Authentication and authorization in Jenkins and Nectar
- 2. Housekeeping
  - The slides will be made available, as well as a link to the replay of this webinar.
  - Links will be sent in an email 2-3 days after the webinar has finished.
  ©2011 CloudBees, Inc. All Rights Reserved
- 4. The Presenters
  - Stephen Connolly: responsible for most of this talk; trying to answer the questions.
  - Harpreet Singh: responsible for ensuring Stephen does not go too fast/slow; keeping track of questions for the Q&A session.
- 5. Overview: what we will be covering today.
- 6. Overview (agenda)
  - Jenkins Security Architecture
  - Authentication Plugins
  - Authorization Plugins
  - CloudBees’ RBAC plugin
  - Common Use Cases & Walk-throughs
  - Questions & Answers
- 7. CloudBees: who are we and what we can do for you?
- 11-13. CloudBees Jenkins Solutions (built up over three slides)
  - CloudBees’ Pro version of Jenkins: proprietary add-ons, stable release cycle, professional support from the experts.
  - DEV@cloud: self-service “Jenkins as a Service”, pay-as-you-go public cloud.
  - DEV@cloud Private Edition: self-service “Jenkins as a Service” for enterprises.
- 14. Agenda: Jenkins Security Architecture (Server security, Security Realms, Authorization Strategies, Master/Slave security); Authentication Plugins; Authorization Plugins; CloudBees’ RBAC plugin; Common Use Cases & Walk-throughs; Questions & Answers.
- 16. Jenkins Security Architecture
  - Security Realm provides user identity.
  - Authorization Strategy provides the user’s permissions for each object.
  - Actions can require a specific permission to be performed.
  - (Diagram labels: Security Realm, Identity, Object, Action, Authorization Strategy, Permission, Access; Security Realm and Authorization Strategy are plugin extension points.)
- 17. Server security
  - Depends on your server:
    - Operating system: Windows, Linux
    - Servlet container: Winstone (java -jar jenkins.war), Tomcat, Jetty, JBoss, etc.
- 24. Server security (cont.): consider Apache HTTPD or nginx if exposing on a public network.
- 25. Security Realms
  - What are they:
    - Core Jenkins extension point for Authentication
    - Responsible for validating user identity
    - Can only select one
    - Default for a clean install: None
  - What is available already:
    - Core: None, Unix PAM, Internal DB, Legacy Container
    - Open Source Plugins: Active Directory, CAS v1, CollabNet, Crowd, MySQL DB, OpenID SSO, Script & Extended Script, SourceForge Enterprise Edition, …
- 26. Authorization Strategies
  - What are they:
    - Core Jenkins extension point for Authorization
    - Responsible for deciding the permissions available to users
    - Can only select one
    - Default for a clean install: Unsecured
  - What is available already:
    - Core: Global Matrix, Project Matrix, Logged-in user can do anything, Legacy Authorization
    - Open Source Plugins: CollabNet, Role strategy, SourceForge Enterprise Edition, …
    - CloudBees’ Plugins: RBAC
- 27. Permissions
  - What are they:
    - The fine-grained activities that can be secured within Jenkins
    - Some permissions aggregate others, e.g. Global Admin implies all other standard permissions
    - Plugins can define their own permissions for their own actions
  - What is available:
    - Overall: Administer, Read
    - Slave: Configure, Delete
    - Job: Create, Delete, Configure, Read, Build, Workspace
    - View: Create, Delete, Configure
    - …
- 29. Use VMs for slaves and reset the VM image after every build.
- 32. Master / Slave security: install build tools read-only. Take away: SCM security sets the upper bound.
- 35. Authentication Plugins
  - Not all plugins implement every feature. Key features to check for are:
    - Supports signup
    - Provides group details
    - Supports group lookup
    - Can log out
  - You may not need all/any of the above, but it may restrict your choice of Authorization Strategy.
- 36. Active Directory (plugin)
  - Authenticates the username and the password through Active Directory.
  - Actually multiple implementations under the hood; one is chosen based on your environment.
  - Notes: Jenkins does not have to run on Windows to use this. Can require a correctly configured DNS for Active Directory.
- 41. Unix PAM (core)
  - Authenticates the username and password through Unix Pluggable Authentication Modules.
  - Requires that Jenkins be running on Linux / Mac OS X / Unix.
  - Notes: very quick to set up; handy if you already have a federated PAM configuration; if on a public network, serve Jenkins over https://.
- 44. Agenda: Authorization Plugins (Matrix Strategy, Project-based Matrix Strategy, Role strategy, CloudBees’ RBAC plugin); CloudBees’ RBAC plugin; Common Use Cases & Walk-throughs; Questions & Answers.
- 46. Matrix Strategy (core)
  - A simple matrix of click-boxes: each row is a user/group*, each column is a Permission.
  - * If the Authentication plugin does not support group details, then one row is required for each user.
- 47. Project-based Matrix Strategy (core)
  - A simple matrix of click-boxes: each row is a user/group*, each column is a Permission.
  - Each project can add its own matrix.
- 48. Role Strategy (plugin)
  - Allows grouping permissions into roles.
  - Roles are assigned to users/groups ‡.
  - ‡ Project roles are defined using a regex for the project name to which the role is restricted.
  - * If the Authentication plugin does not support group details, then one row is required for each user.
  - § Requires the global Admin role.
- 49. CloudBees’ RBAC Plugin (plugin)
  - A simple matrix of click-boxes: row = role, column = permission.
  - Define groups at any level.
  - Assign roles to groups.
  - Filter roles at any level.
- 53. Agenda: CloudBees’ RBAC plugin (Overview, Inheritance model, Filtering); Common Use Cases & Walk-throughs; Questions & Answers.
- 55. A layered approach
  - What: roles defined in Nectar.
  - Who: external groups from LDAP / AD / Atlassian Crowd / etc.; local groups defined in Nectar; configure roles in local groups; manage membership in local groups (users / other local groups / external groups).
  - Tweak: role filtering to restrict inheritance.
- 57. Object based permissions
  - Groups are defined on objects: per-slave permissions, per-folder permissions (Folders Plugin), per-module permissions (Maven projects).
  - Role definitions are global.
  - Role assignments can be scoped.
- 58. How to deploy
  - Plan out your roles
  - Enable security
  - Add the roles
  - Save
  - Define groups
  - Remove Admin permissions from the Authenticated role
  - Save
- 59. Inheritance model: groups and roles (diagram)
  - Root level: Devs group → Dev role. Have Dev role if in Devs group.
  - Folder A: Folder A Devs group → Dev role. Have Dev role if in Devs group or Folder A Devs group.
- 60. Inheritance model: pinned roles (diagram)
  - Root level: Devs group → Dev role. Nobody has Dev role.
  - Folder A: Folder A Devs group → Dev role. Have Dev role if in Folder A Devs group.
- 61. Filtering (diagram)
  - Root level: Devs group → Dev role. Have Dev role if in Devs group.
  - Folder A: Folder A Devs group → Dev role. Have Dev role if in Folder A Devs group (the root-level Dev role is filtered out and not inherited into Folder A).
- 65. Agenda: Common Use Cases & Walk-throughs (Authenticated only, Public read-only, Devs & SQA, Multi-department, Secret skunk-works projects); Questions & Answers.
- 66. Common use-cases & Walk-throughs: you’re not so different… here’s how you might do it…
- 67. Use case: Authenticated Only
  - System is set up so that only authenticated users can access it.
  - Authenticated users can do anything.
- 70. Use case: Public read-only
  - System is set up so that anonymous users can browse all projects.
  - Anonymous users cannot access the Job Workspaces, or change/trigger anything.
  - Authenticated users can do anything.
- 73. Use case: Devs & SQA
  - System is set up so that anonymous users can browse all projects.
  - Anonymous users cannot access the Job Workspaces, or change/trigger anything.
  - Authenticated Developers can trigger builds.
  - Authenticated SQA can delete/tag builds.
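The permission check the deck describes (slide 27: Global Admin implies all other standard permissions), configured as a matrix for this Devs & SQA use case, as an added Python model; it is not Jenkins or CloudBees code. Permission names follow Jenkins’ Overall/Job/Run/SCM naming; the sid model (anonymous, authenticated, groups) and the group names devs and sqa are assumptions.

```python
"""Jenkins-style permission matrix model for the "Devs & SQA" use case.
Added example, not Jenkins or CloudBees code: permission names follow
Jenkins' Overall/Job/Run/SCM naming and the deck's rule that Global Admin
implies every other standard permission; sids and group names are assumed."""

# permission -> the permission that implies it (None for the root);
# simplification: every standard permission hangs off Overall/Administer.
IMPLIED_BY = {
    "Overall/Administer": None,
    "Overall/Read": "Overall/Administer",
    "Job/Read": "Overall/Administer",
    "Job/Build": "Overall/Administer",
    "Job/Workspace": "Overall/Administer",
    "Job/Configure": "Overall/Administer",
    "Job/Delete": "Overall/Administer",
    "Run/Delete": "Overall/Administer",
    "SCM/Tag": "Overall/Administer",
}

# One row per sid (user or group) with its ticked columns: anonymous browses
# only (no Workspace/Build), devs trigger builds, sqa delete/tag builds.
MATRIX = {
    "anonymous": {"Overall/Read", "Job/Read"},
    "authenticated": {"Overall/Read", "Job/Read"},
    "devs": {"Job/Build"},
    "sqa": {"Run/Delete", "SCM/Tag"},
    "admin": {"Overall/Administer"},
}

def sids_for(user, groups=()):
    """'anonymous' when not logged in; else user, 'authenticated' and groups."""
    if user is None:
        return {"anonymous"}
    return {user, "authenticated", *groups}

def has_permission(user, permission, groups=(), matrix=MATRIX):
    """Allow if any sid holds the permission or one that implies it."""
    if permission not in IMPLIED_BY:
        raise KeyError(f"unknown permission {permission!r}")
    sids = sids_for(user, groups)
    p = permission
    while p is not None:
        if any(p in matrix.get(sid, ()) for sid in sids):
            return True
        p = IMPLIED_BY[p]
    return False

def effective_permissions(user, groups=(), matrix=MATRIX):
    """Every permission the user ends up with, implication included."""
    return sorted(p for p in IMPLIED_BY if has_permission(user, p, groups, matrix))
```

Swapping MATRIX for the rows of another use case (for example dropping the anonymous row for "Authenticated Only") reuses the same check unchanged.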
- 76. Use case: Multi-department
  - System is set up so that anonymous users can browse all projects.
  - Anonymous users cannot access the Job Workspaces, or change/trigger anything.
  - Authenticated users can do anything to the projects in their department only. For projects outside their department they are like anonymous users.
- 79. Use case: Secret skunk-works projects
  - A secret project is set up for a skunk-works team.
  - Only the skunk-works team‡ can see the secret project.
  - The skunk-works team are not otherwise restricted.
  - ‡ Someone with direct disk access to the master may be able to find the skunk-works project. The aim is to hide the project from the GUI.
- 80. Secret skunk-works projects: implementation matrix with each plugin (table not captured in this transcript).
- 86. Agenda: Common Use Cases & Walk-throughs; Questions & Answers.
- 88. Nectar
  - Releases every 6 months.
  - Supported for 18 months.
  - Patches every 6 weeks.
  - Plugins supported for the life of the underlying release.
  - Support for all plugins.
  - Nectar 10.10 and Nectar 11.04 released.
- 89. CloudBees Resources
  - CloudBees Resources Page: http://www.cloudbees.com/support.cb
  - Try DEV@cloud & RUN@cloud: https://grandcentral.cloudbees.com/account/signup
  - CloudBees Eclipse Plugin: http://cloudbees.com/eclipse-plugin.cb
  - DEV@cloud Private Edition Beta Program (DEV@cloud for private clouds): http://www.cloudbees.com/dev-pe.cb
- 90. Questions & Answers: and if the questions are too tough, we’ll answer offline…
- 91. Questions & Answers
  - Raise your hand if you have a question and type your question into the question box…
  - Harpreet is keeping track of who is next…
  - We will unmute you while it is your Q&A…
  - If an answer is going too long, or we need to check some specifics, we will distribute the answer off-line.