We have Jenkins setup in our organisation with two organisational folders which basically does builds for repo's from two different github organizations.
We use Keycloak to authenticate to Jenkins. (Not sure if that's relevant or not) and we authenticate using openid connect with Keycloak.
I would like to know if it is possible to restrict access for a certain group of users to only be able to view builds on one of the github organizations. So for example if we have two github organizations: mrrobot_org and evilcorp_org, then I would like to be able to make an evilcorp_org_devs_group and add users to that group which would then restrict those developers from only accesing builds from the evilcorp_org github organization.
Someone told me this might be possible to do from Keycloak, but it does not seem likely.
I've tried quite a few things already but from what I've read the best option seems to use this plugin
https://plugins.jenkins.io/role-strategy/
and match the organzation using a regex to match a folder:"Folders can be matched using expressions like
^foo/bar.*".
Any other suggestions how I could do this?
Thanks so much.
For anyone reading this. I ended up using the Folder auth plugin for Jenkins.
I ended up sticking to Keycloak for Authentication, but used the folder auth plugin for Authorization.
So this allows me to restrict access per Jenkins folder. Each folder containing the builds of a given github organization.
The plugin is pretty easy to use. You can check it out here:
https://github.com/jenkinsci/folder-auth-plugin
The docs are here:
https://github.com/jenkinsci/folder-auth-plugin/blob/master/docs/usage.md
Related
I've got Artifactory set up to allow SSO via an OIDC client in Keycloak. Keycloak talks to Active Directory in the background. I've also got the same Active Directory configured within Artifactory. I've also configured Keycloak to provide user groups in the userinfo structure.
What I'm trying to do is to get OAuth users to automatically be added to the imported LDAP groups within Artifactory. I don't mind if this is done via the userinfo structure or via a separate LDAP lookup when a user logs in. However I can't seem to figure out how to achieve this.
I know that Artifactory provides a plugin called synchronizeLdapGroups.groovy, which seems to advertise doing what I need, however it seems like the plugin is not actually taking effect. That is to say, users do not end up with the permissions that being in the LDAP groups would provide.
I've attempted to write a plugin myself to do what I need, but when I make the API call to add the groups to the user, the plugin crashes. It's unclear why at this point.
It seems like others have used the SCIM feature in Artifactory for something akin to this (mostly via SAML rather than OIDC though), however Keycloak doesn't support SCIM out of the box and the SCIM plugin I've tried using has similarly given me no results.
Has anyone done something similar to this, and has a working solution I could follow?
If it's a specific group you want all users to be in you could try:
Under Security - OAuth SSO settings tab - check "Auto Create Users"
Under Identity and Access - Groups - select the specific group and check "Automatically Join New Users To The Group"
I'm guessing you want to automatically sync user-group association between Keycloak and Artifactory. SCIM is what you're looking for but there's a known issue specifically with Keycloak SCIM plugin.
We're looking into the SCIM plugin for Keycloak (can't commit on a specific timeline for a fix but it should be sometime this quarter).
If you only need the association in the UI you could try SAML with "Auto associate groups" set. It won't apply the groups association for APIKey/Token calls but it would work for the UI.
EDIT:
after further investigation github.com/Captain-P-Goldfish/scim-for-keycloak isn't relevant here - it makes keycloak a SCIM client, not a SCIM server. There's no official support of SCIM in keycloak, see issues.redhat.com/browse/KEYCLOAK-2537 . and there's no working plugin for keycloak that makes it a SCIM server that I could find (tried a few, all broken). For now Artifactory can't support SCIM with Keycloak
Is there a way to share Jenkins service endpoint credentials across multiple TFS projects? We have close to 30 projects, and each build requires us to configure the same set of credentials.
I would like to set an environment variable or something that would allow us to manage those credentials in one place for all TFS projects.
For a specific project, you click the gear here:
And then enter the credentials here:
This is not possible yet, there is a Feature Request about it, you can up vote there.
To automate the process you can create the Jenkins endpoints with the Rest API Endpoints - Create.
No. Service connections are scoped at the Team Project level. Team Projects are intended to be largely isolated from one another, so there is limited ability to share things between them. If you need to manage a service endpoint across many projects, you'll need to look at the REST APIs and write a programmatic solution.
How can I add a limited access account for jenkins automation when I'm using Global GitHub OAuth Settings?
I'm using GitHub OAth for login to jenkins and I have python jenkinsapi scripts that I want to run as a user with read only access. At present, all my users are github users.
I can create a github account without access to my repositories and then limit that accounts access to jenkins but this seems cumbersome.
Is there a way to use multiple security realms or to create local users?
It seems that when jenkins contains a local user, that the plugin uses this first (plugin-source)
If you look at Manage Jenkins->Configure Global Security, you can see that you can select only one security realm.
I would say, for Jenkins use create a github service account specifically that user can be restricted to just a few repositories. You can also look at matrix based security or project based matrix security if you want to restrict authorization further
I am after a better solution for security in Jenkins. After my play around this space, my current solution is to implement the 'Project-based Matrix Authorization Strategy'. I was previously considering running Jenkins behind Apache and control security through Apache. But during my trial with matrix based security, I was able to assign full access to logged in users and block anonymous users from seeing anything on the dashboard except login-page.
Before I proceed with my beta servers, I would like to seek experts advice to understand what I am doing is correct ?or there is a better way to do this. At the moment I have around 30 users created in my system.
If matrix based solution is the best and easiest, I would like to know,
1) Is it possible to group users and assign access based on groups ? So that I don't have to give users on individual basis
2) I also saw a post about 'Role strategy plug-in', but I couldn't see that in my Jenkins. Not sure if this plug-in out of date and/or nomore supported
Thanks in advance.
I'm using the Role Strategy plugin with a LDPA directory and it works well.
You just have to install this plugin on your Jenkins server and to switch from "Matrix-based security" to "Role-Based Strategy".
Next, you will be able to define roles:
And assign them to users (or LDAP groups, if you have a LDAP directory):
I'm trying to create an oauth2 token for an organization. This seems to be impossible (or at least I'm not finding it). This will be used for various one of scripts (non-web use). This is also for an enterprise github (github.company.com/api/v3 vs api.github.com).
I created one under my user like this:
curl -u 'username:password' -d '{"scopes":["scripts!"],"note":"test?"}' https://github.company.com/api/v3/authorizations
and that worked as expected. What I can't figure out is the magical way to do this under an organization since an organization doesn't have basic auth credientals. I haven't been able to find any documentation that tells me how to give something a client id/secret and get an oauth token out of it, which seems like the thing I would want to do.
If anyone could help that would be much appreciated.
At the moment of this writting this is not supported
You can't create a token for the org directly, but if you have a dev account that has full access to the org, you can do this (sort of), just in a round about way.
Create the oauth token for that dev account.
When registering the token with a 3rd party (e.g. Confluence, Jira, etc...) you can specify the org as the "Team"/"Owner".
This will use the dev accounts credentials but only grant access to things under the org (not full access to the dev account's repos, etc...).
I came across your question when trying to link a github org account with my company's Jira account, so figured I'd share.
Hope that helps.
I'm pretty sure that's not possible currently. As you say -- the organization itself doesn't have any credentials associated with it. So, the only way to do it is to do it yourself, as a developer, with your credentials.
This might be a cool feature request to send to the GitHub folks.
Update: this setting is now under
Developer settings > OAuth Applications