You can configure global role-based access control (RBAC) by adding the rbac.yaml file to the configuration bundle. Additionally, the authorizationStrategy attribute must be added to the jenkins.yaml file.
Prerequisites
The following software and plugins must be installed to use RBAC with CasC:
- If using CloudBees CI 2.249.3.1 - 2.303.3.3: CloudBees CasC API Plugin (Deprecated), version 1.2 - 1.41
- If using CloudBees CI 2.319.1.5 or later: CloudBees CasC Client Plugin, version 1.44 or later
- Configuration as Code plugin
Required setup
You can define groups and roles at the controller level using the Configuration as Code (CasC) for Controllers rbac.yaml file.
- Controller authorization strategy: To apply RBAC settings (rbac.yaml) to a controller using CasC, the controller's authorization strategy must not be inherited from operations center. For more information, see Configuring the controller authorization strategy.
- User management: Users need to be created in your CloudBees CI system either by an identity provider (like LDAP) or manually. The examples below assume the users exist.
- Item management: To apply RBAC groups and/or roles to items, the CasC configuration bundle must include an items.yaml file with the defined items. For more information, refer to Creating items with CasC for controllers.
Configuring the controller authorization strategy
To apply RBAC settings (rbac.yaml) to an individual controller using Configuration as Code (CasC) for Controllers, the controller's authorization strategy must not be inherited from the operations center.
If groups and roles are defined in the operations center, or if RBAC is only used with the items.yaml file, you do not need to opt out of inheriting the operations center's authorization strategy.
To configure the controller authorization strategy:
- Ensure you are signed in to the operations center as a user with the Administer permission.
- From the operations center dashboard, in the left pane, select Manage Jenkins.
- Select Configure Global Security.
- Scroll down to Client controller security and select Allow client controllers to opt-out.
- Select Save.
  For more information on how to customize the authorization strategy for an individual controller, refer to Configuring SSO in operations center.
- From the operations center dashboard, select the down arrow to the right of your controller's name, and then select Configure.
  Figure 1. Controller dropdown menu
- Scroll down to Security Setting Enforcement and select either Enforce Authentication only or Opt out of all security enforcement.
For more information on how to customize the authorization strategy for an individual controller, refer to Configuring options for individual controllers.
Exporting RBAC configurations
You can export role-based access control (RBAC) configurations from an existing controller. For more information, refer to Exporting a CasC configuration.
The exported file should be used as a starting point, as it may require modifications and adjustments to make it production-ready.
Example CasC configuration bundle with RBAC
For this example, we will create four groups:
- Administer: Full permissions on the controller.
- Manager: Can manage the controller with the Overall.MANAGE permission.
- Developer: Can create pipelines/jobs and use them.
- Browser: Read-only users.
bundle.yaml
apiVersion: "1"
id: "0-casc-with-rbac"
description: "Bundle demo with rbac"
version: "1"
plugins:
  - "plugins.yaml"
jcasc:
  - "jenkins.yaml"
catalog:
  - "plugin-catalog.yaml"
rbac:
  - "rbac.yaml"
plugins.yaml
plugins:
  - {id: configuration-as-code}
  - {id: cloudbees-casc-api}
  - {id: manage-permission}
  - {id: nectar-rbac}
plugin-catalog.yaml
type: "plugin-catalog"
version: "1"
name: "cloudbees-assurance-program-extensions"
displayName: "Extensions to the CloudBees Assurance Program (CAP)"
configurations:
  - description: "Extensions to the CAP"
    includePlugins:
      manage-permission: # (1)
        version: 1.0.1 # (2)
(1) Add the manage-permission plugin to enable the Overall/Manage permission. This plugin is not required to configure RBAC with CasC.
(2) Replace 1.0.1 with the most recent version.
jenkins.yaml
jenkins:
  systemMessage: "Configured automatically by Configuration as Code - with RBAC \n\n"
  authorizationStrategy: "cloudBeesRoleBasedAccessControl" # (1)
(1) Mandatory to use CloudBees RBAC configured with CasC.
rbac.yaml
removeStrategy:
  rbac: "SYNC" # (1)
groups:
  - name: Administrators
    members:
      users:
        - admin-user
    roles:
      - name: administer-role
        grantedAt: current # (2)
        propagates: 'false'
  - name: Managers
    members:
      users:
        - manager-user
    roles: # (3)
      - name: manager-role
        grantedAt: current
  - name: Developers
    members:
      users:
        - dev-user
      internal_groups: # (4)
        - Managers
      external_groups:
        - ldap-developers
    roles: # (5)
      - name: developer-role
        grantedAt: child
  - name: Browsers
    members:
      users:
        - read-user
      internal_groups:
        - Administrators
        - Managers
        - Developers
    roles: # (6) (7)
      - name: browser-role
roles:
  - name: administer-role
    filterable: 'false'
    permissions:
      - hudson.model.Hudson.Administer
  - name: manager-role
    filterable: 'false'
    permissions:
      - hudson.model.Hudson.Manage
      - hudson.model.Hudson.Read
  - name: developer-role
    filterable: 'true'
    permissions: # (8)
      - hudson.model.Hudson.Read
      - hudson.model.View.Delete
      - hudson.model.Item.Promote
      - hudson.model.View.Configure
      - hudson.model.Item.Configure
      - hudson.model.Item.Cancel
      - hudson.model.Item.Read
      - hudson.model.Item.Build
      - hudson.model.Item.Discover
      - hudson.model.Hudson.Read
      - hudson.model.Item.Create
      - hudson.model.View.Read
      - hudson.model.View.Create
      - hudson.model.Item.Delete
  - name: browser-role
    filterable: 'true'
    permissions:
      - hudson.model.Hudson.Read
  - name: authenticated # (9)
    filterable: 'false'
    permissions:
      - hudson.model.Hudson.Read
  - name: anonymous # (10)
    filterable: 'false'
(1) For security reasons, SYNC is used here so that groups and roles are removed from CloudBees Continuous Integration when they are removed from this file.
(2) Other options that could be used here include "child" or "grandchild".
(3) If propagates is not included, the default value is "true".
(4) Team managers are also members of the developer group. Group names are matched as written, so the entry must match the name of the Managers group exactly.
(5) If propagates is not included, the default value is "true".
(6) If grantedAt is not included, the default value is "current".
(7) If propagates is not included, the default value is "true".
(8) The list of permissions (Permission.id) to grant this role.
(9) Overriding the RBAC embedded role to lower the permissions.
(10) Overriding the RBAC embedded role to lower the permissions. If no list of permissions is included, the role has no permissions.
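As an added example that is not part of this page or of CloudBees' own tooling, the following Python checks a parsed rbac.yaml for the pitfalls the callouts describe (a remove strategy other than SYNC, groups or roles referenced but never defined, roles that grant no permissions) and reports which users end up with Overall/Administer once nested internal_groups are expanded. The functions lint_rbac and effective_users and the SAMPLE document are constructed here; the input is assumed to be the dict that yaml.safe_load would return for the file.

```python
# Added example (not CloudBees tooling): checks over a parsed rbac.yaml; SAMPLE mirrors the page's file.
ADMINISTER = "hudson.model.Hudson.Administer"
SAMPLE = {  # constructed sample, reduced from the page's rbac.yaml
    "removeStrategy": {"rbac": "SYNC"},
    "groups": [
        {"name": "Administrators", "members": {"users": ["admin-user"]},
         "roles": [{"name": "administer-role", "grantedAt": "current", "propagates": "false"}]},
        {"name": "Managers", "members": {"users": ["manager-user"]}, "roles": [{"name": "manager-role"}]},
        {"name": "Developers", "members": {"users": ["dev-user"], "internal_groups": ["Managers"]},
         "roles": [{"name": "developer-role", "grantedAt": "child"}]},
        {"name": "Browsers", "members": {"users": ["read-user"], "internal_groups": ["Administrators", "Managers"]},
         "roles": [{"name": "browser-role"}]},
    ],
    "roles": [
        {"name": "administer-role", "permissions": [ADMINISTER]},
        {"name": "manager-role", "permissions": ["hudson.model.Hudson.Manage", "hudson.model.Hudson.Read"]},
        {"name": "developer-role", "permissions": ["hudson.model.Hudson.Read", "hudson.model.Item.Build"]},
        {"name": "browser-role", "permissions": ["hudson.model.Hudson.Read"]},
        {"name": "anonymous"},  # no permissions list, so the role grants nothing (callout 10)
    ],
}

def effective_users(groups, name, seen=frozenset()):
    """Users of a group plus those of its nested internal_groups, cycle-safe."""
    if name in seen or name not in groups:
        return set()
    members = groups[name].get("members", {})
    users = set(members.get("users", []))
    for inner in members.get("internal_groups", []):
        users |= effective_users(groups, inner, seen | {name})
    return users

def lint_rbac(doc):
    """Return (findings, admins): finding strings, and users holding Overall/Administer after expansion."""
    findings, admins = [], set()
    if doc.get("removeStrategy", {}).get("rbac") != "SYNC":
        findings.append("removeStrategy.rbac is not SYNC: deleted groups/roles would linger")
    roles = {r["name"]: r for r in doc.get("roles", [])}
    groups = {g["name"]: g for g in doc.get("groups", [])}
    findings += [f"role {n} grants no permissions" for n, r in roles.items() if not r.get("permissions")]
    for gname, group in groups.items():
        for inner in group.get("members", {}).get("internal_groups", []):
            if inner not in groups:  # names match as written, so "managers" != "Managers"
                findings.append(f"group {gname} nests undefined group {inner}")
        for grant in group.get("roles", []):
            if grant["name"] not in roles:
                findings.append(f"group {gname} references undefined role {grant['name']}")
            elif ADMINISTER in roles[grant["name"]].get("permissions", []):
                admins |= effective_users(groups, gname)
    return findings, admins
```

Running lint_rbac(SAMPLE) flags only the deliberately empty anonymous role and reports admin-user as the sole holder of Overall/Administer; the Browsers group nests Administrators, but that only makes admin-user a browser too, it does not widen who administers.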