Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-10593

Project-based Matrix Authorization Strategy: allow a job to not inherit from global ACL

    XMLWordPrintable

    Details

    • Type: New Feature
    • Status: Resolved (View Workflow)
    • Priority: Minor
    • Resolution: Fixed
    • Component/s: core
    • Labels:
      None
    • Environment:
      Jenkins 1.424
    • Similar Issues:

      Description

      It would be excellent if the Project-based Matrix Authorization Strategy allowed for a project to start its authorizations from zero instead of inheriting from the main configuration.

      For example, while the vast majority of projects may only need the default ACL, a restricted access project may need to be limited to only a few users or groups. As I understand it, the Project-based Matrix Authorization Strategy is additive. So to do this now. the global config would need to have the barest set of authorizations, and every job (except the very restricted one) would have to have the "Enable project-based security" configuration specified.

        Attachments

          Issue Links

            Activity

            Hide
            jhansche Joe Hansche added a comment -

            Pull request has been created at https://github.com/jenkinsci/jenkins/pull/622

            Show
            jhansche Joe Hansche added a comment - Pull request has been created at https://github.com/jenkinsci/jenkins/pull/622
            Hide
            jglick Jesse Glick added a comment -

            Just FYI, the Role-Based Access Control plugin in Jenkins Enterprise by CloudBees offers this functionality.

            Show
            jglick Jesse Glick added a comment - Just FYI, the Role-Based Access Control plugin in Jenkins Enterprise by CloudBees offers this functionality.
            Hide
            jhansche Joe Hansche added a comment -

            Thanks, didn't know about that. However, it appears that is only available in the CloudBees Jenkins Enterprise package, which is not free and must be installed as a separate Jenkins installation. It's also not part of the CloudBees Free Enterprise Plugin that is available in the update center.

            This solution isn't as feature-rich as CloudBees's, of course But it does solve the one-off use case when an administrator just wants to restrict a single job to a smaller subset of users than the rest of the instance is configured to allow. Though I may consider revising this once more just to make sure that only an "overall administrator" can enable the option – so that non-administrator users who have access to configure the job cannot lock out the instance administrators unwittingly.

            Show
            jhansche Joe Hansche added a comment - Thanks, didn't know about that. However, it appears that is only available in the CloudBees Jenkins Enterprise package, which is not free and must be installed as a separate Jenkins installation. It's also not part of the CloudBees Free Enterprise Plugin that is available in the update center. This solution isn't as feature-rich as CloudBees's, of course But it does solve the one-off use case when an administrator just wants to restrict a single job to a smaller subset of users than the rest of the instance is configured to allow. Though I may consider revising this once more just to make sure that only an "overall administrator" can enable the option – so that non-administrator users who have access to configure the job cannot lock out the instance administrators unwittingly.
            Hide
            schniedergers Klaus Schniedergers added a comment -

            This would solve my problem...I'm trying to restrict authenticated users from configuring just one job, but "authenticated" has job config permissions in global security.

            Did this ever get solved somehow?
            (without having to buy Cloudbee's product)

            Show
            schniedergers Klaus Schniedergers added a comment - This would solve my problem...I'm trying to restrict authenticated users from configuring just one job, but "authenticated" has job config permissions in global security. Did this ever get solved somehow? (without having to buy Cloudbee's product)
            Hide
            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Kohsuke Kawaguchi
            Path:
            src/main/java/hudson/security/AuthorizationMatrixProperty.java
            src/main/java/hudson/security/ProjectMatrixAuthorizationStrategy.java
            src/main/resources/hudson/security/AuthorizationMatrixProperty/config.jelly
            src/main/resources/hudson/security/AuthorizationMatrixProperty/help-blocksInheritance.html
            http://jenkins-ci.org/commit/matrix-auth-plugin/6411fffb41e4e7b217d0e841462ef23a8e62c45a
            Log:
            [FIXED JENKINS-10593] Merged pull request #622 to core

            Reference: https://github.com/jenkinsci/jenkins/pull/622

            Show
            scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: Kohsuke Kawaguchi Path: src/main/java/hudson/security/AuthorizationMatrixProperty.java src/main/java/hudson/security/ProjectMatrixAuthorizationStrategy.java src/main/resources/hudson/security/AuthorizationMatrixProperty/config.jelly src/main/resources/hudson/security/AuthorizationMatrixProperty/help-blocksInheritance.html http://jenkins-ci.org/commit/matrix-auth-plugin/6411fffb41e4e7b217d0e841462ef23a8e62c45a Log: [FIXED JENKINS-10593] Merged pull request #622 to core Reference: https://github.com/jenkinsci/jenkins/pull/622

              People

              • Assignee:
                jhansche Joe Hansche
                Reporter:
                oeuftete oeuftete
              • Votes:
                5 Vote for this issue
                Watchers:
                7 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: