Introduction
IntroductionPre-installation requirementsInstallingVerifying Docker imagesUninstalling
IntroductionPre-installation requirementsInstallingVerifying Docker imagesUninstalling
IntroductionPre-installation requirementsInstallingVerifying Docker imagesUninstalling
IntroductionPre-installation requirementsInstallingVerifying Docker imagesUninstalling
IntroductionPre-installation requirementsInstallingVerifying Docker imagesUninstalling
IntroductionPre-installation requirementsInstallingVerifying Docker imagesUninstalling
IntroductionSystem requirementsVerifying Docker imagesInstalling operations centerInstalling client controllersVerifying build componentsVerifying WAR files
IntroductionHA (active/active) fundamentalsInstallation on modern cloud platforms (active/active)Installation on traditional platforms (active/active)HA (active/active) considerationsSpecific High Availability (active/passive) installation for CloudBees CI on traditional platforms
IntroductionWhat is FIPS and FIPS 140 compliance?Install CloudBees CI on modern cloud platforms in FIPS modeCAP plugin support in a FIPS 140-2 environmentConfigure the Apache™ Ant plugin for FIPS complianceConfigure the Pipeline Maven API plugin for FIPS complianceKnown FIPS incompatibilities with CloudBees CI on modern cloud platformsJenkins core: FIPS 140-2 compliant artifacts with caveatsJenkins core: Non-compliant classes and libraries
Introduction
IntroductionPipeline termsPipeline project typesCloudBees Pipeline benefits
IntroductionUsing Pipeline development utilitiesDetermining plugin compatibilityPipeline best practices
IntroductionPrerequisitesCreating your first PipelineSelecting agentsCreating Pipelines in SCMCreating Pipelines in Web UIUsing Pipeline as Code
IntroductionConfig Adv ScriptedConfig Build StageConfig Deploy StageConfig Optional Step ArgsConfig Test StageCreating JenkinsfileCustomizing ParametersHandling FailuresString InterpolationUsing Multiple AgentsWorking With The EnvReusing Configuration Files
IntroductionManaging artifactsTracing artifactsTriggering jobs with a simple webhookRestoring filesVisualizing PipelineInserting checkpointsSecuring PipelinesConfiguring Pipelines with user-scoped credentialsUsing Pipeline PoliciesSpecifying a matrix of one or more dimensionsConverting a Freestyle project to a Declarative PipelinePipeline builds and HA (active/active)
IntroductionRestarting aborted buildsLong-running buildsSkip next buildConsolidated Build View pluginCloudBees Quiet Start pluginCloudBees Template pluginCloudBees Workspace Caching
IntroductionTrigger a job with a notification event using Cross Team CollaborationEnable external notification events with external HTTP endpointsCluster-wide copy artifactsCluster-wide job triggers
IntroductionSetting up a Pipeline Template CatalogDefining Pipeline Template CatalogsSetting Up A Pipeline TemplateUsing parameters in template.yamlManaging multibranch Pipeline options in template.yamlManaging Pipeline Template Catalogs in bulkExample full Maven/Java app Jenkinsfile
IntroductionUsing Declarative Pipeline syntaxUsing Scripted Pipeline syntax
IntroductionBranch SourceBitbucketGitBranch Property StrategyExamples
CloudBees Docker Build and Publish pluginCloudBees Docker TraceabilityDocker Pipeline pluginCloudBees Docker Hub/Registry Notification plugin
Introduction
Introduction
IntroductionGetting startedNavigating the operations centerProvisioning managed controllers in multiple Kubernetes clustersProvisioning agents in a separate Kubernetes cluster from a managed controllerProvisioning a controller in a different namespace than the operations centerProvisioning a controller in a different OpenShift project than the operations centerManaging controllersManage controllers in specific Kubernetes namespacesMigrating an existing managed controller to High Availability (HA)Managing agentsShared agentsShared configurationShared cloud configurationTrigger restrictionsChanging NFS storage locationQuiet startMove/Copy/PromoteCluster operationsInbound agentsUsing KanikoUsing Buildkit (docker buildx)Sidecar injector for self-signed certificates on KubernetesSidecar injector for self-signed certificates on OpenShiftUsing auto-scaling nodes on EKSUsing auto-scaling nodes on GKECloudBees Amazon Web Services Deploy EngineAmazon Web Services CLI PluginCloud Foundry CLI PluginIntegrate OpenShift CLIServiceNow integrationCreating projects based on GitHub repository structureUsing GitHub App authenticationCreate Multibranch Projects and Organization Folders with large repositoriesWikiText pluginController Lifecycle Notifications Plugin
