Authentication and authorization in Jenkins and nectar 1
Presentation Transcript

  • Authentication and Authorization in Jenkins and Nectar
    July 27th, 2011
    ©2011 CloudBees, Inc. All Rights Reserved
  • The slides will be made available as well as a link to the replay of this webinar.
    Links will be sent in an email after the webinar has finished (2-3 days).
    Housekeeping
  • The Presenters
    Who exactly is talking?
  • Stephen Connolly
    Responsible for
    Most of this talk
    Trying to answer the questions
    Harpreet Singh
    Responsible for
    Ensuring Stephen does not go too fast/slow
    Keeping track of questions for the Q&A session
    The Presenters
  • Overview
    What we will be covering today
  • Jenkins Security Architecture
    Authentication Plugins
    Authorization Plugins
    CloudBees’ RBAC plugin
    Common Use Cases & Walk-throughs
    Questions & Answers
    Overview
  • CloudBees
    Who are we and what we can do for you?
  • About CloudBees
    Our Mission
    Become the leading Platform as a Service (PaaS) for Java™
    Why We’re Different
    CloudBees services the complete lifecycle of Cloud application development and deployment. No Servers. No Virtual Machines. No IT.
    Strategy
    • Nectar – CloudBees Pro version of Jenkins
    • DEV@cloud – Cloud Services for Developers
    • RUN@cloud – Frictionless runtime PaaS for Java apps
  • CloudBees Jenkins Solutions
    DEV@cloud Private Edition: self-service “Jenkins as a Service” for Enterprises
    DEV@cloud: self-service “Jenkins as a Service”, pay-as-you-go public cloud
    Nectar: CloudBees’ Pro version of Jenkins, proprietary add-ons, stable release cycle
    Professional support from the Experts
  • Jenkins Security Architecture
    Server security
    Security Realms
    Authorization Strategies
    Master/Slave security
    Authentication Plugins
    Authorization Plugins
    CloudBees’ RBAC plugin
    Common Use Cases & Walk-throughs
    Questions & Answers
    Overview
  • Jenkins Security Architecture
    What goes where and which does what…
  • Security Realm provides user identity
    Authorization Strategy provides user’s permissions for each object.
    Actions can require a specific permission to be performed.
    Jenkins Security Architecture
    Diagram: Security Realm → Identity; Authorization Strategy → Permission; Action → Access (on an Object). Security Realm and Authorization Strategy are plugin extension points.
  • Depends on your server:
    Operating System
    Windows
    Linux
    Servlet container
    Winstone (java -jar jenkins.war)
    Tomcat
    Jetty
    JBoss
    etc.
    Server security
  • Checklist should include
    • Server patches & hotfixes up to date
    • Server firewall configured appropriately
    • Server remote access locked down
    • Remote desktop on Windows
    • SSHD on *nix
    • Servlet container running as restricted user
    • Consider Apache HTTPD or nginx if exposing on a public network
    Server security (cont.)
  • What are they
    Core Jenkins extension point for Authentication
    Responsible for validating user identity
    Can only select one.
    Default for clean install:
    None
    What is available already
    Core
    None
    Unix PAM
    Internal DB
    Legacy Container
    Open Source Plugins
    Active Directory
    CAS v1
    CollabNet
    Crowd
    MySQL DB
    OpenID SSO
    Script & Extended Script
    SourceForge Enterprise Edition
    Security Realms
  • What are they
    Core Jenkins extension point for Authorization
    Responsible for deciding the permissions available to users.
    Can only select one.
    Default for clean install:
    Unsecured
    What is available already
    Core
    Global Matrix
    Project Matrix
    Logged in user can do anything
    Legacy Authorization
    Open Source Plugins
    CollabNet
    Role strategy
    SourceForge Enterprise Edition
    CloudBees’ Plugins
    RBAC
    Authorization Strategies
  • What are they
    The fine-grained activities that can be secured within Jenkins
    Some permissions aggregate others, e.g. Global Admin implies all other standard permissions
    Plugins can define their own permissions for their own actions
    What is available
    Overall
    Administer
    Read
    Slave
    Configure
    Delete
    Job
    Create
    Delete
    Configure
    Read
    Build
    Workspace
    View
    Create
    Delete
    Configure
    Permissions
  • Bi-directional channel between Master and Slaves.
    To trust a slave it is necessary that you trust the JVM used to launch the slave.
    That JVM can then fork less trusted JVMs for the builds if you want to.
    SCM security is a bigger risk
    Can fork threads, etc. as the user running the build
    Checklist
    • Only run builds on slaves
    • Use VM for slaves & reset VM image after every build
    • Launch slave process with a read-only JVM
    • Access to slaves should be as restricted as the Master
    • Install build tools read-only
    Master / Slave security
    Take Away
    SCM security sets the upper bound
    • Jenkins Security Architecture
    Authentication Plugins
    Active Directory
    Atlassian Crowd
    LDAP
    Open ID
    Unix PAM
    Authorization Plugins
    CloudBees’ RBAC plugin
    Common Use Cases & Walk-throughs
    Questions & Answers
    Overview
  • Authentication Plugins
    Who are you and how can you prove it to me…
  • Not all plugins implement every feature
    Key features to check for are:
    Supports signup
    Provides group details
    Supports group lookup
    Can logout
    You may not need all/any of the above, but it may restrict your choice of Authorization Strategy.
    Authentication Plugins
  • Authenticates the username and the password through Active Directory
    Actually multiple implementations under the hood and one is chosen based on your environment
    Active Directory (plugin)
    Notes:
    Jenkins does not have to run on Windows to use this.
    Can require a correctly configured DNS for Active Directory
  • Authenticates the username and password through Atlassian Crowd
    Does not currently support SSO
    Atlassian Crowd (plugin)
    Notes:
    • CloudBees have a fix for the group lookup issue currently under test
  • Authenticates the username and the password against a basic built-in database
    Jenkins’ own user database (core)
    Notes:
    Not recommended for public facing instances.
  • Authenticates the username and the password through LDAP
    Every LDAP server is different
    • Very flexible
    • Harder to configure than some of the other providers
    LDAP (core)
    Notes:
    Can use for Active Directory
    • No RFC covering how to map groups in LDAP
    • Group details may be unavailable
  • Authenticates the user via OpenID provider(s)
    User is sent to the OpenID provider when required to authenticate
    Supports the OpenID team extension => group details
    OpenID (plugin)
    Notes:
    This plugin has a special “on-the-side” mode whereby users can link their OpenID identities with e.g. their Active Directory user account
  • Authenticates the username and password through Unix Pluggable Authentication Modules
    Requires that Jenkins be running on Linux / Mac OSX / Unix
    Unix PAM (core)
    Notes:
    Very quick to set up
    Handy if you already have a federated PAM configuration
    If on a public network serve Jenkins over https://
  • Feature Matrix
    • Jenkins Security Architecture
    • Authentication Plugins
    Authorization Plugins
    Matrix Strategy
    Project-based Matrix Strategy
    Role strategy
    CloudBees’ RBAC plugin
    CloudBees’ RBAC plugin
    Common Use Cases & Walk-throughs
    Questions & Answers
    Overview
  • Authorization Plugins
    So tell me… who can do what?
  • A simple matrix of click-boxes.
    Each row is a user/group*
    Each column is a Permission
    * If the Authentication plugin does not support group details then one row is required for each user
    Matrix Strategy (core)
  • A simple matrix of click-boxes.
    Each row is a user/group*
    Each column is a Permission
    Each project can add its own matrix
    Project-based Matrix Strategy (core)
  • Allows grouping permissions into roles
    Roles assigned to users/groups
    ‡ Project roles are defined using a regex for the project name to which the role is restricted.
    * If the Authentication plugin does not support group details then one row is required for each user
    § Requires global Admin role
    Role Strategy (plugin)
  • A simple matrix of click-boxes. Row: role. Column: permission.
    Define groups at any level
    Assign roles to groups
    Filter roles at any level
    CloudBees’ RBAC Plugin (plugin)
  • Feature Matrix
    • Jenkins Security Architecture
    • Authentication Plugins
    • Authorization Plugins
    CloudBees’ RBAC plugin
    Overview
    Inheritance model
    Filtering
    Common Use Cases & Walk-throughs
    Questions & Answers
    Overview
  • CloudBees’ RBAC plugin
    Our take on an Authorization Strategy
  • Roles defined in Nectar
    External Groups from LDAP / AD / Atlassian Crowd / etc
    Local Groups defined in Nectar
    Configure Roles in Local Groups
    Manage membership in Local Groups
    Users / other Local Groups / External Groups
    Role filtering to restrict inheritance
    A layered approach (diagram labels: What, Who, Tweak)
  • Adds new elements to the GUI
  • Groups are defined on objects
    Per-slave permissions
    Per-folder permissions (Folders Plugin)
    Per-module permissions (Maven Projects)
    Role definitions are global
    Role assignments can be scoped
    Object based permissions
  • Plan out your roles
    Enable security
    Add the roles
    Save
    Define Groups
    Remove Admin permissions from Authenticated Role
    Save
    How to deploy
  • Inheritance model: Groups and roles
    Diagram (role Dev assigned to the Devs group and to the Folder A Devs group):
    “Have Dev role if in Devs group or Folder A Devs group”
    “Have Dev role if in Devs group”
  • Inheritance model: Pinned roles
    Diagram (groups Devs and Folder A Devs, role Dev pinned):
    “Have Dev role if in Folder A Devs group”
    “Nobody has Dev role”
  • Filtering
    Diagram (groups Devs and Folder A Devs, role Dev, with filtering applied):
    “Have Dev role if in Folder A Devs group”
    “Have Dev role if in Devs group”
    • Jenkins Security Architecture
    • Authentication Plugins
    • Authorization Plugins
    • CloudBees’ RBAC plugin
    Common Use Cases & Walk-throughs
    Authenticated only
    Public read-only
    Devs vs SQA
    Multi-department
    Secret skunk-works projects
    Questions & Answers
    Overview
  • Common use-cases & Walk-throughs
    You’re not so different… here’s how you might do it…
  • Use case
    System is set up so that only authenticated users can access.
    Authenticated users can do anything.
    Authenticated Only
  • Authenticated Only
  • Walk-through
    Authenticated Only use case
  • Use case
    System is set up so that anonymous users can browse all projects
    Anonymous users cannot access the Job Workspaces, or change/trigger anything
    Authenticated users can do anything.
    Public read-only
  • Public read-only
  • Walk-through
    Public read-only use case
  • Use case
    System is set up so that anonymous users can browse all projects.
    Anonymous users cannot access the Job Workspaces, or change/trigger anything.
    Authenticated Developers can trigger builds.
    Authenticated SQA can delete/tag builds.
    Devs vs SQA
  • Devs vs SQA
  • Walk-through
    Devs vs SQA use case
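An added example of the Devs vs SQA use case, not from the deck: an init.groovy.d script that configures the Project-based Matrix Strategy. It assumes a modern Jenkins with the Matrix Authorization Strategy plugin installed and a Security Realm that provides group details; the group names “developers” and “sqa” and the user “admin” are constructed.

```groovy
// Added example (not from the deck): implements the "Devs vs SQA" use case
// with the Project-based Matrix Strategy. Drop into $JENKINS_HOME/init.groovy.d/.
// Assumptions: Matrix Authorization Strategy plugin installed; the Security
// Realm (LDAP / AD / Crowd) provides group details. The names "developers",
// "sqa" and "admin" are constructed. If the realm has no group support, use
// one row per user instead of a group row, as the Matrix Strategy slide notes.
import hudson.model.Item
import hudson.model.Run
import hudson.security.ProjectMatrixAuthorizationStrategy
import jenkins.model.Jenkins

def jenkins = Jenkins.get()
def strategy = new ProjectMatrixAuthorizationStrategy()

// Anonymous: browse all projects, but no Job/Workspace and nothing that
// changes or triggers anything (no Build, Configure, Create or Delete).
strategy.add(Jenkins.READ, 'anonymous')
strategy.add(Item.READ, 'anonymous')

// Logged-in users get the same baseline explicitly, so the result does not
// depend on how the anonymous row is propagated to authenticated users.
strategy.add(Jenkins.READ, 'authenticated')
strategy.add(Item.READ, 'authenticated')

// Developers may trigger builds.
strategy.add(Item.BUILD, 'developers')

// SQA may delete builds and tag them (tagging a build needs Run/Update).
strategy.add(Run.DELETE, 'sqa')
strategy.add(Run.UPDATE, 'sqa')

// Keep at least one Overall/Administer row or the instance locks you out.
strategy.add(Jenkins.ADMINISTER, 'admin')

jenkins.setAuthorizationStrategy(strategy)
jenkins.save()
```

Because the strategy is project-based, any single job can later add its own matrix (for example extra rows for one team) without touching the global rows above.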
  • Use case
    System is set up so that anonymous users can browse all projects
    Anonymous users cannot access the Job Workspaces, or change/trigger anything
    Authenticated users can do anything to the projects in their department only. For projects outside their department they are like anonymous users.
    Multi-department
  • Multi-department
  • Walk-through
    Multi-department use case
  • Use case
    A secret project is set up for a skunk-works team.
    Only the skunk-works team‡ can see the secret project.
    The skunk-works team are not otherwise restricted.
    ‡Someone with direct disk access to the master may be able to find the skunk-works project. The aim is to hide the project from the GUI.
    Secret skunk-works projects
  • Implementation matrix with each plugin
    Secret skunk-works projects
  • Walk-through
    Secret skunk-works projects use case
    • Jenkins Security Architecture
    • Authentication Plugins
    • Authorization Plugins
    • CloudBees’ RBAC plugin
    • Common Use Cases & Walk-throughs
    Questions & Answers
    Overview
  • Support
    Nectar
  • Releases every 6 months.
    Supported for 18 months.
    Patches every 6 weeks.
    Plugins supported for life of underlying release
    Support all plugins
    Nectar 10.10 and Nectar 11.04 released
    Nectar
  • CloudBees Resources Page
    http://www.cloudbees.com/support.cb
    Try DEV@cloud & RUN@cloud
    https://grandcentral.cloudbees.com/account/signup
    CloudBees Eclipse Plugin
    http://cloudbees.com/eclipse-plugin.cb
    DEV@cloud Private Edition Beta Program (DEV@cloud for private clouds)
    http://www.cloudbees.com/dev-pe.cb
    CloudBees Resources
  • Questions & Answers
    And if the questions are too tough, we’ll answer offline…
  • Raise your hand if you have a question and type your question into the question box…
    Harpreet is keeping track of who is next…
    We will unmute you while it is your Q&A…
    If an answer is going too long, or we need to check some specifics we will distribute the answer off-line.
    Questions & Answers