Project Role based authorization on Jenkins
Posted By : Abhishek Kumar | 31-Mar-2017
In latest versions of Jenkins, users are stored in Jenkin's database and has permission "Logged in User can do anything".
There are two ways by which we can implement the Project based authentication.
- Project-based Matrix Authorization Strategy
- Role-based Strategy
"Project-based Matrix Authorization Strategy" is preinstalled and more easy to use for individual projects.
"Role-based strategy" is preferred when number of projects in Jenkins is very large. It uses pattern to match project names.
Project-based Matrix Authorization Strategy.
To use Project-based Matrix Authorization Strategy, First login with Admin user go to Manage Jenkins -> Configure Global Security.
In "Authorization", Select "Project-based Matrix Authorization Strategy". Then add "Admin" user and check all the checkbox to grant all permission to admin user.
Then add other users and only give them "Overall Read" permission then save. You can give them other permission based on requirement of project but "Overall Read" permission is required or else user will se error like "Overall/Read permission is required".
Now go to Project, say "PROJECT1" and select "Configure".
Check the "Enable Project based security" to enable project based security.
Then add user and give him required permission like check only "BUILD" to give him/her permission to deploy the build.
By this way we can manage each projects authorization.
Role-based strategy is not preinstalled. We need to install it before we can use it.
To Install, Login with Admin user, Then go to Manage Jenkins -> Manage Plugins.
In the "Available" tab search the plugin "Role-based Authorization Strategy" and install and restart Jenkins.
After installing go to MANAGE JENKINS -> CONFIGURE GLOBAL SECURITY. Then enable "Role-based strategy" and save.
Then go to back to MANAGE JENKINS -> MANAGE AND ASSIGN ROLES -> MANAGE ROLE.
First we need to create Role Both user based and Project based.
Now in GLOBAL ROLES, create Two Roles "Admin" and "Dev".
On Admin, Check all boxes to give full permission to Admin Group.
on Dev, check only "OVERALL READ" permission. You grant more permission depending on requirements but Overall read permission is required for user to login or else he will see error "Overall/Read permission is Required"
Now in PROJECT ROLES, Add a project role. Give name of the role in "Role to Add" and name of the project in "Pattern". All projects, slave which matches this pattern will the that role.
Then go to back to MANAGE JENKINS -> MANAGE AND ASSIGN ROLES -> ASSIGN ROLE.
In Global Roles Roles, add user and Give them desired role. Like create user "root" and "Dev1". On root select Admin and on "Dev1" select Dev role.
In Project Roles, add user and Select required roles to it. Then Save.
You can check the permission by login with Admin user and Dev user.
Overall Project-based authorization is good if you have few projects. But if you have large projects then "Role based authorization" provides better way to manage the permissions.
Abhishek is Redhat and AWS Certified and a keen python enthusiast. His hobbies are cycling and volleyball.