jenkinsci/role-strategy-plugin

Oleg Nenashev

@oleg-nenashev

@Rupsa-Sarkar if you try to restrict Build permissions, you need a a Queue Item Authenticaror plugin to be installed, e.g. Authorize Project

Rupsa-Sarkar

@Rupsa-Sarkar

@oleg-nenashev I did use the Authorize Project plugin..

this is the setup for the job

this is the Global Security setup

The only other piece of the puzzle is I am using EC2-Plugin for launcing slaves

they are labels properly thoiugh

still it says "user" lacks permission on a slave

Abhyudaya Sharma

@AbhyudayaSharma

@AbhyudayaSharma can I create new roles for agents before the agent actually invoked/created?
I am using an EC2 Plugin and providing static name to agents
so at time init, I can create a agent role e.g "prodslave" in your plugin..and when the actual slave comes up with the name, the rules just applies to it?

@Rupsa-Sarkar Yes, the role would get applied to the agent that gets created as long as the name matches.

To create a role like, the easiest way is to use JCasC. Otherwises, you can either provision a temporary node with the same name and then create the role from the UI. After that, delete the agent - the role will still be there.

Rupsa-Sarkar

@Rupsa-Sarkar

@oleg-nenashev I did use the Authorize Project plugin..

@oleg-nenashev were you able to look into this issue?

Jose Miguel Diaz

@josemdiaza

Is the plugin working fine on Jenkins 2.176.3? I'm not able to see any project after assigning them...

Jose Miguel Diaz

@josemdiaza

Is even working? I've tried in three versions and it didn't worked in any of those.

Jose Miguel Diaz

@josemdiaza

@josemdiaza It's working, but I noticed that it doesn't work in Folders. Is that normal?

Oleg Nenashev

@oleg-nenashev

@josemdiaza it works in folders if regexps are configured properly

Jphyland15

@Jphyland15

Hi, all. I am a relatively new Open Source contributor, and I was hoping that someone may be able to provide some guidance as I try to understand how the code of Role-Strategy works. Specifically, could someone explain where Jenkins stores data about users who are assigned various roles? The reason for this is because I am trying to implement a feature where when a user is assigned a specific role (DevOps Engineer, Cloud Engineer, Trainee, etc.) they would get added to a list that automatically emails members with that specific role details about the status of any jobs/builds that are attached to that role. I feel that it would be relatively simple, if I can access the data, but I cannot figure out where it it stored. I guess the first thing I should ask is if it is even possible.

Jose Miguel Diaz

@josemdiaza

@oleg-nenashev cuold you please give me an example?

Oleg Nenashev

@oleg-nenashev

@josemdiaza For example, FolderA/.* in regexp will make the role apply to all jobs under FolderA in the root. And so on

@Jphyland15 Hi, thanks for the follow-up! The plugin stores its configurations directly in ${JENKINS_HOME}/config.xml. There is a authorizationStrategy section there

Jose Miguel Diaz

@josemdiaza

@josemdiaza For example, FolderA/.* in regexp will make the role apply to all jobs under FolderA in the root. And so on

@oleg-nenashev I've already tried this, and after giving a user the role with FolderA/.* is not able to see Folder A, so what I've noticed today is that you can add a role to match only the FolderA, after that I'm able to see both FolderA and all the jobs under Folder A. I want to know if it's possible to simplify this and make a single RegEx to include the Folder and the Jobs.

Abhyudaya Sharma

@AbhyudayaSharma

@josemdiaza How about FolderA.*? That should match both the folder and the contents inside it.

Oleg Nenashev

@oleg-nenashev

Abhyudaya Sharma

@AbhyudayaSharma

@josemdiaza If you're assigning roles based on Folders, you can also try the new Folder Authorization plugin: https://plugins.jenkins.io/folder-auth

Jose Miguel Diaz

@josemdiaza

@josemdiaza How about FolderA.*? That should match both the folder and the contents inside it.

Ok, I'll try. Thanks :)

@josemdiaza If you're assigning roles based on Folders, you can also try the new Folder Authorization plugin: https://plugins.jenkins.io/folder-auth

I'll take it into account. Thanks @oleg-nenashev & @AbhyudayaSharma ;)!

Jose Miguel Diaz

@josemdiaza

@AbhyudayaSharma patternFolderA.* works as you said. Now, I want to distinguish between -prod and -release jobs. Is this possible?

Jphyland15

@Jphyland15

@oleg-nenashev Thank you! I very much appreciate it!

Oleg Nenashev

@oleg-nenashev

Speaking of Role Strategy, I am about rolling out a new release tomorrow.

Abhyudaya Sharma

@AbhyudayaSharma

@josemdiaza I would say the simplest would be three roles, one for the top-level folder and one for each job inside the folders.

Oleg Nenashev

@oleg-nenashev

Or just .*-release if you want to match jobs in multiple folders

Rupsa-Sarkar

@Rupsa-Sarkar

@oleg-nenashev any clue if you are fixing the Role-Strategy issue with Slaves/Agents that I pointed out?

Oleg Nenashev

@oleg-nenashev

@Rupsa-Sarkar so far there no issue, just a chat conversation. I have not really looked into it after Oct 03, sorry. And I am not able to reproduce it on my instance

@Rupsa-Sarkar if you could submit a ticket with clear repro steps on a clean instance, it would help

Jose Miguel Diaz

@josemdiaza

@oleg-nenashev @AbhyudayaSharma Thanks!!

Jose Miguel Diaz

@josemdiaza

@AbhyudayaSharma patternFolderA.* works as you said. Now, I want to distinguish between -prod and -release jobs. Is this possible?

It works with FolderA(/.*prod)? and the same for release.

Abhyudaya Sharma

@AbhyudayaSharma

@josemdiaza That would work but you will need to remember that FolderA will be covered by two roles. This would a bit confusing in my opinion.

Jose Miguel Diaz

@josemdiaza

@AbhyudayaSharma That's exactly what I need :)

Jose Miguel Diaz

@josemdiaza

@AbhyudayaSharma finally, what I did to match every possible release/prod job and every possible folder or subfolder was:

Dev pattern: (?!.prod)FolderA.*

Rupsa-Sarkar

@Rupsa-Sarkar

@oleg-nenashev I am using the EC2-Plugin and assigned the slave a label "prodslave".. when I try to provide access to this slave to a specific user this way

and the user is assgined to this slave role ..

Rupsa-Sarkar

@Rupsa-Sarkar

Now when user2 is trying to deploy a job it shows me "user2 lacks permission to "EC2 (prodslave) **"

Oleg Nenashev

@oleg-nenashev

@Rupsa-Sarkar the display name of the agent seems to be "EC2 (prodslave) **" IIOC, and hence your regexp pattern will not work. Check the agent URL to make sure

Abhyudaya Sharma

@AbhyudayaSharma

@oleg-nenashev Would it make sense to release Folder auth 1.1 with the changes for human readable permissions in configuration export? Or should we continue with 1.0.3 like before?

Oleg Nenashev

@oleg-nenashev

@AbhyudayaSharma sorry for the review delays. I think it would be 1.1 , because it is a new feature

Abhyudaya Sharma

@AbhyudayaSharma

Thanks! I will try to do the release today.

Abhyudaya Sharma

@AbhyudayaSharma

Folder-auth 1.1 released: https://github.com/jenkinsci/folder-auth-plugin/releases/tag/folder-auth-1.1 🎉

Thanks a lot @casz for your contributions!

Where communities thrive

People

Repo info

Activity