Enabling advanced use cases: cross-master triggers and bulk operations

2 minute readSecurity

For some advanced use-cases, administrators will need to further tweak the cluster’s security configurations to ensure connected masters have the correct permissions for those use cases.

Configuring permissions for cross-master triggers

If all masters in the CloudBees CI cluster will be Managed Masters and there are teams who will need the ability to promote artifacts and trigger jobs on other teams’ masters, administrators should also configure the CloudBees CI cluster’s Authentication Mapping to Trusted master with equivalent security realm .

This will grant Anonymous users permissions to view a team’s master and job configurations. These permissions will be used by a master in the CloudBees CI cluster to discover any downstream jobs on another team’s that it needs to trigger - e.g. a developer team’s master handing off an artifact to the QA team’s master for testing.

Operations Center acts as a gateway between each of the connected masters, so a request from one connected master to another will first be routed through Operations Center. Each request will be tagged with the authentication that originated the request.

Defining this default authentication mapping strategy standardizes Client Masters’ level of trust or authentication/authorization strategies and enables the cross-master communication necessary for teams to trigger jobs across their masters.

Changing the authentication mapping strategy

For security reasons, the authentication mapping cannot be updated while masters are connected to CloudBees Core.

After changing the authentication mapping, the connected masters must be reconnected to Operations Center because the authentication mapping is installed on connection to Operations Center’s remoting channel.

Configuring permissions for bulk management operations in CloudBees CI

Administrators who anticipate performing bulk maintenance operations against their cluster’s masters and update centers will need to grant the Ad-hoc cluster operations authenticator access control for builds within the Operations Center Global Security Configuration. This option captures which user is performing an ad-hoc cluster operation in Operations Center and will run that operation with that user’s permissions.