      What: Roles defined in Nectar.
      Who: External Groups from LDAP / AD / Atlassian Crowd / etc.; Local Groups defined in Nectar; configure Roles in Local Groups; manage membership in Local Groups (Users / other Local Groups / External Groups).
      Tweak: Role filtering to restrict inheritance.
    • Adds new elements to the GUI
    • Object based permissions
      Groups are defined on objects:
      Per-slave permissions
      Per-folder permissions (Folders Plugin)
      Per-module permissions (Maven Projects)
      Role definitions are global.
      Role assignments can be scoped.
    • How to deploy
      Plan out your roles
      Enable security
      Add the roles
      Save
      Define Groups
      Remove Admin permissions from the Authenticated Role
      Save
    • Inheritance model: Groups and roles
      (diagram) Root: the Devs group grants the Dev role, so at the root you have the Dev role if in the Devs group.
      Folder A: the Folder A Devs group grants the Dev role, so in Folder A you have the Dev role if in the Devs group or the Folder A Devs group.
    • Inheritance model: Pinned roles
      (diagram) Folder A: the Folder A Devs group grants the Dev role, so in Folder A you have the Dev role if in the Folder A Devs group.
      Root: the Devs group with the Dev role (pinned); nobody has the Dev role.
    • Filtering
      (diagram) Root: the Devs group grants the Dev role, so at the root you have the Dev role if in the Devs group.
      Folder A: the Folder A Devs group grants the Dev role; with the Dev role filtered at Folder A, you have the Dev role there only if in the Folder A Devs group.
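Added example, not CloudBees' plugin code: a Python model of the Groups and roles and Filtering slides above. Groups are defined on objects in a root / folder / job tree, a role granted on an object is inherited by the objects below it, membership resolves against users, the realm's external groups and nested local groups, and a per-object role filter blocks a role from being inherited from the parent. Pinned roles are not modelled; the tree, the group and user names, the external group `ldap-developers` and the role-to-permission table are constructed for this illustration.

```python
from dataclasses import dataclass, field

# Added example (not CloudBees RBAC code): object tree with groups defined on
# objects, roles propagating downward, and per-object role filters.
# Role, group, user and object names are constructed.

ROLE_PERMISSIONS = {                         # role definitions are global
    "Dev": {"Job/Read", "Job/Build", "Job/Workspace"},
    "Admin": {"Overall/Administer"},
}


@dataclass
class LocalGroup:
    members: set                 # user names, external (realm) group names, or other local groups
    roles: set


@dataclass
class Obj:
    name: str
    parent: "Obj" = None
    groups: dict = field(default_factory=dict)    # local group name -> LocalGroup
    filtered: set = field(default_factory=set)    # roles NOT inherited from the parent


def is_member(obj, group_name, user, external_groups, seen=()):
    """Membership resolves against users, the realm's groups, and nested local groups
    defined on the same object; `seen` guards against group cycles."""
    group = obj.groups[group_name]
    for m in group.members:
        if m == user or m in external_groups:
            return True
        if m in obj.groups and m not in seen and is_member(obj, m, user, external_groups, seen + (group_name,)):
            return True
    return False


def roles_at(obj, user, external_groups):
    """Roles a user holds on `obj`: roles inherited from the parent minus the
    object's filters, plus roles from groups defined on the object itself."""
    inherited = roles_at(obj.parent, user, external_groups) if obj.parent else set()
    held = inherited - obj.filtered
    for name, group in obj.groups.items():
        if is_member(obj, name, user, external_groups):
            held |= group.roles
    return held


def can(obj, user, external_groups, needed):
    """Permission check: union the permissions of every role held on the object."""
    perms = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles_at(obj, user, external_groups)))
    return needed in perms or "Overall/Administer" in perms


def build_tree(filter_dev_in_folder_a):
    """The slides' layout: a Devs group at the root, a Folder A Devs group on Folder A,
    optionally with the Dev role filtered at Folder A. Returns (root, folder_a, job)."""
    root = Obj("root")
    root.groups["Devs"] = LocalGroup(members={"ldap-developers"}, roles={"Dev"})   # external group as member
    folder_a = Obj("Folder A", parent=root)
    folder_a.groups["Folder A Devs"] = LocalGroup(members={"carol"}, roles={"Dev"})
    if filter_dev_in_folder_a:
        folder_a.filtered.add("Dev")
    job = Obj("Folder A/job-1", parent=folder_a)
    return root, folder_a, job
```

Without the filter, a member of the root-level Devs group holds Dev everywhere below the root; with Dev filtered at Folder A, only the group defined on Folder A grants it there, while the root itself is unaffected, which is the behaviour the two diagrams contrast.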
    • Overview
      • Jenkins Security Architecture
      • Authentication Plugins
      • Authorization Plugins
      • CloudBees’ RBAC plugin
      Common Use Cases & Walk-throughs
      • Authenticated only
      • Public read-only
      • Dev vs SQA
      • Multi-department
      • Secret skunk-works projects
      Questions & Answers
    • Common use-cases & Walk-throughs
      You’re not so different… here’s how you might do it…
    • Authenticated Only
      Use case: the system is set up so that only authenticated users can access it.
      Authenticated users can do anything.
    • Authenticated Only
      (screenshot of the configuration; not captured in this transcript)
    • Walk-through
      Authenticated Only use case
    • Public read-only
      Use case: the system is set up so that anonymous users can browse all projects.
      Anonymous users cannot access the Job Workspaces, or change/trigger anything.
      Authenticated users can do anything.
    • Public read-only
      (screenshot of the configuration; not captured in this transcript)
    • Walk-through
      Public read-only use case
    • Dev vs SQA
      Use case: the system is set up so that anonymous users can browse all projects.
      Anonymous users cannot access the Job Workspaces, or change/trigger anything.
      Authenticated Developers can trigger builds.
      Authenticated SQA can delete/tag builds.
    • Dev vs SQA
      (screenshot of the configuration; not captured in this transcript)
    • Walk-through
      Dev vs SQA use case
    • Multi-department
      Use case: the system is set up so that anonymous users can browse all projects.
      Anonymous users cannot access the Job Workspaces, or change/trigger anything.
      Authenticated users can do anything to the projects in their department only. For projects outside their department they are like anonymous users.
    • Multi-department
      (screenshot of the configuration; not captured in this transcript)
    • Walk-through
      Multi-department use case
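Added example, not Jenkins code: one Python model serving both the Matrix Strategy and Project-based Matrix Strategy slides and the Public read-only, Dev vs SQA and Multi-department use cases above. Rows are sids (user names, group names, or the built-in anonymous / authenticated), columns are permissions, and the project-based variant unions a per-project matrix with the global one. `Build/Delete` and `Build/Tag` are this example's own labels for the delete/tag-build actions, the group and project names are constructed, and the model assumes (as in Jenkins' matrix) that a row for `anonymous` does not carry over to logged-in users, who need their own row.

```python
# Added example (not Jenkins code): global matrix + per-project matrix model,
# configured for three of the use cases on the slides. Group and project
# names are constructed; "Build/Delete" and "Build/Tag" are this example's labels.

ADMIN = "Overall/Administer"


def implies(granted, needed):
    """Global Admin aggregates every other standard permission."""
    return needed in granted or ADMIN in granted


class ProjectMatrixStrategy:
    def __init__(self):
        self.global_rows = {}      # sid -> set of permissions (the Matrix Strategy)
        self.project_rows = {}     # project -> {sid -> set of permissions} (the per-project matrix)

    def grant(self, sid, *perms, project=None):
        rows = self.global_rows if project is None else self.project_rows.setdefault(project, {})
        rows.setdefault(sid, set()).update(perms)

    @staticmethod
    def sids(user, groups):
        """The user, its realm groups, and the built-in sid for its login state.
        A realm without group details means one row per user (the * note)."""
        built_in = "anonymous" if user == "anonymous" else "authenticated"
        return {user, built_in, *groups}

    def permissions(self, user, groups, project=None):
        """Union of the matching global rows and, for a project, its own rows."""
        granted = set()
        for sid in self.sids(user, groups):
            granted |= self.global_rows.get(sid, set())
            if project is not None:
                granted |= self.project_rows.get(project, {}).get(sid, set())
        return granted

    def can(self, user, groups, needed, project=None):
        return implies(self.permissions(user, groups, project), needed)


def public_read_only():
    """Anonymous browses everything; no Job/Workspace and nothing that changes state."""
    s = ProjectMatrixStrategy()
    s.grant("anonymous", "Overall/Read", "Job/Read")
    s.grant("authenticated", ADMIN)
    return s


def dev_vs_sqa():
    """Anonymous read-only; developers may trigger builds; SQA may delete/tag builds."""
    s = ProjectMatrixStrategy()
    s.grant("anonymous", "Overall/Read", "Job/Read")
    s.grant("authenticated", "Overall/Read", "Job/Read")
    s.grant("developers", "Job/Build")                    # group names come from the realm
    s.grant("sqa", "Build/Delete", "Build/Tag")
    return s


def multi_department(departments):
    """departments: {group name -> [project names]}. Full job control inside the
    department via per-project rows; anonymous-level access everywhere else."""
    s = ProjectMatrixStrategy()
    s.grant("anonymous", "Overall/Read", "Job/Read")
    s.grant("authenticated", "Overall/Read", "Job/Read")
    for group, projects in departments.items():
        for project in projects:
            s.grant(group, "Job/Build", "Job/Configure", "Job/Delete", "Job/Workspace", project=project)
    return s
```

The check worth running before enabling any of these layouts is the negative one: the anonymous row must not include `Job/Workspace` or `Job/Build`, and a department group must get nothing on projects outside its own rows, which is exactly what the per-project matrix makes easy to reason about and the global matrix alone cannot express.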
    • Secret skunk-works projects
      Use case: a secret project is set up for a skunk-works team.
      Only the skunk-works team‡ can see the secret project.
      The skunk-works team are not otherwise restricted.
      ‡ Someone with direct disk access to the master may be able to find the skunk-works project. The aim is to hide the project from the GUI.
    • Secret skunk-works projects
      Implementation matrix with each plugin (table not captured in this transcript)
    • Walk-through
      Secret skunk-works projects use case
    • Overview
      • Jenkins Security Architecture
      • Authentication Plugins
      • Authorization Plugins
      • CloudBees’ RBAC plugin
      • Common Use Cases & Walk-throughs
      Questions & Answers
    • Nectar
      Support
    • Nectar
      Releases every 6 months.
      Supported for 18 months.
      Patches every 6 weeks.
      Plugins supported for the life of the underlying release.
      Support all plugins.
      Nectar 10.10 and Nectar 11.04 released.
    • CloudBees Resources
      CloudBees Resources Page: http://www.cloudbees.com/support.cb
      Try DEV@cloud & RUN@cloud: https://grandcentral.cloudbees.com/account/signup
      CloudBees Eclipse Plugin: http://cloudbees.com/eclipse-plugin.cb
      DEV@cloud Private Edition Beta Program (DEV@cloud for private clouds): http://www.cloudbees.com/dev-pe.cb
    • Questions & Answers
      And if the questions are too tough, we’ll answer offline…
    • Questions & Answers
      Raise your hand if you have a question and type your question into the question box…
      Harpreet is keeping track of who is next…
      We will unmute you while it is your Q&A…
      If an answer is going too long, or we need to check some specifics, we will distribute the answer off-line.