Questions:
If I have a user group related to clients added to a repository with read access, would they be able to clone the repository on their local system?
If yes, what measures should I take to keep a group or user restricted to issue tracker only and not the code, means they should be able to create,update and close the issues but they should not be able to clone the repository, is there any way to do it, as I do not want the client to have access to the code until he has paid for the whole project.
Bitbucket's permissions do not support what you want to do.
Users with read access can clone the repository:
View, clone, and fork the repository code. All public repositories grant all Bitbucket Cloud users read permissions automatically. Read access on a repository also allows users to create issues, comment on issues, and edit wiki pages.
There is no configuration that permits users to create and freely browse issues while restricting read access to the repository. The most likely setting would be private repository / public issue tracker, but in this case access to the issue tracker for users without repository access is restricted:
Only users who have access to the private repository can create an issue. Other Bitbucket users and any Internet browser can view the issue tracker if you publish the URL.
There may be other services that support your requirements.
Related
We have Jenkins setup in our organisation with two organisational folders which basically does builds for repo's from two different github organizations.
We use Keycloak to authenticate to Jenkins. (Not sure if that's relevant or not) and we authenticate using openid connect with Keycloak.
I would like to know if it is possible to restrict access for a certain group of users to only be able to view builds on one of the github organizations. So for example if we have two github organizations: mrrobot_org and evilcorp_org, then I would like to be able to make an evilcorp_org_devs_group and add users to that group which would then restrict those developers from only accesing builds from the evilcorp_org github organization.
Someone told me this might be possible to do from Keycloak, but it does not seem likely.
I've tried quite a few things already but from what I've read the best option seems to use this plugin
https://plugins.jenkins.io/role-strategy/
and match the organzation using a regex to match a folder:"Folders can be matched using expressions like
^foo/bar.*".
Any other suggestions how I could do this?
Thanks so much.
For anyone reading this. I ended up using the Folder auth plugin for Jenkins.
I ended up sticking to Keycloak for Authentication, but used the folder auth plugin for Authorization.
So this allows me to restrict access per Jenkins folder. Each folder containing the builds of a given github organization.
The plugin is pretty easy to use. You can check it out here:
https://github.com/jenkinsci/folder-auth-plugin
The docs are here:
https://github.com/jenkinsci/folder-auth-plugin/blob/master/docs/usage.md
I'm looking to test automated container builds on Dockerhub, and I see that I need to link my github account to my hub.docker.account.
However, when I click on the 'connect' button, I'm taken to a github authorization page that says:
Docker Hub Builder by docker wants to access your larryms account
Repositories
Public and private
This application will be able to read and write all public and private repository data.
This includes the following:
- Code
- Issues
- Pull requests
- Wikis
- Settings
- Webhooks and services
- Deploy keys
- Collaboration invites
This seems far too permissive and overly broad; if I'm understanding it correctly, I need to grant Docker Hub Builder read & write access to all my github repositories, both public and private.
Is there any way to do this using the principle of least privilege, eg only granting Docker Hub Builder necessary rights (hopefully read only) only to specific github repos?
OAuth scopes on GitHub are indeed wide (see https://developer.github.com/apps/building-oauth-apps/understanding-scopes-for-oauth-apps/#available-scopes, where you cannot grant read access without granting write access as well). However, the scopes are applied together with the actual permissions the user has on the repo in question. That is, if the user has only read access to repo X, and the user granted an oauth token with read & write scope to dockerhub, dockerhub would only be able to read from repo X on behalf of this user. If the user gets admin access to repo X later on, the already granted access token will not allow admin access, as the scope of the token allows read & write access only.
With this in mind, you can create a dedicated user for dockerhub in your github org, and grant this user read access to relevant repos. Then connect dockerhub to your github account with this user, granting just read access to the selected repos.
I'm having a team in BitBucket which has around 200+ members & 500 repositories. I wanted do some auditing of all repos & using BitBucket API for most of my work. I came across a requirement where I need to find out Admin members of each repos ( even one repo at a time will do), I read documentation but didn't find anything useful.
Can someone could guide me on this.
Thanks,
Meghanand
There's this rest api defined to get the users of a repository with their permissions in the below link for BitBucket stash.
/rest/api/1.0/projects/{projectKey}/repos/{repositorySlug}/permissions/users.
May be this can be extended to BitBucket Cloud.
https://docs.atlassian.com/DAC/rest/stash/3.11.3/stash-rest.html#idp494288
In our GitHub we have around 20 repositories. For the CI Build we have enabled Git polling option.
Our Jenkins master has attached with multiple nodes. For Git Polling we usually add our Jenkins Master ssh key to repective user's GitHub under settings SSH key section. While adding the key getting Error: Key already in use. Let me know to add the same.
As per error message for other repository build we have already added our Jenkins Master key with different user's
account.
A SSH key can only be attached to a single user on GitHub, since it is used to authenticate and authorize this user. There is no way to add to multiple accounts.
GitHub provides a guide about dealing with SSH keys for automated scripts here: Managing deploy keys. The two interesting options are:
Typically, you would use deploy keys to gain access to a repository from a server. Deploy keys have a similar restriction as a user's SSH key though, and can only be attached to a single repository. This reduces the potential damage that can be done if the key is compromised. For build servers they are often not well suited, because it is often not possible to configure authentication per repository.
For your use case, a machine user seems to be the best option. This is a dedicated user account that is only used by your build server. Make sure to use a strong password and two factor authentication for this account, and add Jenkins' master key to it. You can then add the machine user as a collaborator on the repositories you need in Jenkins.
With regards to security, be as restrictive as possible: only the repositories that are required, and only with read permissions. This is also the reason why you should use a machine user instead of an actual user account. For Jenkins, you (usually) don't need write access to a repository. By limiting the access rights for the server key, the impact of a compromised key is reduced.
How can I add a limited access account for jenkins automation when I'm using Global GitHub OAuth Settings?
I'm using GitHub OAth for login to jenkins and I have python jenkinsapi scripts that I want to run as a user with read only access. At present, all my users are github users.
I can create a github account without access to my repositories and then limit that accounts access to jenkins but this seems cumbersome.
Is there a way to use multiple security realms or to create local users?
It seems that when jenkins contains a local user, that the plugin uses this first (plugin-source)
If you look at Manage Jenkins->Configure Global Security, you can see that you can select only one security realm.
I would say, for Jenkins use create a github service account specifically that user can be restricted to just a few repositories. You can also look at matrix based security or project based matrix security if you want to restrict authorization further