Introduction
IntroductionPre-installation requirementsInstallingVerifying Docker imagesUninstalling
IntroductionPre-installation requirementsInstallingVerifying Docker imagesUninstalling
IntroductionPre-installation requirementsInstallingVerifying Docker imagesUninstalling
IntroductionPre-installation requirementsInstallingVerifying Docker imagesUninstalling
IntroductionPre-installation requirementsInstallingVerifying Docker imagesUninstalling
IntroductionPre-installation requirementsInstallingVerifying Docker imagesUninstalling
IntroductionSystem requirementsVerifying Docker imagesInstalling operations centerInstalling client controllersVerifying build componentsVerifying WAR files
IntroductionHA (active/active) fundamentalsInstallation on modern cloud platforms (active/active)Installation on traditional platforms (active/active)HA (active/active) considerationsSpecific High Availability (active/passive) installation for CloudBees CI on traditional platforms
Introduction
IntroductionPipeline termsPipeline project typesCloudBees Pipeline benefits
IntroductionUsing Pipeline development utilitiesDetermining plugin compatibilityPipeline best practices
IntroductionPrerequisitesCreating your first PipelineSelecting agentsCreating Pipelines in SCMCreating Pipelines in Web UIUsing Pipeline as Code
IntroductionConfig Adv ScriptedConfig Build StageConfig Deploy StageConfig Optional Step ArgsConfig Test StageCreating JenkinsfileCustomizing ParametersHandling FailuresString InterpolationUsing Multiple AgentsWorking With The Env
IntroductionManaging artifactsTracing artifactsTriggering jobs with a simple webhookRestoring filesVisualizing PipelineInserting checkpointsSecuring PipelinesConfiguring Pipelines with user-scoped credentialsUsing Pipeline PoliciesSpecifying a matrix of one or more dimensionsConverting a Freestyle project to a Declarative PipelinePipeline builds and HA (active/active)
IntroductionRestarting aborted buildsLong-running buildsSkip next buildConsolidated Build View pluginCloudBees Quiet Start pluginCloudBees Template pluginCloudBees Workspace Caching
IntroductionTrigger a job with a notification event using Cross Team CollaborationEnable external notification events with external HTTP endpointsCluster-wide copy artifactsCluster-wide job triggers
IntroductionSetting up a Pipeline Template CatalogDefining Pipeline Template CatalogsSetting Up A Pipeline TemplateUsing parameters in template.yamlManaging multibranch Pipeline options in template.yamlManaging Pipeline Template Catalogs in bulkExample full Maven/Java app Jenkinsfile
IntroductionUsing Declarative Pipeline syntaxUsing Scripted Pipeline syntax
IntroductionBranch SourceBitbucketGitBranch Property StrategyExamples
CloudBees Docker Build and Publish pluginCloudBees Docker TraceabilityDocker Pipeline pluginCloudBees Docker Hub/Registry Notification plugin
Introduction
Introduction
IntroductionGetting startedNavigating the operations centerProvisioning managed controllers in multiple Kubernetes clustersProvisioning agents in a separate Kubernetes cluster from a managed controllerProvisioning a controller in a different namespace than the operations centerProvisioning a controller in a different OpenShift project than the operations centerManaging controllersManage controllers in specific Kubernetes namespacesMigrating an existing managed controller to High Availability (HA)Managing agentsShared agentsShared configurationShared cloud configurationTrigger restrictionsChanging NFS storage locationQuiet startMove/Copy/PromoteCluster operationsInbound agentsUsing KanikoUsing Buildkit (docker buildx)Sidecar injector for self-signed certificates on KubernetesSidecar injector for self-signed certificates on OpenShiftUsing auto-scaling nodes on EKSUsing auto-scaling nodes on GKECloudBees Amazon Web Services Deploy EngineAmazon Web Services CLI PluginCloud Foundry CLI PluginIntegrate OpenShift CLIServiceNow integrationCreating projects based on GitHub repository structureUsing GitHub App authenticationWikiText pluginController Lifecycle Notifications Plugin
IntroductionGetting startedNavigating the Operations CenterManaging client controllersMigrating from High Availability (active/passive) to High Availability (active/active) on CloudBees CI on traditional platformsManaging agentsShared agentsShared configurationShared cloud configurationTrigger restrictionsQuiet startMove/Copy/PromoteCluster operationsJava web start agentsServiceNow integrationCreating projects based on GitHub repository structureUsing GitHub App authenticationWikiText plugin