IntroductionGetting startedNavigating the operations centerManaging client controllersMigrating from High Availability (active/passive) to High Availability (active/active) on CloudBees CI on traditional platformsManaging agentsShared agentsShared configurationShared cloud configurationTrigger restrictionsQuiet startMove/Copy/PromoteCluster operationsJava web start agentsServiceNow integrationCreating projects based on GitHub repository structureUsing GitHub App authenticationCreate Multibranch Projects and Organization Folders with large repositoriesWikiText plugin
Introduction
Trust model
Pod Security Admission
Centrally managing security for controllers
Cyberark Credential Provider Plugin
HashiCorp Vault Plugin
Enabling advanced use cases: cross controller triggers and bulk operations
Restricting access and delegating administration with Role-Based Access Control
Creating secure folders with Role-Based Access Control Auto Configurer
Restricting job triggers
Setting up operations center access controls
Setting up access controls on connected controllers
Testing the SSH connection to an agent
Configuring restricted credentials with the CloudBees Restricted Credentials plugin
Folders
Folders Plus
Injecting secrets into builds
Managing build agents with Nodes Plus plugin
Extended security settings
Enhanced credentials masking
Understanding Beekeeper security warnings
Preventing unauthorized interaction between builds
Security recommendations
Using single sign-on (SSO)
CloudBees CI integration with Microsoft Entra ID
operations center specific permissions
Authentication mapping
Example configurations
Delegating administration
Data collection for the CloudBees Analytics Plugin
External secrets management
Replacing an expired certificate
List of URLs that need access
Blocking access to URL patterns using the CloudBees Request Filter Plugin
Serving resources from Jenkins
Verifying Helm Charts Published with a Signature
Introduction
Introduction$JENKINS_HOME directoryBest practices for backup and restoreBack up $JENKINS_HOME manuallyRestore $JENKINS_HOME manuallyRestore credentialsConfigure backups using the CloudBees Backup pluginSchedule backups in the CloudBees Backup pluginRestore backups created with the CloudBees Backup pluginBackup and restore on KubernetesBackup and restore on AWSBackup and restore Kubernetes clusters using VeleroRun backups using cluster operations
IntroductionConfiguring multiple client controllers with the Jenkins CLI toolConfigure an alias for the Jenkins CLI toolConfiguring Jenkins CLI tool with non-TrustStore TLS certificates
CloudBees Inactive Items Plugin
Jenkins Health Advisor by CloudBees
CloudBees Pull Request Builder for GitHub plugin
Count and monitor user licenses with the CloudBees User Activity Monitoring plugin
CloudBees CI Catalog Plugin - Catalog tool
Introduction
CasC fundamentals
CasC requirements
CasC permissions
IntroductionGetting startedCreating a bundleConfiguring the operations center on modern platformsConfiguring the operations center on traditional platformsRetrieving bundles using SCMUpdating a bundleBundle update timing for the operations centerViewing the operations center update logCreating itemsConfiguring RBACDetermining plugin compatibilityTroubleshooting
IntroductionGetting startedCreating a bundleAdding controller bundles to the operations centerUpdating a bundleBundle update timing for controllersViewing the controller update logConfiguring bundle availabilitySetting up a managed controllerSetting up a client controllerCreating itemsConfiguring RBACDetermining plugin compatibilityAdvanced topicsTroubleshooting
Plugin management with CasC
CasC CLI commands
CasC HTTP API
Support policies

