Authentication and authorization in Jenkins and nectar 1
Transcript

  • 1. Authentication and Authorization in Jenkins and Nectar
    July 27th, 2011
    ©2011 CloudBees, Inc. All Rights Reserved
  • 2. Housekeeping
    The slides will be made available as well as a link to the replay of this webinar.
    Links will be sent in an email after the webinar has finished (2-3 days).
  • 3. The Presenters
    Who exactly is talking?
  • 4. The Presenters
    - Stephen Connolly, responsible for:
      - Most of this talk
      - Trying to answer the questions
    - Harpreet Singh, responsible for:
      - Ensuring Stephen does not go too fast/slow
      - Keeping track of questions for the Q&A session
  • 5. Overview
    What we will be covering today
  • 6. Overview
    - Jenkins Security Architecture
    - Authentication Plugins
    - Authorization Plugins
    - CloudBees’ RBAC plugin
    - Common Use Cases & Walk-throughs
    - Questions & Answers
  • 7. CloudBees
    Who are we and what we can do for you?
  • 8. About CloudBees
    Our Mission: Become the leading Platform as a Service (PaaS) for Java™
    Why We’re Different: CloudBees services the complete lifecycle of Cloud application development and deployment. No Servers. No Virtual Machines. No IT.
    Strategy:
    - Nectar – CloudBees Pro version of Jenkins
    - DEV@cloud – Cloud Services for Developers
    - RUN@cloud – Frictionless runtime PaaS for Java apps
  • CloudBees Jenkins Solutions
    Professional support from the Experts
  • 11. CloudBees Jenkins Solutions
    CloudBees’ Pro version of Jenkins: proprietary add-ons, stable release cycle
    Professional support from the Experts
  • 12. CloudBees Jenkins Solutions
    DEV@cloud: self-service “Jenkins as a Service”, pay-as-you-go public cloud
    CloudBees’ Pro version of Jenkins: proprietary add-ons, stable release cycle
    Professional support from the Experts
  • 13. CloudBees Jenkins Solutions
    DEV@cloud Private Edition: self-service “Jenkins as a Service” for Enterprises
    DEV@cloud: self-service “Jenkins as a Service”, pay-as-you-go public cloud
    CloudBees’ Pro version of Jenkins: proprietary add-ons, stable release cycle
    Professional support from the Experts
  • 14. Overview
    - Jenkins Security Architecture
      - Server security
      - Security Realms
      - Authorization Strategies
      - Master/Slave security
    - Authentication Plugins
    - Authorization Plugins
    - CloudBees’ RBAC plugin
    - Common Use Cases & Walk-throughs
    - Questions & Answers
  • 15. Jenkins Security Architecture
    What goes where and which does what…
  • 16. Jenkins Security Architecture
    - Security Realm provides user identity.
    - Authorization Strategy provides the user’s permissions for each object.
    - Actions can require a specific permission to be performed.
    Diagram: Security Realm → Identity; Object and Identity → Authorization Strategy → Permission; Action requires Permission → Access. Security Realm and Authorization Strategy are plugin extension points.
  • 17. Server security
    Depends on your server:
    - Operating System: Windows, Linux
    - Servlet container: Winstone (java -jar jenkins.war), Tomcat, Jetty, JBoss, etc.
  • 18. Server security (cont.)
    Checklist should include:
    - Server patches & hotfixes up to date
    - Server firewall configured appropriately
    - Server remote access locked down
      - Remote Desktop on Windows
      - SSHD on *nix
    - Servlet container running as restricted user
    - Consider Apache HTTPD or nginx if exposing on a public network
  • 25. Security Realms
    What are they?
    - Core Jenkins extension point for Authentication
    - Responsible for validating user identity
    - Can only select one.
    - Default for clean install: None
    What is available already?
    - Core: None, Unix PAM, Internal DB, Legacy Container
    - Open Source Plugins: Active Directory, CAS v1, CollabNet, Crowd, MySQL DB, OpenID SSO, Script & Extended Script, SourceForge Enterprise Edition, …
  • 26. Authorization Strategies
    What are they?
    - Core Jenkins extension point for Authorization
    - Responsible for deciding the permissions available to users.
    - Can only select one.
    - Default for clean install: Unsecured
    What is available already?
    - Core: Global Matrix, Project Matrix, Logged in user can do anything, Legacy Authorization
    - Open Source Plugins: CollabNet, Role strategy, SourceForge Enterprise Edition, …
    - CloudBees’ Plugins: RBAC
  • 27. Permissions
    What are they?
    - The fine-grained activities that can be secured within Jenkins
    - Some permissions aggregate others, e.g. Global Admin implies all other standard permissions
    - Plugins can define their own permissions for their own actions
    What is available?
    - Overall: Administer, Read
    - Slave: Configure, Delete
    - Job: Create, Delete, Configure, Read, Build, Workspace
    - View: Create, Delete, Configure
    - …
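Slides 16 and 27 describe the split between the Security Realm (identity) and the Authorization Strategy (permissions per object), and the way permissions aggregate. The Script Console snippet below, added here and not part of the CloudBees deck, makes both visible on a live instance: it walks each permission's implication chain (which is why Overall/Administer implies everything else) and then asks one job's ACL what anonymous and two named users may actually do. It assumes the core `Permission`/`ACL` API and `User.getById()`/`User.impersonate()` (present, if deprecated, in current releases); the job name `secret-project` and the user ids `alice` and `bob` are placeholders.

```groovy
// Added example (not from the CloudBees deck). Paste into Manage Jenkins -> Script Console.
// Assumptions: core Permission/ACL API; User.getById()/User.impersonate() available in your
// version; job name "secret-project" and users "alice"/"bob" are hypothetical placeholders.
import jenkins.model.Jenkins
import hudson.model.Item
import hudson.model.User
import hudson.security.ACL
import hudson.security.Permission

def jenkins = Jenkins.getInstance()
def label = { Permission p -> "${p.group.title}/${p.name}".toString() }

// 1. Aggregation: every permission carries an 'impliedBy' link. Walking the links shows
//    why Overall/Administer implies all other standard permissions and which
//    plugin-defined permissions hang off which core ones.
println "Permission implication chains:"
Permission.getAll().findAll { it.enabled }.each { p ->
    def chain = []
    for (def q = p.impliedBy; q != null; q = q.impliedBy) { chain << label(q) }
    println "  ${label(p)}" + (chain ? "  <-  " + chain.join("  <-  ") : "  (root permission)")
}

// 2. Effective access: the Security Realm only supplies the identity; the Authorization
//    Strategy answers, per object, whether that identity holds a permission. Ask the
//    job's own ACL, for anonymous and for two realm users (only those that exist).
def job = jenkins.getItem("secret-project")          // hypothetical job name
if (job == null) { throw new IllegalStateException("no job named secret-project") }
def acl = job.getACL()

def identities = ["anonymous": ACL.ANONYMOUS]
["alice", "bob"].each { id ->                        // hypothetical user ids
    def u = User.getById(id, false)
    if (u != null) { identities[id] = u.impersonate() }
}

println "\nEffective permissions on ${job.fullName}:"
[Item.READ, Item.WORKSPACE, Item.BUILD, Item.CONFIGURE, Item.DELETE].each { perm ->
    def row = identities.collect { who, auth -> "${who}=${acl.hasPermission(auth, perm)}" }
    println "  ${label(perm).padRight(16)} ${row.join('  ')}"
}
```

Running this after any change to the Authorization Strategy is a cheap way to confirm that a "read-only" identity really does lack Job/Workspace and Job/Build, rather than trusting the matrix screen.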
  • 28. Master / Slave security
    - Bi-directional channel between Master and Slaves.
    - To trust a slave it is necessary that you trust the JVM used to launch the slave.
    - That JVM can then fork less trusted JVMs for the builds if you want to.
    - SCM security is a bigger risk
      - Can fork threads, etc. as the user running the build
    Checklist:
    - Only run builds on slaves
    - Use VM for slaves & reset VM image after every build
    - Launch slave process with a read-only JVM
    - Access to slaves should be as restricted as the Master
    - Install build tools read-only
    Take Away: SCM security sets the upper bound
  • 33. Overview
    - Jenkins Security Architecture
    - Authentication Plugins
      - Active Directory
      - Atlassian Crowd
      - LDAP
      - Open ID
      - Unix PAM
    - Authorization Plugins
    - CloudBees’ RBAC plugin
    - Common Use Cases & Walk-throughs
    - Questions & Answers
  • 34. Authentication Plugins
    Who are you and how can you prove it to me…
  • 35. Authentication Plugins
    Not all plugins implement every feature. Key features to check for are:
    - Supports signup
    - Provides group details
    - Supports group lookup
    - Can logout
    You may not need all/any of the above, but it may restrict your choice of Authorization Strategy.
  • 36. Active Directory (plugin)
    - Authenticates the username and the password through Active Directory
    - Actually multiple implementations under the hood; one is chosen based on your environment
    Notes:
    - Jenkins does not have to run on Windows to use this.
    - Can require a correctly configured DNS for Active Directory
  • 37. Atlassian Crowd (plugin)
    - Authenticates the username and password through Atlassian Crowd
    - Does not currently support SSO
    Notes:
    - CloudBees have a fix for the group lookup issue currently under test
  • Jenkins’ own user database (core)
    - Authenticates the username and the password against a basic built-in database
    Notes:
    - Not recommended for public facing instances.
  • 38. LDAP (core)
    - Authenticates the username and the password through LDAP
    - Every LDAP server is different
      - Very flexible
      - Harder to configure than some of the other providers
    Notes:
    - Can use for Active Directory
    - No RFC covering how to map groups in LDAP
      - Group details may be unavailable
  • OpenID (plugin)
    - Authenticates the user via OpenID provider(s)
    - User is sent to the OpenID provider when required to authenticate
    - Supports the OpenID team extension => group details
    Notes:
    - This plugin has a special “on-the-side” mode whereby users can link their OpenID identities with e.g. their Active Directory user account
  • 41. Unix PAM (core)
    - Authenticates the username and password through Unix Pluggable Authentication Modules
    - Requires that Jenkins be running on Linux / Mac OS X / Unix
    Notes:
    - Very quick to set up
    - Handy if you already have a federated PAM configuration
    - If on a public network, serve Jenkins over https://
  • 42. Feature Matrix
  • 43. Overview
    - Jenkins Security Architecture
    - Authentication Plugins
    - Authorization Plugins
      - Matrix Strategy
      - Project-based Matrix Strategy
      - Role strategy
      - CloudBees’ RBAC plugin
    - CloudBees’ RBAC plugin
    - Common Use Cases & Walk-throughs
    - Questions & Answers
  • 45. Authorization Plugins
    So tell me… who can do what?
  • 46. Matrix Strategy (core)
    - A simple matrix of click-boxes.
    - Each row is a user/group*
    - Each column is a Permission
    * If the Authentication plugin does not support group details then one row is required for each user
  • 47. Project-based Matrix Strategy (core)
    - A simple matrix of click-boxes.
    - Each row is a user/group*
    - Each column is a Permission
    - Each project can add its own matrix
  • 48. Role Strategy (plugin)
    - Allows grouping permissions into roles
    - Roles assigned to users/groups
    ‡ Project roles are defined using a regex for the project name to which the role is restricted.
    * If the Authentication plugin does not support group details then one row is required for each user
    § Requires global Admin role
  • 49. CloudBees’ RBAC Plugin (plugin)
    - A simple matrix of click-boxes. Row: role. Column: permission.
    - Define groups at any level
    - Assign roles to groups
    - Filter roles at any level
  • 50. Feature Matrix
  • 51. Overview
    - Jenkins Security Architecture
    - Authentication Plugins
    - Authorization Plugins
    - CloudBees’ RBAC plugin
      - Overview
      - Inheritance model
      - Filtering
    - Common Use Cases & Walk-throughs
    - Questions & Answers
  • 54. CloudBees’ RBAC plugin
    Our take on an Authorization Strategy
  • 55. A layered approach
    - What: Roles defined in Nectar
    - Who:
      - External Groups from LDAP / AD / Atlassian Crowd / etc
      - Local Groups defined in Nectar
      - Configure Roles in Local Groups
      - Manage membership in Local Groups: Users / other Local Groups / External Groups
    - Tweak: Role filtering to restrict inheritance
  • 56. Adds new elements to the GUI
  • 57. Object based permissions
    - Groups are defined on objects
      - Per-slave permissions
      - Per-folder permissions (Folders Plugin)
      - Per-module permissions (Maven Projects)
    - Role definitions are global
    - Role assignments can be scoped
  • 58. How to deploy
    1. Plan out your roles
    2. Enable security
    3. Add the roles
    4. Save
    5. Define Groups
    6. Remove Admin permissions from Authenticated Role
    7. Save
  • 59. Inheritance model: Groups and roles
    Diagram: Top level (Devs group → Dev role): have Dev role if in Devs group. Folder A (Folder A Devs group → Dev role): have Dev role if in Devs group or Folder A Devs group.
  • 60. Inheritance model: Pinned roles
    Diagram: Top level (Devs group → Dev role): nobody has Dev role. Folder A (Folder A Devs group → Dev role): have Dev role if in Folder A Devs group.
  • 61. Filtering
    Diagram: Top level (Devs group → Dev role): have Dev role if in Devs group. Folder A (Folder A Devs group → Dev role): have Dev role if in Folder A Devs group.
  • 62. Overview
    - Jenkins Security Architecture
    - Authentication Plugins
    - Authorization Plugins
    - CloudBees’ RBAC plugin
    - Common Use Cases & Walk-throughs
      - Authenticated only
      - Public read-only
      - Devs vs SQA
      - Multi-department
      - Secret skunk-works projects
    - Questions & Answers
  • 66. Common use-cases & Walk-throughs
    You’re not so different… here’s how you might do it…
  • 67. Authenticated Only
    Use case:
    - System is set up so that only authenticated users can access.
    - Authenticated users can do anything.
  • 68. Authenticated Only
  • 69. Walk-through
    Authenticated Only use case
  • 70. Public read-only
    Use case:
    - System is set up so that anonymous users can browse all projects.
    - Anonymous users cannot access the Job Workspaces, or change/trigger anything.
    - Authenticated users can do anything.
  • 71. Public read-only
  • 72. Walk-through
    Public read-only use case
  • 73. Devs vs SQA
    Use case:
    - System is set up so that anonymous users can browse all projects.
    - Anonymous users cannot access the Job Workspaces, or change/trigger anything.
    - Authenticated Developers can trigger builds.
    - Authenticated SQA can delete/tag builds.
  • 74. Devs vs SQA
  • 75. Walk-through
    Devs vs SQA use case
  • 76. Multi-department
    Use case:
    - System is set up so that anonymous users can browse all projects.
    - Anonymous users cannot access the Job Workspaces, or change/trigger anything.
    - Authenticated users can do anything to the projects in their department only. For projects outside their department they are like anonymous users.
  • 77. Multi-department
  • 78. Walk-through
    Multi-department use case
  • 79. Secret skunk-works projects
    Use case:
    - A secret project is set up for a skunk-works team.
    - Only the skunk-works team‡ can see the secret project.
    - The skunk-works team are not otherwise restricted.
    ‡ Someone with direct disk access to the master may be able to find the skunk-works project. The aim is to hide the project from the GUI.
  • 80. Secret skunk-works projects
    Impl matrix with each plugin
  • 81. Walk-through
    Secret skunk-works projects use case
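Three of the use cases above (Public read-only, Devs vs SQA, Secret skunk-works) can be expressed together with the core Project-based Matrix Strategy. The script below is an added example, not the deck's walk-through and not CloudBees code; it assumes Jenkins' built-in user database as the Security Realm, the `ProjectMatrixAuthorizationStrategy` and `AuthorizationMatrixProperty` classes with their string-SID calls (core in 2011, the matrix-auth plugin today, where those calls are deprecated but still present), and hypothetical group SIDs `devs`, `sqa`, `skunkworks`, `admins` and job name `skunkworks-secret`. As slide 35 points out, group SIDs only take effect once the realm supplies group details, so with the built-in database the group rows are inert until you switch to LDAP/AD/Crowd.

```groovy
// Added example (not from the CloudBees deck). Run once from Manage Jenkins -> Script Console
// or from $JENKINS_HOME/init.groovy.d/. Assumptions: Jenkins' built-in user database as the
// Security Realm; ProjectMatrixAuthorizationStrategy and AuthorizationMatrixProperty with
// their string-SID calls (deprecated in current matrix-auth but present); group SIDs
// "devs", "sqa", "skunkworks", "admins" and job name "skunkworks-secret" are hypothetical.
import jenkins.model.Jenkins
import hudson.model.Item
import hudson.model.Job
import hudson.model.Run
import hudson.security.AuthorizationMatrixProperty
import hudson.security.HudsonPrivateSecurityRealm
import hudson.security.Permission
import hudson.security.ProjectMatrixAuthorizationStrategy

final String SECRET_JOB = "skunkworks-secret"   // hypothetical job name
def jenkins = Jenkins.getInstance()

// Security Realm: who you are. Sign-up disabled so strangers cannot mint accounts.
// An admin account is created only if missing; replace the placeholder password at once.
def realm = (jenkins.getSecurityRealm() instanceof HudsonPrivateSecurityRealm)
        ? jenkins.getSecurityRealm() : new HudsonPrivateSecurityRealm(false)
if (!realm.getAllUsers().any { it.id == "admin" }) {
    realm.createAccount("admin", "CHANGE-ME-placeholder")
}
jenkins.setSecurityRealm(realm)

// Authorization Strategy: what each identity may do. Project matrix = global rows plus
// per-job rows. Grants are additive: a job's matrix can add permissions but never revoke
// a global one, so Job/Read is deliberately NOT granted here (see the per-job rows below).
def strategy = new ProjectMatrixAuthorizationStrategy()
[
    (Jenkins.READ):       ["anonymous", "authenticated"], // everyone may reach the dashboard
    (Item.BUILD):         ["devs"],                       // Devs: trigger builds
    (Run.DELETE):         ["sqa"],                        // SQA: delete builds
    (Run.UPDATE):         ["sqa"],                        // SQA: keep/describe builds; SCM "tag"
                                                          // is a plugin permission, not granted here
    (Jenkins.ADMINISTER): ["admins"],
].each { Permission p, List<String> sids -> sids.each { strategy.add(p, it) } }
jenkins.setAuthorizationStrategy(strategy)

// Per-job rows. Because Job/Read lives here, each project decides its own visibility:
// public projects show themselves to anonymous (Public read-only), the secret project only
// to its team. Nothing below grants Job/Workspace or anything that triggers to anonymous.
def matrixOf = { Map<String, List<Permission>> rows ->
    Map<Permission, Set<String>> granted = [:]
    rows.each { sid, perms -> perms.each { p -> granted.get(p, new HashSet<String>()) << sid } }
    new AuthorizationMatrixProperty(granted)
}
def publicRows = ["anonymous": [Item.READ], "devs": [Item.READ], "sqa": [Item.READ]]
def secretRows = ["skunkworks": [Item.READ, Item.WORKSPACE, Item.BUILD, Item.CONFIGURE,
                                 Item.DELETE, Run.DELETE, Run.UPDATE]]

jenkins.getAllItems(Job).each { Job job ->
    job.removeProperty(AuthorizationMatrixProperty)   // idempotent: drop any earlier matrix
    job.addProperty(matrixOf(job.name == SECRET_JOB ? secretRows : publicRows))
}
jenkins.save()
println "Realm and project matrix applied to ${jenkins.getAllItems(Job).size()} jobs"
```

The design point is the additive nature of the matrix strategies: a per-project matrix can add rows but cannot take a global grant away, which is why Job/Read is granted per project rather than globally, and why a plain Global Matrix cannot implement the skunk-works case at all. Jobs created later start with no matrix of their own and are therefore invisible until someone adds rows, which is the safe default for this layout. As the deck's footnote says, this hides the project from the GUI only; anyone with disk access to the master can still find it.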
  • 82. Overview
    - Jenkins Security Architecture
    - Authentication Plugins
    - Authorization Plugins
    - CloudBees’ RBAC plugin
    - Common Use Cases & Walk-throughs
    - Questions & Answers
  • 87. Nectar
    Support
  • 88. Nectar
    - Releases every 6 months.
    - Supported for 18 months.
    - Patches every 6 weeks.
    - Plugins supported for life of underlying release
    - Support all plugins
    - Nectar 10.10 and Nectar 11.04 released
  • 89. CloudBees Resources
    - CloudBees Resources Page: http://www.cloudbees.com/support.cb
    - Try DEV@cloud & RUN@cloud: https://grandcentral.cloudbees.com/account/signup
    - CloudBees Eclipse Plugin: http://cloudbees.com/eclipse-plugin.cb
    - DEV@cloud Private Edition Beta Program (DEV@cloud for private clouds): http://www.cloudbees.com/dev-pe.cb
  • 90. Questions & Answers
    And if the questions are too tough, we’ll answer offline…
  • 91. Questions & Answers
    - Raise your hand if you have a question and type your question into the question box…
    - Harpreet is keeping track of who is next…
    - We will unmute you while it is your Q&A…
    - If an answer is going too long, or we need to check some specifics, we will distribute the answer off-line.
  • 92. ©2011 CloudBees, Inc. All Rights Reserved