Introduction
IntroductionTrust modelPod Security AdmissionCentrally managing security for controllersCyberark Credential Provider PluginHashiCorp Vault PluginEnabling advanced use cases: cross controller triggers and bulk operationsRestricting access and delegating administration with Role-Based Access ControlCreating secure folders with Role-Based Access Control Auto ConfigurerRestricting job triggersSetting up operations center access controlsSetting up access controls on connected controllersTesting the SSH connection to an agentConfiguring restricted credentials with the CloudBees Restricted Credentials pluginFoldersFolders PlusInjecting secrets into buildsManaging build agents with Nodes Plus pluginExtended security settingsEnhanced credentials maskingUnderstanding Beekeeper security warningsPreventing unauthorized interaction between buildsSecurity recommendationsUsing single sign-on (SSO)CloudBees CI integration with Microsoft Entra IDoperations center specific permissionsAuthentication mappingExample configurationsDelegating administrationData collection for the CloudBees Analytics PluginExternal secrets managementReplacing an expired certificateList of URLs that need accessBlocking access to URL patterns using the CloudBees Request Filter PluginServing resources from JenkinsVerifying Helm Charts Published with a Signature
IntroductionConfiguring network requirementsCentrally managing security for controllersCyberark Credential Provider PluginHashiCorp Vault PluginEnabling advanced use cases: cross-controller triggers and bulk operationsRestricting access and delegating administration with Role-Based Access ControlCreating secure folders with Role-Based Access Control Auto ConfigurerRestricting job triggersTesting the SSH connection to an agentConfiguring restricted credentials with the CloudBees Restricted Credentials pluginFoldersFolders PlusInjecting secrets into buildsManaging build agents with Nodes Plus pluginUnderstanding Beekeeper security warningsPreventing unauthorized interaction between buildsSecurity recommendationsExtended security settingsUsing single sign-on (SSO)CloudBees CI integration with Microsoft Entra IDOperations Center specific permissionsAuthentication mappingExample configurationsDelegating administrationData collection for the CloudBees Analytics PluginExternal secrets managementList of URLs that need accessBlocking access to URL patterns using the CloudBees Request Filter PluginServing resources from Jenkins
Introduction
Introduction$JENKINS_HOME directoryBest practices for backup and restoreBack up $JENKINS_HOME manuallyRestore $JENKINS_HOME manuallyRestore credentialsConfigure backups using the CloudBees Backup pluginSchedule backups in the CloudBees Backup pluginRestore backups created with the CloudBees Backup pluginBackup and restore on KubernetesBackup and restore on AWSBackup and restore Kubernetes clusters using VeleroRun backups using cluster operations
IntroductionGetting the Jenkins CLI toolUsing the Jenkins CLI toolExamples of usageConfiguring multiple client controllers with the Jenkins CLI toolConfiguring an alias for the Jenkins CLI toolConfiguring Jenkins CLI tool with non-TrustStore SSL certificatesCasC bundle management on operations center
CloudBees Inactive Items Plugin
Jenkins Health Advisor by CloudBees
CloudBees Pull Request Builder for GitHub plugin
Count and monitor user licenses with the CloudBees User Activity Monitoring plugin
CloudBees CI Catalog Plugin - Catalog tool
Introduction
CasC fundamentals
CasC requirements
CasC permissions
IntroductionGetting startedCreating a bundleConfiguring the operations center on modern platformsConfiguring the operations center on traditional platformsRetrieving bundles using SCMUpdating a bundleBundle update timing for the operations centerViewing the operations center update logCreating itemsConfiguring RBACDetermining plugin compatibilityTroubleshooting
IntroductionGetting startedCreating a bundleAdding controller bundles to the operations centerUpdating a bundleBundle update timing for controllersViewing the controller update logConfiguring bundle availabilitySetting up a managed controllerSetting up a client controllerCreating itemsConfiguring RBACDetermining plugin compatibilityAdvanced topicsTroubleshooting
Plugin management with CasC
CasC CLI commands
CasC HTTP API
Support policies