Delegating Administration

5 minute readSecurity

In some medium to large scale organizations, roles and responsibilities in software management and maintenance are distinct and well established. Because of the larger employee base and increased volume of work per area, tasks are separated and delegated to employees with specific expertise and understanding in a single area. For instance, some people may be in charge of the system administration, some of the security configuration, and others of the software configuration. While this separation of duties is necessary for medium to larger organizations to thrive, it can create complications when attempting to assign permissions securely and efficiently.

To reflect the needs of medium to larger organizations, two new permissions have been introduced with Jenkins v2.222 which enable a CloudBees CI administrator to delegate some parts of administration to a user without having to grant them the powerful Overall/Administrator permission.

The two new permissions include:

  • Overall/Manage: safely grant a user the ability to manage a subset of CloudBees CI configuration options.

  • Overall/SystemRead: grant a user the ability to view most of CloudBees CI configuration options, but in read only mode.

These new permissions are currently “Experimental” and disabled by default. When using the Role-based matrix authorization strategy in CloudBees CI, the administrator can grant a user/group the Overall/Manage and/or Overall/SystemRead permission to enable this functionality.

See JEP-223: "Manage" permission for managing non-security aspects of a Jenkins instance and JEP-224: Readonly system configuration, for more information.

Overall/Manage

The Overall/Manage permission allows a user to modify non-security related configuration settings. Examples of non-security settings include project naming restrictions, the system message, updating a CasC bundle, and managing nodes/clouds. Security related configuration, which is not accessible to a user with the Overall/Manage permission, includes items such as the script console, changing the security realm, and managing plugins.

Being able to delegate the ability to modify non-security related configuration settings is valuable, for instance in the case of a large enterprise environment where team leads are in charge of their team’s controller, but should not have the same admin access as the overall enterprise admin.

Top-level configuration settings available to a user with Overall/Manage
Figure 1. Top-level configuration settings available to a user with Overall/Manage

Overall/System Read

The Overall/System Read permission gives the user the ability to view, but not modify, the configuration of a CloudBees CI instance, including logs and monitoring information. There are a number of situations where being able to view the configuration is very valuable, such as:

  • To allow non-administrator users to see what configuration options are available to a plugin.

    Given the increased use of Configuration as Code, a lot of CloudBees CI instances are fully managed as code; therefore, changes are not allowed through the UI. In this situation you cannot know when new plugin versions are available, unless you have the Overall/Administer permission.

  • To allow non-administrator users to debug issues with their builds easier.

    In other words, given a CloudBees CI error message in a build the user can check which plugins are installed, and the version of the plugin. This situation allows the user to solve their issue themselves and makes it easier for the user to report an issue with a plugin directly to the maintainers.

A user with the Overall/SystemRead permission will notice some UX abnormalities, such as form fields being shown as disabled. Additionally, some fields will appear to be editable but there are no Save or Apply buttons, which prevent those changes from being persisted.

Enabling the new permissions

The new permissions are not enabled by default and must be manually enabled to use them in your instance.

Overall/Manage

To enable the Overall/Manage permission, do one of the following:

  • Install the Overall/Manage permission enabler plugin, which enables the new permission by default.

  • Pass the system property jenkins.security.ManagePermission=true when starting CloudBees CI.

    java -Djenkins.security.ManagePermission=true -jar jenkins.war

  • Use the script console to set the system property.

    Jenkins.MANAGE.setEnabled(true)
    This setting will be lost after restarting Jenkins.

Overall/System Read

To enable the Overall/System Read permission, do one of the following:

  • Install the Extended Read Permission plugin, which enables the new permission by default

  • Pass the system property jenkins.security.SystemReadPermission=true when starting Jenkins

    java -Djenkins.security.SystemReadPermission=true -jar jenkins.war

  • Use the script console to set the system property.

    Jenkins.SYSTEM_READ.setEnabled(true)
    This setting will be lost after restarting CloudBees CI.

