Configuring RBAC with CasC

4 minute readScalabilityAutomation

You can configure global role-based access control (RBAC) by adding the rbac.yaml file to the configuration bundle. Additionally, the authorizationStrategy attribute must be added to the jenkins.yaml file.

Prerequisites

The following software and plugins must be installed to use RBAC with CasC:

Required setup

You can define groups and roles at the controller-level using the Configuration as Code (CasC) for Controllers rbac.yaml file.

  • Controller authorization strategy: To apply RBAC settings (rbac.yaml) to a controller using CasC, the controller’s authorization strategy must not be inherited from operations center. For more information, see Configuring the controller authorization strategy.

  • User management: Users need to be created in your CloudBees CI system either by an identity provider (like LDAP) or manually. The examples below assume the users exist.

  • Item management: To apply RBAC groups and/or roles to items, the CasC configuration bundle must include an items.yaml file with the defined items. For more information, refer to Creating items with CasC for controllers.

Configuring the controller authorization strategy

To apply RBAC settings (rbac.yaml) to an individual controller using Configuration as Code (CasC) for Controllers, the controller’s authorization strategy must not be inherited from the operations center.

If groups and roles are defined in the operations center or if RBAC is only used with the items.yaml file, you do not need to opt out of inheriting the operations center’s authorization strategy.

To configure the controller authorization strategy:

  1. Ensure you are signed in to the operations center as a user with the Administer permission.

  2. From the operations center dashboard, in the left pane, select Manage Jenkins.

  3. Select Configure Global Security.

  4. Scroll down to Client controller security and select Allow client controllers to opt-out.

  5. Select Save.

    For more information on how to customize the authorization strategy for an individual controller, refer to Configuring SSO in operations center.
  6. From the operations center dashboard, select the down arrow to the right of your controller’s name, and then select Configure.

    Figure 1. Controller dropdown menu
  7. Scroll down to Security Setting Enforcement and select either Enforce Authentication only or Opt out of all security enforcement.

    For more information on how to customize the authorization strategy for an individual controller, refer to Configuring options for individual controllers.

Exporting RBAC configurations

You can export role-based access control (RBAC) configurations from an existing controller. For more information, refer to Exporting a CasC configuration.

The exported file should be used as a starting point, as it may require modifications and adjustments to make it production-ready.

Example CasC configuration bundle with RBAC

For this example, we will create four groups:

  1. Administer: Full permissions on the controller.

  2. Manager: Can manage the controller with the Overall.MANAGE permission.

  3. Developer: Can create pipelines/jobs and use them.

  4. Browser: Read only users.

bundle.yaml

apiVersion: "1"
id: "0-casc-with-rbac"
description: "Bundle demo with rbac"
version: "1"
plugins:
  - "plugins.yaml"
jcasc:
  - "jenkins.yaml"
catalog:
  - "plugin-catalog.yaml"
rbac:
  - "rbac.yaml"

plugins.yaml

plugins:
- {id: configuration-as-code}
- {id: cloudbees-casc-api}
- {id: manage-permission}
- {id: nectar-rbac}

plugin-catalog.yaml

type: "plugin-catalog"
version: "1"
name: "cloudbees-assurance-program-extensions"
displayName: "Extensions to the CloudBees Assurance Program (CAP)"
configurations:
- description: "Extensions to the CAP"
  includePlugins:
    manage-permission: (1)
      version: 1.0.1 (2)
1Add the manage-permission plugin to enable the Overall/Manage permission. This plugin is not required to configure RBAC with CasC.
2Replace 1.0.1 with most recent version.

jenkins.yaml

jenkins:
  systemMessage: "Configured automatically by Configuration as Code - with RBAC \n\n"
  authorizationStrategy: "cloudBeesRoleBasedAccessControl" (1)
1Mandatory to use CloudBees RBAC configured with CasC.

rbac.yaml

removeStrategy:
  rbac: "SYNC" (1)
groups:
- name: Administrators
  members:
    users:
    - admin-user
  roles:
  - name: administer-role
    grantedAt: current (2)
    propagates: 'false'
- name: Managers
  members:
    users:
    - manager-user
  roles: (3)
  - name: manager-role
    grantedAt: current
- name: Developers
  members:
    users:
    - dev-user
    internal_groups: (4)
    - managers
    external_groups:
    - ldap-developers
  roles: (5)
  - name: developer-role
    grantedAt: child
- name: Browsers
  members:
    users:
    - read-user
    internal_groups:
    - Administrators
    - Managers
    - Developers
  roles: (6) (7)
  - name: browser-role
roles:
- name: administer-role
  filterable: 'false'
  permissions:
  - hudson.model.Hudson.Administer
- name: manager-role
  filterable: 'false'
  permissions:
  - hudson.model.Hudson.Manage
  - hudson.model.Hudson.Read
- name: developer-role
  filterable: 'true'
  permissions: (8)
  - hudson.model.Hudson.Read
  - hudson.model.View.Delete
  - hudson.model.Item.Promote
  - hudson.model.View.Configure
  - hudson.model.Item.Configure
  - hudson.model.Item.Cancel
  - hudson.model.Item.Read
  - hudson.model.Item.Build
  - hudson.model.Item.Discover
  - hudson.model.Hudson.Read
  - hudson.model.Item.Create
  - hudson.model.View.Read
  - hudson.model.View.Create
  - hudson.model.Item.Delete
- name: browser-role
  filterable: 'true'
  permissions:
  - hudson.model.Hudson.Read
- name: authenticated (9)
  filterable: false
  permissions:
  - hudson.model.Hudson.Read
- name: anonymous (10)
  filterable: 'false'
1For security reasons, SYNC is here to remove groups/roles from CloudBees Continuous Integration when they are removed from this file.
2Other options that could be used here include: "child" or "grandchild".
3If propagates is not included, the default value is "true".
4Team managers are also members of the developer group.
5If propagates is not included, the default value is "true".
6If grantedAt is not included, the default value is "current".
7If propagates is not included, the default value is "true".
8The list of permissions (Permission.id) to grant this role.
9Overriding RBAC embedded role to lower the permissions.
10Overriding RBAC embedded role to lower the permissions. If there isn’t list of permissions included, the role has no permissions.