I am trying to use a Groovy pipeline to grant Overall/Read permission to a newly created user in Jenkins. The plugin we are using to grant overall permissions to users/groups is "Project-based Matrix Authorization Strategy".
I have written the following Groovy script to grant Overall/Read permission to the user, but it overwrites the existing configuration (it removes all the user's configurations of 'Project-based Matrix Authorization Strategy').
Any help is appreciated. Thanks!
Snippet referred from https://github.com/samrocketman/jenkins-bootstrap-shared/blob/main/scripts/configure-matrix-authorization-strategy.groovy
import jenkins.security.*
import hudson.security.*
import hudson.security.ProjectMatrixAuthorizationStrategy
import jenkins.model.Jenkins

// shortName() is called below but was not included in the snippet as posted;
// this stand-in (an assumption) maps e.g. 'hudson.model.View.Create' to 'View Create'.
String shortName(Permission p) {
    p.id.tokenize('.')[-2..-1].join(' ')
}

def authz_strategy_config = [
    strategy: 'ProjectMatrixAuthorizationStrategy',
    user_permissions: [
        'test-user': ['View Create']
    ]
]

// A brand-new, empty strategy object: it holds none of the existing grants.
def authz_strategy = hudson.security.ProjectMatrixAuthorizationStrategy.newInstance()

Map<String, Permission> permissionIds = Permission.all.findAll { permission ->
    List<String> nonConfigurablePerms = ['RunScripts', 'UploadPlugins', 'ConfigureUpdateCenter']
    permission.enabled &&
        !permission.id.startsWith('hudson.security.Permission') &&
        !(true in nonConfigurablePerms.collect { permission.id.endsWith(it) })
}.collect { permission ->
    [ (shortName(permission)): permission ]
}.sum()

authz_strategy_config['user_permissions'].each { u, permissions ->
    permissions.each { p ->
        authz_strategy.append(permissionIds[p], u)
        println "    For user ${u} grant permission ${p}."
    }
}

// configure global authorization
Jenkins.instance.authorizationStrategy = authz_strategy
// save settings to persist across restarts
Jenkins.instance.save()
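Added example, not part of the original post or of the referenced script: a script-console sketch that grants Overall/Read by adding an entry to the matrix strategy Jenkins is already using, so existing grants stay in place. The `grants` map is hypothetical, the user name is the one from the question, and it assumes a plugin version whose `add` and `hasExplicitPermission` still accept the user name as a String (as the `strategy.add(...)` call further down this page does).

```groovy
import hudson.security.GlobalMatrixAuthorizationStrategy
import hudson.security.Permission
import jenkins.model.Jenkins

// Hypothetical input: user name -> permissions to add for that user.
Map<String, List<Permission>> grants = [
    'test-user': [Jenkins.READ]   // Jenkins.READ is Overall/Read
]

def jenkins = Jenkins.instance
def strategy = jenkins.authorizationStrategy

// ProjectMatrixAuthorizationStrategy extends GlobalMatrixAuthorizationStrategy,
// so this check accepts both matrix strategies and refuses anything else
// instead of silently replacing it.
if (!(strategy instanceof GlobalMatrixAuthorizationStrategy)) {
    throw new IllegalStateException(
        "Expected a matrix authorization strategy, found ${strategy.getClass().name}")
}

boolean changed = false
grants.each { user, permissions ->
    permissions.each { permission ->
        if (strategy.hasExplicitPermission(user, permission)) {
            println "User ${user} already has ${permission.id}, nothing to do."
        } else {
            // Adds one entry to the live strategy; other entries are untouched.
            strategy.add(permission, user)
            println "Granted ${permission.id} to ${user}."
            changed = true
        }
    }
}

// Persist only when something was actually added.
if (changed) {
    jenkins.save()
}
```

Because the strategy object is modified in place, the script never assigns a new object to `authorizationStrategy`, which is the step that discards existing entries in the question's version.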
I'm using a shared library to build CI/CD pipelines in Jenkins. In my case, some of the stages need to send execution info through web APIs, so we need to add the stage ID of the current stage to the API calls.
How can I access the stage ID, similar to ${STAGE_NAME}?
I use Pipeline REST API Plugin as well as HTTP Request Plugin
Your methods in Jenkinsfile can look like:
@NonCPS
def getJsonObjects(String data){
    return new groovy.json.JsonSlurperClassic().parseText(data)
}

def getStageFlowLogUrl(){
    def buildDescriptionResponse = httpRequest httpMode: 'GET', url: "${env.BUILD_URL}wfapi/describe", authentication: 'mtuktarov-creds'
    def buildDescriptionJson = getJsonObjects(buildDescriptionResponse.content)
    def stageDescriptionId = false
    buildDescriptionJson.stages.each{ it ->
        if (it.name == env.STAGE_NAME){
            // use the closure parameter; 'stageDescription' was never defined
            stageDescriptionId = it.id
        }
    }
    return stageDescriptionId
}
The question is old, but I found the solution: use some code from pipeline-stage-view-plugin (it looks like it is already installed in Jenkins by default).
We can take the current job (WorkflowRun) and pass it as an argument to
com.cloudbees.workflow.rest.external.RunExt.create, and voilà: we have an object that contains info about the steps and the time spent on its execution.
The full code will look like this:
import com.cloudbees.workflow.rest.external.RunExt
import com.cloudbees.workflow.rest.external.StageNodeExt

def getCurrentBuildStagesDuration(){
    LinkedHashMap stagesInfo = [:]
    def buildObject = com.cloudbees.workflow.rest.external.RunExt.create(currentBuild.getRawBuild())
    for (StageNodeExt stage : buildObject.getStages()) {
        stagesInfo.put(stage.getName(), stage.getDurationMillis())
    }
    return stagesInfo
}
Function will return
{SomeStage1=7, SomeStage2=1243, SomeStage3=5}
Tested with jenkins shared library and Jenkins 2.303.1
Hope it helps someone )
When generating a Service Principal in Azure manually, I'm provided a password as a result of the operation.
That's not the case, however, if I create the service principal with Terraform; the password is not among the outputs of this module:
+ azuread_service_principal.k8s_principal
    id: <computed>
    application_id: "${azuread_application.app.application_id}"
    display_name: <computed>
Is there anything I missed? Why does the Terraform behavior differ in the output compared to the CLI?
password is required INPUT to the azuread_service_principal_password block. As such, you can generate a random password and export it yourself. Complete Terraform code is something like this:
resource "azuread_application" "app" {
  name = "${local.application_name}"
}

# Create Service Principal
resource "azuread_service_principal" "app" {
  application_id = "${azuread_application.app.application_id}"
}

resource "random_string" "password" {
  length  = 32
  special = true
}

# Create Service Principal password
resource "azuread_service_principal_password" "app" {
  end_date             = "2299-12-30T23:00:00Z" # Forever
  service_principal_id = "${azuread_service_principal.app.id}"
  value                = "${random_string.password.result}"
}

output "sp_password" {
  value     = "${azuread_service_principal_password.app.value}"
  sensitive = true
}
For those using a newer version of Terraform: you don't need to preset the password; the following code works fine:
resource "azuread_service_principal_password" "auth_pwd" {
  service_principal_id = azuread_service_principal.auth.id
}

output "auth_client_secret" {
  value       = azuread_service_principal_password.auth_pwd.value
  description = "output password"
  sensitive   = true
}
Then you can run the following CLI command to retrieve the password:
terraform output -raw auth_client_secret
Tested on Terraform 1.0.10, hashicorp/azuread provider 2.11
In the Terraform documentation, the azuread_service_principal block only defines the argument application_id and the attributes id and display_name, so you could only see these resources. Also, the azuread_service_principal_password block allows you to export the Key ID for the Service Principal Password. You still could not see the real password.
In the Azure CLI az ad sp create-for-rbac has an optional parameter --Password. So you could see the password output.
I'm quite new to Jenkins, Groovy and all that, so forgive me if this sounds dumb.
I'm using the Active Choices plugin, and from one of the AC Parameters inside the Groovy script I want to use a different plugin - Artifactory, to fetch a file and display each line inside it as an option.
try {
    def server = Artifactory.newServer url: 'http://localhost:8081/artifactory/', username: 'user', password: 'pass'
    def downloadSpec = """{
        "files": [
            {
                "pattern": "example-repo-local/file.txt",
                "target": "example/"
            }
        ]
    }"""
    server.download(downloadSpec)
    String text = readFile("example/file.txt")
    return text.tokenize("\n")
} catch (Exception e) {
    return [e]
}
However, the Active Choices Parameter doesn't seem to recognize other plugins, and it can't find the Artifactory property:
groovy.lang.MissingPropertyException: No such property: Artifactory for class: Script1
My question is - do I need to import the plugin somehow? If so, how do I determine what to import?
There is an option to also specify an "Additional classpath" near an Active Choice Parameter, but the plugin contains 75 jar files in its WEB-INF/lib directory. (just specifying the artifactory.jar one doesn't seem to change anything)
Just a note - the Pipeline recognizes the Artifactory plugin and it works fine - I can successfully connect, retrieve a file and read it.
I can't find any way to run the Artifactory plugin in a reasonable way, so I think the better option is to use curl and the Artifactory API. For example, my Active Choices Parameter based on a JSON file from Artifactory:
import groovy.json.JsonSlurper

def choices = []
// note: -k tells curl to skip TLS certificate verification
def response = ["curl", "-k", "https://artifactory/app/file.json"].execute().text
def list = new JsonSlurper().parseText( response )
list.each { choices.push(it.name) }
return choices
Is there a way to get the username when a build is aborted by a user?
Preferably using jenkins pipeline code.
When a build is aborted by a user, it logs:
Aborted by <username>
so I hope it is stored as a variable for a brief period.
Use case: username to be later used to inform the user itself or other users via email or other means of messaging.
It seems that an InterruptedBuildAction object is inserted into the list of build actions if a job is aborted. This object can be used to retrieve the user that aborted the build. I use the following function in my Jenkinsfile:
@NonCPS
def getAbortUser()
{
    def causee = ''
    def actions = currentBuild.getRawBuild().getActions(jenkins.model.InterruptedBuildAction)
    for (action in actions) {
        def causes = action.getCauses()
        // on cancellation, report who cancelled the build
        for (cause in causes) {
            // only UserInterruption causes carry a user
            if (cause instanceof jenkins.model.CauseOfInterruption.UserInterruption) {
                causee = cause.getUser().getDisplayName()
            }
            cause = null
        }
        causes = null
        action = null
    }
    actions = null
    return causee
}
In fact you can have this information with the REST API, just use the following URL with an appropriate build:
/api/json?tree=actions[causes[*]]&pretty=true
And you should be able to find the requested information under actions[causes], e.g.:
{
  "_class" : "jenkins.model.InterruptedBuildAction",
  "causes" : [
    {
      "_class" : "jenkins.model.CauseOfInterruption$UserInterruption",
      "shortDescription" : "Aborted by some_user_name"
    }
  ]
},
Unfortunately there seem to be no other solutions at the moment but to tweak Jenkins' code itself and a workaround.
Post-Build actions → Editable Email Notification → Triggers → Add Trigger → Aborted → Send To → Add → Requestor → → ... Jenkins Mailer Plugin:
Sends email to the user who initiated the build.
There's no Aborter to add.
http://<jenkins>/job/<project name>/lastBuild/api/xml shows:
...
<result>ABORTED</result>
...
but there's no info who aborted the build either.
A workaround could be to curl http://<jenkins>/job/<project name>/<build #> in a Post build task script and to grep for <p>Aborted by user username</p>.
To create a new user in Jenkins, the admin needs to provide a username, email ID and password. As an admin, is there a way to add a large number of users to Jenkins at a time by providing their username as their mail ID, display name as their name and a common password*?
*Assuming that password will be reset at the time of each user logging in
I am using the below groovy script to add a user to Jenkins and provide only build permission.
import hudson.model.*
import hudson.security.*
import hudson.tasks.Mailer

def userId = args[0]
def password = args[1]
def email = args[2]
def fullName = args[3]
def instance = jenkins.model.Jenkins.instance
def existingUser = instance.securityRealm.allUsers.find {it.id == userId}
if (existingUser == null) {
    def user = instance.securityRealm.createAccount(userId, password)
    user.addProperty(new Mailer.UserProperty(email));
    user.setFullName(fullName)
    // the cast and the call must be on one line to form a single expression
    def strategy = (GlobalMatrixAuthorizationStrategy) instance.getAuthorizationStrategy()
    strategy.add(hudson.model.Item.BUILD,userId)
    instance.setAuthorizationStrategy(strategy)
    instance.save()
}
The script is invoked using jenkins-cli.
It is easier to connect Jenkins to LDAP. See this plugin here
It looks like the Jenkins CLI doesn't support adding users, but check this one - using a Groovy script you can do it.
Creating user in Jenkins via API
If you want to give specific permissions per job, maybe you can use the CLI get-job & update-job commands.
Or you can try checking this one - Jenkins Add permissions to jobs using groovy - it discusses almost the same ...