Jenkins issue JENKINS-2653

AdminFullControlAndLoggedReadAuthorizationStrategy new security strategy

    • Type: New Feature
    • Resolution: Fixed
    • Priority: Major
    • Component: _unsorted
    • Environment: Platform: All, OS: All

      Hello,
      I need a new security authorization strategy, a mix between
      FullControlOnceLoggedInAuthorizationStrategy and LegacyAuthorizationStrategy:

      users declared with the role "admin" have full control,
      users declared with the role "viewer" can read
      (or logged-in users have the "viewer" role),
      anonymous users have no access.

      I will use the security realm delegated to the servlet container.
      The Tomcat server will be configured with jdbcRealm.

      In practice:
      In hudson\security\AuthorizationStrategy.java

      static {
          LIST.load(FullControlOnceLoggedInAuthorizationStrategy.class);
          LIST.load(GlobalMatrixAuthorizationStrategy.class);
          LIST.load(LegacyAuthorizationStrategy.class);
          LIST.load(ProjectMatrixAuthorizationStrategy.class);
          // ADD new strategy
          LIST.load(AdminFullControlAndLoggedReadAuthorizationStrategy.class);
          // can't do this in the constructor due to the initialization order
          LIST.add(Unsecured.DESCRIPTOR);
      }

      New class
      hudson\security\AdminFullControlAndLoggedReadAuthorizationStrategy.java
      Something like that:

      package hudson.security;

      import hudson.model.Descriptor;
      import org.acegisecurity.acls.sid.GrantedAuthoritySid;
      import org.kohsuke.stapler.StaplerRequest;
      import net.sf.json.JSONObject;

      import java.util.Arrays;
      import java.util.Collection;

      public final class AdminFullControlAndLoggedReadAuthorizationStrategy extends AuthorizationStrategy {
          // SparseACL walks its entries in order and answers with the first entry whose
          // permission and sid both match; it only moves up to the implied-by permission
          // (READ -> FULL_CONTROL) after every entry has been tried. So the grants must
          // precede the catch-all denials, and "admin" needs an explicit READ grant:
          // otherwise the EVERYONE deny on READ is reached before FULL_CONTROL is considered
          // and even administrators are locked out.
          private static final ACL LEGACY_ACL = new SparseACL(null) {{
              add(new GrantedAuthoritySid("admin"), Permission.FULL_CONTROL, true); // admin: full control
              add(new GrantedAuthoritySid("admin"), Permission.READ, true);         // admin: read (see above)
              add(new GrantedAuthoritySid("viewer"), Permission.READ, true);        // viewer: read only
              add(ANONYMOUS, Permission.READ, false);                               // anonymous: no access
              add(EVERYONE, Permission.READ, false);                                // logged in, no role: no access
          }};

          public ACL getRootACL() {
              return LEGACY_ACL;
          }

          // Role names this strategy checks. The security realm that delegates to the
          // servlet container asks for these and probes isUserInRole() for each one,
          // so the collection must hold the plain role names.
          public Collection<String> getGroups() {
              return Arrays.asList("admin", "viewer");
          }

          public Descriptor<AuthorizationStrategy> getDescriptor() {
              return DESCRIPTOR;
          }

          public static final Descriptor<AuthorizationStrategy> DESCRIPTOR = new DescriptorImpl();

          public static final class DescriptorImpl extends Descriptor<AuthorizationStrategy> {
              private DescriptorImpl() {
                  super(AdminFullControlAndLoggedReadAuthorizationStrategy.class);
              }

              // needs an AdminFullControlAndLoggedReadAuthorizationStrategy.DisplayName
              // entry in Messages.properties
              public String getDisplayName() {
                  return Messages.AdminFullControlAndLoggedReadAuthorizationStrategy_DisplayName();
              }

              public String getHelpFile() {
                  return "/help/security/admin-logged-auth-strategy.html";
              }

              public AdminFullControlAndLoggedReadAuthorizationStrategy newInstance(StaplerRequest req, JSONObject formData) throws FormException {
                  return new AdminFullControlAndLoggedReadAuthorizationStrategy();
              }
          }

          static {
              LIST.add(DESCRIPTOR);
          }
      }

      In web.xml

      <security-role>
          <!-- admins can add/remove/configure projects -->
          <role-name>admin</role-name>
          <!-- viewers can read projects -->
          <role-name>viewer</role-name>
      </security-role>
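      The Tomcat side of the setup described above, as an added example that is not part of the issue or of Jenkins: a JDBCRealm in Tomcat's server.xml (or the Jenkins context.xml) that supplies the "admin" and "viewer" roles the strategy matches through GrantedAuthoritySid and the web.xml security-role entries. Table and column names, the JDBC URL, the driver and the database account are placeholders.

```xml
<!-- Container realm backing "delegate to servlet container".
     The values in user_roles.role_name must be exactly "admin" and "viewer":
     the strategy's getGroups() returns those names and the container is asked
     isUserInRole() for each of them on every request.

     Assumed schema (MySQL syntax, placeholder names):
       CREATE TABLE users (
         user_name VARCHAR(64)  NOT NULL PRIMARY KEY,
         user_pass VARCHAR(128) NOT NULL      -- hex SHA-256 digest, see digest= below
       );
       CREATE TABLE user_roles (
         user_name VARCHAR(64) NOT NULL REFERENCES users(user_name),
         role_name VARCHAR(32) NOT NULL,      -- 'admin' or 'viewer'
         PRIMARY KEY (user_name, role_name)
       );
     The account in connectionName only needs SELECT on these two tables. -->
<Realm className="org.apache.catalina.realm.JDBCRealm"
       driverName="com.mysql.jdbc.Driver"
       connectionURL="jdbc:mysql://localhost/jenkins_auth"
       connectionName="jenkins_ro"
       connectionPassword="CHANGE_ME"
       userTable="users"          userNameCol="user_name" userCredCol="user_pass"
       userRoleTable="user_roles" roleNameCol="role_name"
       digest="SHA-256"/>
```

      With digest set, Tomcat hashes the submitted password before comparing it to user_pass; without that attribute the column has to hold plaintext passwords. A user with no row in user_roles authenticates successfully but gets no role, so the strategy's EVERYONE deny applies and Jenkins refuses access.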

            Assignee: Kohsuke Kawaguchi (kohsuke)
            Reporter: vdaburon
            Votes: 0
            Watchers: 1