Authentication mapping

5 minute readSecurity

The operations center acts as a gateway between controllers, with requests sent from one controller to another controller and are routed through the operations center. Each request is tagged with the authentication that originated the request. Since different controllers can have different levels of trust, or use completely different authentication or authorization strategies, the operations center administrator must define the default authentication mapping strategy. Optionally, the operations center administrator can also define specific mapping strategies for individual controllers.

In general, requests from a controller have one of two origins:

  • User requests driven via the UI: These requests are tagged with the authentication of the user making the request. An example is using the path browser to select a job to trigger.

  • Build driven requests: For a default installation of Jenkins or CloudBees CI, these requests are tagged with the SYSTEM authentication. The authentication of a build can be modified.

Requests between controllers are mapped twice. The first mapping converts the source controller’s authentication into the authentication for the operations center. The second mapping converts the operations center’s authentication into the authentication for the target controller.

Authentication mapping also takes place for requests originating from the operations center to controllers; such requests are mapped once.

Cluster-wide triggers and authentication mapping

To trigger a job on a target controller, the user and the mapped authentication must have the required permissions:

  • The user triggering the source job must have Job/Build permissions on the source job.

  • The authentication that the source job runs as must have Agent/Build permissions on at least one node that the source job can run on.

  • The mapped authentication that triggers the target job must have Job/Build permissions on the target job.

  • The authentication that the target job runs as must have Agent/Build permissions on at least one node that the target job can run on.

Cluster operations and authentication mapping

When you run a cluster operation that has been configured as a job on the operations center, on a default installation of the operations center, the defined cluster operation runs using the SYSTEM authentication. It is expected that the operations center administrator will restrict the BUILD permission on the cluster operation to those users that are permitted to perform the operation.

Because ad-hoc cluster operations do not have a job where project authorization or control permissions can be configured, the operations center provides a built-in authorization for them. When running an ad-hoc cluster operation from the operations center, the authentication of the operation is always tagged with the authentication of the user who triggered it.

Credentials

By default, if the build authentication has the Job/Build permission, the credentials should include all of the credentials within the scope of the build job. Additionally, any credentials defined in that user’s personal credential store should also be included.

There are two system properties that enable additional permissions to control the credentials available:

  • -Dcom.cloudbees.plugins.credentials.UseOwnPermission=true: Enables the configuration of the Credentials/UseOwn permission.

    Users must have this permission on a job (or Jenkins/Administer that implies this permission) for their personal credential store to be available to the job when running as that user.

    The Credentials/UseOwn permission is normally implied by the Job/Build permission. When you enable the -Dcom.cloudbees.plugins.credentials UseOwnPermission=true system property, the permission changes to being implied by the Jenkins/Administer permission. This allows the configuration to be effectively useful and enables users to trigger builds, but not use their own credentials.

  • -Dcom.cloudbees.plugins.credentials.UseItemPermission=true: Enables the configuration of the Credentials/UseItem permission.

    Users must have this permission on a job (or Job/Configure that implies this permission) for their personal credential store to be available to the job when running as that user.

    If you enable either of these system properties on a controller, and you have configured the operations center to push RBAC to all controllers, CloudBees recommends enabling the system properties on the operations center and all controllers, to ensure role definitions are consistent.

If the plugins that use the credentials and use the credentials API correctly, enabling the Credentials/UseOwn and Credentials/UseItem permissions should allow fine-grained control over what credentials a job has access to when using any plugin that provides authorization for jobs.

Available authentication mapping strategies

The available authentication mapping strategies depends on how you have configured the Client controller security on the operations center:

  • With Do not enforce security settings on controllers, there is no guarantee that controllers are using the same security realm. As such, the username john may refer to different users. In some cases, it may be possible to map, for example, a user ID to/from an email address. Alternatively, there may be specific users the operations center administrator defines static mappings for.

  • With either Single Sign-On (security realm only) or Single Sign-On (security realm and authorization strategy), controllers are guaranteed to use the same security realm, and usernames can be mapped.

The strategies are then broken down in terms of the level of trust that the operations center administrator is prepared to forward to the controller.

  • The highest level of trust assumes that the SYSTEM authentication of the controller can act as SYSTEM on the operations center.

  • An intermediate level of trust would be where the administration of a controller has been delegated to some of that controller’s users. Those users would thus have Jenkins/Administer on the controller but not on the operations center. As such, they could use their super-user permissions as a route to gain additional permissions on the operations center. If you select an authentication mapping that maps SYSTEM when coming from the controller into ANONYMOUS, the operations center administrator can remove the risk. With this mapping, the user authentication can be trusted, and idempotent mapping of usernames (if the security realms are equivalent) is appropriate.

  • The lowest level of trust is to map all of the authentications that come from the controller to the ANONYMOUS authentication. This level of trust is appropriate when the controller integrity is unknown to the operations center administrator. For example, when the ad-hoc or experimental project teams want their controller connected to the operations center, and the operations center administrator does not know what plugins the team is installing.

When you select any strategy other than the highest level of trust, you may need to install a plugin that provides authorization for jobs on all of the controllers, and on the operations center if any inter-controller operations are required.

This is because when build jobs running as SYSTEM have their authentication mapped through the operations center, it is converted to ANONYMOUS, and may not have the required permissions on the target controller.

Change the authentication mapping strategy

Authentication mapping is installed into the remoting channel as the very first step of establishing the remoting connection between the client and the operations center.

For security reasons, the authentication mapping of a connection cannot be updated while the connection is active.

If you reconfigure the authentication mapping, the new authentication mapping is only updated once the controller has been disconnected from and reconnected to the operations center.

Operations Center specific permissions
Example configurations