I'm using the Authorize User plugin in Jenkins, and I'm trying to setup a multi-tenant jenkins with genuine access control. I want to have a folder with a set of jobs which group A can see, and another folder with another set of jobs which group B can see.
At the master/controller, the $JENKINS_HOME/jobs/ folder creates a new job folder when a build is triggered. However this folder is created as the SYSTEM user, not the build user. The issue is although I could just put the build user into the SYSTEM user's group, this would ALSO give them access to any job on the filesystem, not just the folder they should have.
Is there a way to configure what user:group is set when a job folder is created?
Perhaps this helps:
https://support.cloudbees.com/hc/en-us/articles/204173600-How-do-I-limit-users-access-to-the-folders-to-which-they-belong-to-?page=94
It should also work with vanilla Jenkins.
Warning: untried ;-)
Related
I have set up a Jenkins server which builds multiple projects using "Github Organisation" Items. I now want to restrict some credentials so they can only be used in specific organisations.
I figured this should be possible, since such a Multibranch project just creates folders and the folder plugin integrates with the credentials plugin.
However, I have not found any documentation on how to restrict credentials to folders (only that it is possible).
In the meantime, I found out myself.
While being in a folder (or github organisation/multibranch project), click on "Credentials" (left sidebar).
After that, the same credentials entry gets a child entry, called "Folder". Click on it, and you can edit the credentials(-domains) scoped to the folder like usual.
Current Limitation: The folder plugin does only support "Username with password" credentials.
So I have been asked to create a job on a Jenkins system that is on the university servers. The problem is I was asked to create it in a specific folder. However I accidentally created in the root folder. Is there a way to move the job from the root to the specific folder or do I have to delete it and create a new one?
There is a move option on the GUI:
Stand on the little triangle near the job you want to move/copy/delete, and on the popup menu - choose the wanted operation. On move you can move to another folder.
But, There is also an open issue about this (opened on 2016):
https://issues.jenkins-ci.org/browse/JENKINS-35093
I had to restart Jenkins after doing it to a job with some history.
So maybe re-create/copy and delete is a better solution (but no history is saved).
Go to your job's configuration page and from 'Advanced Project Options' check 'Use custom workspace'. Enter the path of the directory where you want the files to be created.
I have multiple users on a Jenkins server, each with their own credentials for external secured servers needed to run their builds. I am using the credentials plugin to manage the stored credentials. Currently, when a user configures a project, they can use anyones credentials for doing external jobs. I need to make it so that each user only sees the credentials they own when they configure jobs on the jenkins server. How would I do this?
The Folders plugin allows to limit the scope of credentials to a specific folder.
If you're fine with restricting access of different users to different folders (e.g., with the Role Strategy plugin), then this could be a solution.
Just create the folder, enter the folder, then select the "Credentials" link on the sidebar. A new link should appear called "Folder" click that and then define your credentials. Jobs in other folders will not be able to use those.
I followed Empower Jenkins with Artifactory video on YouTube. Basically, I added a new user to artifactory and granted it deploy permissions. Then I configured system configuration on Jenkins and tested that the configurations were right.
I created a new job and tried to set the deployment task to deploy it to artifactory. The problem is there is no repository on the dropdown.
I want to know how to fix this.
Try saving the job and reloading it.
The logic behind this behavior is to avoid a long list of repositories. Some users have hundreds of local repositories which takes a long time to display. By entering credentials, you can display a filtered list containing only relevant repositories.
There is an open issue to add a refresh button so there will be no need to save the job prior to displaying the list.
Update
This issue was resolved with the release of version 2.2.3 of the plugin. For more info see HAP-483
Is there a way to restrict a build step for a user. I have added a build step using the templates plugin, this template is for the deployment.
I do not want any users who has access to create a job or modify a job to be able to use this build step. The new build step that has been added should only be used by the the administrator.
If people can modifying Job configuration, they can get around any limitation you would place.
If your step can be executed post-build, I suggest to take a look at Promoted Builds plugin. The promotions can be configured to be limited to certain users only. But again, if a user has ability to change job configuration, they can overcome that easily.
The only way I can think of, is to have an external script (or preferably a compiled program than cannot be simply "read" with text editor) that is expecting a password that only you now, before executing whatever secret stuff that you want.