Configuring the new permissions

Once the new permissions are enabled, you can assign them to a user or group when using Role-based matrix authorization as your Global Security Authorization Strategy provided by the CloudBees Role-Based Access Control plugin.

overall manage role
For the Overall/Manage permission to be functional, it must be assigned with the Overall/Read permission as illustrated in the image above.
It is possible to give both Overall/Manage and Overall/System Read permissions to the same user/group, allowing that user to view the CloudBees CI configuration allowed by Overall/System Read, but only persist changes to those things specifically allowed by Overall/Manage. In some cases, there will be form fields that appear editable, but are not currently allowed to be changed by a user with Overall/Manage. Attempts to save such settings will be safely ignored.
Modern Cloud Platforms

The following content applies only to CloudBees CI on modern cloud platforms.

Using the Overall/Manage permission with Teams

The Overall/Manage permission is not included in the Team roles created by default (Team Admin, Team Member and Team Guest).

It is necessary to create a custom role (or use one previously created), and add the Overall/Manage permission to it.

In the following examples, the cli script is a simplification for the whole Jenkins CLI command. See Jenkins CLI tool for more information.

Prerequisites

Overall/Manage permission is enabled

To add the Overall/Manage permission to a custom role:

  1. Retrieve the name of the team controller where you want to apply the permission using the following Jenkins CLI command: cli teams

    Sample output
    {
    "data": [
        {
            "displayName": "A Team",
            "name": "YOUR_TEAM_NAME",
            "status": {
      		            "team": "READY"
            },
            "provisioningRecipe": "basic"
        }
    ],
    "version": "1"
}

  2. Create a custom role which you will assign the Overall/Manage permission using the following Jenkins CLI command: cli team-roles YOUR_TEAM_NAME --add ROLE_OVERALL_MANAGE --display 'Team Overall/Manage'

    Sample output
    {
   "version":"1",
   "data":{
      "id":"YOUR_TEAM_NAME",
      "message":"Role [ROLE_OVERALL_MANAGE] was added to the team",
      "status":"success"
   }
}

  3. Assign the Overall/Manage permission to your custom role using the following Jenkins CLI command: cli team-permissions YOUR_TEAM_NAME ROLE_OVERALL_MANAGE --add jenkins.model.Jenkins.Manage --type jenkins

    Sample output
    {
  "version": "1",
  "data": {
	    "id": "ROLE_OVERALL_MANAGE",
    "message": "Permission added correctly",
    "status": "success"
  }
}
To configure all of the permissions of the role using a JSON input:

  1. Create a "team-overall-manage-permissions.json" file with the following content:

{
   "data":{
      "jenkinsInstancePermissions":[
        "hudson.model.Hudson.Read",
        "hudson.model.Hudson.Manage",
        "hudson.model.Item.Read",
        "hudson.model.Item.Configure",
        "hudson.model.Item.Create",
      ],
      "role": "ROLE_OVERALL_MANAGE",
      "teamPermissions":[
        "hudson.model.Item.Read",
        "hudson.model.Item.Configure",
        "hudson.model.Item.Create"
      ]
   },
   "version":"1"
}

+ NOTE: The additional permissions to "jenkins.model.Jenkins.Manage" are added as examples of permissions a team may want to add. Your team may need different permissions depending on your needs.

  1. Run the following Jenkins CLI command: cli team-permissions YOUR_TEAM_NAME ROLE_OVERALL_MANAGE --put < team-overall-manage-permissions.json

    Sample output
    {
  "version": "1",
  "data": {
    "id": "ROLE_OVERALL_MANAGE",
    "message": "Permissions set correctly",
    "status": "success"
  }
}

  2. (Optional) Check that the new permissions were saved successfully by running the following Jenkins CLI command: cli team-permissions YOUR_TEAM_NAME ROLE_OVERALL_MANAGE

    Sample output
    {
  "version": "1",
  "data": {
    "role": "ROLE_OVERALL_MANAGE",
    "jenkinsInstancePermissions": [
      "jenkins.model.Jenkins.Read",
      "jenkins.model.Jenkins.Manage",
      "hudson.model.Item.Read",
      "hudson.model.Item.Configure",
      "hudson.model.Item.Create"
    ],
    "teamPermissions": [
      "hudson.model.Item.Read",
      "hudson.model.Item.Configure",
      "hudson.model.Item.Create"
    ]
  }
}
Example configurations
Data collection for the CloudBees Analytics Plugin