For some advanced use-cases, administrators will need to further tweak the cluster’s security configurations to ensure connected controllers have the correct permissions for those use cases.
Configuring permissions for cross-controller triggers
If all controllers in the CloudBees CI cluster will be managed controllers and there are teams who will need the ability to promote artifacts and trigger jobs on other teams’ controllers, administrators should also configure the CloudBees CI cluster’s Authentication Mapping to Trusted controller with equivalent security realm .
This will grant Anonymous users permissions to view a team’s controller and job configurations. These permissions will be used by a controller in the CloudBees CI cluster to discover any downstream jobs on another team’s that it needs to trigger - e.g. a developer team’s controller handing off an artifact to the QA team’s controller for testing.
Operations center acts as a gateway between each of the connected controllers, so a request from one connected controller to another will first be routed through operations center. Each request will be tagged with the authentication that originated the request.
Defining this default authentication mapping strategy standardizes client controllers’ level of trust or authentication/authorization strategies and enables the cross-controller communication necessary for teams to trigger jobs across their controllers.
Changing the authentication mapping strategy
For security reasons, the authentication mapping cannot be updated while controllers are connected to CloudBees Core. After changing the authentication mapping, the connected controllers must be reconnected to operations center because the authentication mapping is installed on connection to operations center’s remoting channel. |
Configuring permissions for bulk management operations in CloudBees CI
Administrators who anticipate performing bulk maintenance operations against their cluster’s controllers and update centers will need to grant the Ad-hoc cluster operations authenticator access control for builds within the operations center Global Security Configuration. This option captures which user is performing an ad-hoc cluster operation in operations center and will run that operation with that user’s permissions.