Manage Jenkins users roles using external database - jenkins

I'm looking for another way to manage users roles in Jenkins. Until now I'm using Role Strategy Plugin but it's highly inconvinient solution having many roles and users: priviliges table turned into one giant indecipherable matrix.
Is there any way to connect this plugin to an external SQL db, where I could store users and their privileges and change them using queries? Or mabye somehow turning it into DSL job is the solution?

You could possibly use the Active Directory plugin to manage users and roles.
Jenkins stores its information in xml files.
AFAIA, Jenkins doesn't have any plugins to integrate with databases.

Related

Jenkins - Role based authentication - Sing up with default role

I am setting up a Jenkins instance to run static-code-analysis for many projects. Each projects, on their own, create their code-analysis-jobs with their SCM and branches. I have the Role Strategy Plugin plugin installed but struck configuring the system with the below criteria.
The project leads should be able to signup the Jenkins and create/view/modify/run the jobs they only created. (Is it possible for this lead-role user to create user of developer role?)
The developers can view/build the jobs which they have privileges.
The project leads can assign the developers with jobs they can view/run.
How to do this, if at all possible? If not, how other ways you all do it considering the Jenkins to allow users signup, create/manage/run only their jobs (securing the jobs from other users)? (Also, the signed user should not be allowed to administer the Jenkins)
EDIT-1: I have an admin role (myself) user who has the all privileges to configure the system, but the admin to perform the role assignment of every user who signup.
The Role Strategy Plugin should suffice your request.
It even has regex pattern based setting where a user can only see certain projects.
I have been using this plugin extensively and its really helpful.

Jenkins - grant different permissions to different users

I want to be able to distinguish users who are permitted to execute builds on staging env from users who are permitted to deploy on prod.
Is there some kind of roles mechanism in Jenkins? I could not find any reference to it.
Thanks.
You use the Role Strategy plugin to do that.
In the Jenkins admin section, you can create project roles:
Next, you can affect these roles to users or groups (if you are using a user directory like LDAP):
I hope it will help :)

Security options in Jenkins

I am learning Jenkins and i am using version 1.605. I am learning about setting security options in jenkins. I found below options in jenkins configure global security page under the security realms:-
Delegate to servlet container
Jenkins'own user database
LDAP
I want to understand in which scenario, which option should be used?Please help me understand.
The "servlet container" refers to the web server that you are using to host Jenkins, typically Tomcat. The configuration file $CATALINA_BASE/conf/tomcat-users.xml may already be set up and managed by your organization. In this case: "why reinvent the wheel?". Use this if your organization already has a process that manages the Tomcat users configuration. This is also probably the most archaic solution.
The "own user database" is just what it sound like. Instead of relying on something else, Jenkins keeps it's own database of users. You can create and delete users through the Jenkins UI. You can even let new users sign up right from UI. If you don't know what to use, use this one. It's simple and self-contained.
The "LDAP" provides integration with LDAP/ Windows Active Directory. If you are in a corporate/small business environment that already utilizes LDAP for maintaining users and groups, it will be very beneficial to hook into that and off-load user management to the IT team that manages LDAP/AD. Note that unless you are that IT admin, you will need to contact the said admins for connection information/credentials to the LDAP/AD
Slav did a very clear answer.
If you choose the option 2 or 3, you can use the Role Stragegy plugin to create application roles and assign roles to Jenkins users, LDAP users or LDAP static/virtual groups.
If you have a lot of users, this plugin can save your life to assign permissions :)

Implementing security for users in jenkins

I am after a better solution for security in Jenkins. After my play around this space, my current solution is to implement the 'Project-based Matrix Authorization Strategy'. I was previously considering running Jenkins behind Apache and control security through Apache. But during my trial with matrix based security, I was able to assign full access to logged in users and block anonymous users from seeing anything on the dashboard except login-page.
Before I proceed with my beta servers, I would like to seek experts advice to understand what I am doing is correct ?or there is a better way to do this. At the moment I have around 30 users created in my system.
If matrix based solution is the best and easiest, I would like to know,
1) Is it possible to group users and assign access based on groups ? So that I don't have to give users on individual basis
2) I also saw a post about 'Role strategy plug-in', but I couldn't see that in my Jenkins. Not sure if this plug-in out of date and/or nomore supported
Thanks in advance.
I'm using the Role Strategy plugin with a LDPA directory and it works well.
You just have to install this plugin on your Jenkins server and to switch from "Matrix-based security" to "Role-Based Strategy".
Next, you will be able to define roles:
And assign them to users (or LDAP groups, if you have a LDAP directory):

Rails Subdomain Clustering

I am about to be writing a Ruby on Rails app which will use sub-domains to authenticate users. We will have two types of accounts:
user accounts
domain accounts
Users will thus be able to belong to multiple domain accounts using the same credentials. I hope to have the ability for a domain account administrator to be able to search for particular users and add them to their domain.
In addition to simply creating a domain account in the database, I want to setup an actual account on the machine (linux-based) so that users can drop files into a special directory and we can run some scripts to import that new data. Alternatively, I may write a client/server script to make this process easier.
All of this I believe I can do, however, as soon as the project attains a certain number of domain accounts, it will be necessary to figure out how to cluster the domain accounts appropriately so that we can have multiple machines.
From a database standpoint, this is fairly easy and there are lots of tutorials on how to cluster MySQL or whichever SQL server I decide to use. So my question really pertains more to machine accounts as well as how to cluster a Rails app.
If you want a comparison, think of this project like GitHub or Beanstalk but with data that isn't source control related.
Does anybody have any experience with this or know of any really good articles/books to get me started?
Thanks very much!
I suggest you look at using one of the PAM modules that lets you do account authentication against a SQL database. That way you just add the domain account to the SQL database and you get UNIX accounts (on all your servers) automagically, for free. So the clustering should just happen for free too...

Resources