Sunday, September 3, 2017

Jenkins - Project matrix based strategy

In this next article on Jenkins authorization, we will see how project-based matrix authorization can be implemented in Jenkins. The difference between matrix-based and project-based authorization is this: with matrix-based authorization, users who hold a permission can perform the corresponding actions; with project-based authorization, permissions are set on the jobs that users can work with. Let's see how this works.
1. Choose the Project-based matrix security under "Configure Global Security" in "Manage Jenkins". A matrix appears, along with a text box for adding users. Add the admin user and the worker user as before. Give all permissions to the admin user, and give the worker the Overall Read permission.
2. Save, then go to the specific project that you want your users to execute. Once authorization has been switched to project-based, every project has an option called "Enable project-based security" on its configuration page.
In this example, I have added the worker user and given him the necessary permissions. This needs to be done as a user who has admin access to the job, so that he can give other users access to the job.
3. Now log out and log in as worker to see that he has the execute permission on the job.


Jenkins authorization - Matrix based Strategy

Controlling what users can do when they log in to a Jenkins server is quite important when running a Jenkins server in production. Jenkins provides multiple ways of authorization. When we go to "Manage Jenkins" -> "Configure Global Security", under the Authorization tab we can see the available authorization strategies.
In this article, we will see how Matrix-based security can be used and how it can be implemented. Matrix-based security allows users to be configured in such a way that only users with a specific permission can perform certain actions.
1. Go to "Manage Jenkins" -> "Configure Global Security" and choose "Matrix-based security". We will see a matrix with "user/group" details, and below it a text box for adding users.
2. Now add the admin user first and give it full permissions by selecting every checkbox. This makes sure we have one user who has all permissions to modify things in future and who also works as the admin user.

3. Now go to "Manage Jenkins" -> "Add Users". Create a user "worker" for our session.
4. Now go back to "Manage Jenkins" -> "Configure Global Security" and, in the matrix-based security, add the "worker" user and provide only the access that is necessary. Here, we have given the worker user Read access in the Job section. We also need to give the Overall "Read" permission so that the user has overall read access. Now save the configuration and log out.
5. Once we log in as the worker, we see only the jobs on which the user has read-only permission.
We can see the jobs on which read permission was given. If we try to execute a job, it won't run, as the user does not have enough permissions.

This is how matrix-based security works.
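
The two posts above end with a worker who holds only Overall Read globally and gains the right to run a job through that job's own matrix. As an added example (not code from the original posts), this Python sketch reads the `<permission>` entries from constructed `config.xml` fragments and reports who can build a job; the XML layout, the permission ids (with "execute" taken to mean Job/Build) and the `USER:`/`GROUP:` prefix handling are assumptions about what the matrix plugin writes to disk.

```python
import xml.etree.ElementTree as ET

# Constructed global config.xml fragment: admin has everything, worker only Overall/Read.
GLOBAL_XML = """<hudson>
  <authorizationStrategy class="hudson.security.ProjectMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Administer:admin</permission>
    <permission>hudson.model.Hudson.Read:worker</permission>
  </authorizationStrategy>
</hudson>"""

# Constructed job config.xml fragment with project-based security enabled for worker.
JOB_XML = """<project>
  <properties>
    <hudson.security.AuthorizationMatrixProperty>
      <permission>hudson.model.Item.Read:worker</permission>
      <permission>hudson.model.Item.Build:worker</permission>
    </hudson.security.AuthorizationMatrixProperty>
  </properties>
</project>"""

ADMINISTER = "hudson.model.Hudson.Administer"
BUILD = "hudson.model.Item.Build"

def grants(xml_text):
    """Return the set of (user, permission id) pairs found in <permission> entries."""
    pairs = set()
    for node in ET.fromstring(xml_text).iter("permission"):
        parts = (node.text or "").strip().split(":")
        if parts[0] in ("USER", "GROUP"):  # assumed prefix written by newer plugin versions
            parts = parts[1:]
        if len(parts) == 2:
            pairs.add((parts[1], parts[0]))
    return pairs

def users_with(permission, global_xml, job_xml=None):
    """Global grants apply to every job; a job's own matrix adds to them.
    Simplification: only the 'Administer implies everything' rule is modelled."""
    held = grants(global_xml) | (grants(job_xml) if job_xml else set())
    return sorted({user for user, perm in held if perm in (permission, ADMINISTER)})

def allowed(user, permission, global_xml, job_xml=None):
    """True if the user holds the permission globally or on this job."""
    return user in users_with(permission, global_xml, job_xml)

if __name__ == "__main__":
    print("worker can build with global matrix only:", allowed("worker", BUILD, GLOBAL_XML))
    print("worker can build this job:", allowed("worker", BUILD, GLOBAL_XML, JOB_XML))
    print("everyone who can build this job:", users_with(BUILD, GLOBAL_XML, JOB_XML))
```

Run against the real files under the Jenkins home directory, the same functions give a per-job list of who can trigger builds, which is easier to review than clicking through each job's matrix.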


Saturday, September 2, 2017

Jenkins - Unix users/Groups

Authentication is one of the built-in features available in Jenkins. Jenkins has its own internal database for holding user names and passwords. Jenkins also provides a way to log in using the underlying operating system's user names, so users can log in with their system login credentials. This uses Pluggable Authentication Modules (PAM), and also works fine with NIS.

1. To do this, first change the permissions on the /etc/shadow file so that the jenkins user can read it. This is needed because the Jenkins server runs under the jenkins user ID.

chmod g+r /etc/shadow

2. Now add the jenkins user to the root group, so that the group read permission set above applies to it.

[root@ip-10-149-198-16 jenkins]# usermod -a -G root jenkins
[root@ip-10-149-198-16 jenkins]# groups jenkins
jenkins : jenkins root

3. Once the above changes are done, log in to the Jenkins server with the admin account and, in "Manage Jenkins", select “Unix user/groups” as the authentication method.
Once done, log out; you can now log in using a user name and password from the Unix machine.
This is how we can use our existing system credentials to log in to the Jenkins server.