JENKINS-43912

Multibranch pipelines should support role restrictions

      Description

      A very usual scenario consists of using multibranch pipelines in projects with two branches: develop and master. This creates two subprojects, one for each branch:

      App_Pipeline
          |---master
          |---develop

      We use the Role Strategy plugin to control the authorization (visibility and execution) of the pipelines depending on the assigned role, for instance:

      Project Roles:

      • manager: Uses a regexp App_.*
      • developer: Uses a regexp App_.*

      With these roles, obviously both types of users see the superproject (App_Pipeline), and can see and run both subprojects.

      The point is that we would need some roles (developers) to be able to see and run only the develop subproject and some others (managers) to view and run both subprojects, master and develop.

      Right now there is no way to configure this per subproject. Nor is there an alternative, such as programmatically checking the user role in the script to abort the execution.

          Activity

          oleg_nenashev Oleg Nenashev added a comment -

          I believe that the use-case is already supported in Role Strategy, you just need more advanced regular expressions which take the developer/master into account. If it does not work, likely a Pipeline Multi-Branch plugin patch is needed.

          venosov Víctor Martín Molina added a comment - - edited

          It's supported with a two-level security structure, for example:

          rol1 ".*holaArtifactoryMultibranch.*" --> read

          rol2 ".*holaArtifactoryMultibranch/master.*" --> build

          Now, you can associate a user/group to rol1 and rol2.
          codependent Jose A. Iñigo added a comment - - edited

          I'd like to give some more context to this problem: The origin of my pipelines is the branch source plugin, which creates a structure with a parent folder of my Bitbucket organization and one subfolder per repository, each containing a pipeline per branch with a Jenkinsfile. Thus the Jenkins folder hierarchy is as follows:

          Organization
               |-Repo1
                   |---master
                   |---develop
               |-Repo2
                   |---master
                   |---develop
               |-Poc-Repo1
                   |---master
                   |---develop
               |-Poc-Repo2
                   |---master
                   |---develop

          I need to set up permissions so that some users can ONLY see and build repos with the pattern Organization/Poc-.*

          Other users can see any repo.

          Others can see and build any repo.

          The problem is the regexp Organization/Poc-*. doesn't work. Users with this role can't see anything.

          venosov Víctor Martín Molina added a comment - - edited

          I see your point, if you have an intermediate folder:

          rol1 "^FOLDER$" --> read

          rol2 "^FOLDER\/holaArtifactoryMultibranch.*$" --> read

          you'll see the holaArtifactoryMultibranch folder, but not others.
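
The two-level structure from the comment above, applied to the Organization/Poc- layout from this thread, as an added example that is not part of the original thread or of the Role Strategy plugin. It assumes that a role pattern must match an item's whole full name and that an item is reachable only when every parent folder is readable; the role lists and the "read"/"build" labels are constructed for illustration.

```python
import re

# Constructed item full names following the folder layout described in the thread.
ITEMS = [
    "Organization",
    "Organization/Repo1", "Organization/Repo1/master", "Organization/Repo1/develop",
    "Organization/Poc-Repo1", "Organization/Poc-Repo1/master",
    "Organization/Poc-Repo1/develop",
]

def permissions(roles, item):
    """Union of the permissions of every role whose pattern matches the item."""
    granted = set()
    for pattern, perms in roles:
        # Assumption: the pattern has to match the entire full name, not a substring.
        if re.fullmatch(pattern, item):
            granted |= set(perms)
    return granted

def reachable(roles, item, perm="read"):
    """Assumption: an item is usable only if every ancestor folder is readable."""
    parts = item.split("/")
    ancestors = ["/".join(parts[:i]) for i in range(1, len(parts))]
    return (all("read" in permissions(roles, a) for a in ancestors)
            and perm in permissions(roles, item))

def visible(roles, perm="read"):
    """Items from ITEMS on which the user effectively holds `perm`."""
    return [i for i in ITEMS if reachable(roles, i, perm)]

# One role with the pattern from the report: the parent folder itself never matches.
POC_ONLY = [(r"Organization/Poc-.*", {"read", "build"})]

# Two-level structure: read on the parent folder, read/build on the Poc- subtree.
POC_TWO_LEVEL = [
    (r"^Organization$", {"read"}),
    (r"^Organization/Poc-.*$", {"read", "build"}),
]

# Branch-level variant for the original request: a developer builds develop only.
DEVELOPER = [
    (r"^Organization$", {"read"}),
    (r"^Organization/Repo1$", {"read"}),
    (r"^Organization/Repo1/develop$", {"read", "build"}),
]

if __name__ == "__main__":
    for name, roles in [("poc-only", POC_ONLY), ("two-level", POC_TWO_LEVEL), ("developer", DEVELOPER)]:
        print(name, "read:", visible(roles), "build:", visible(roles, "build"))
```

Running a candidate role set through a check like this before assigning it shows both failure directions: a subtree pattern that grants nothing because the parent is unreadable, and a broad pattern that grants build on branches it should not.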

          codependent Jose A. Iñigo added a comment - - edited

          Víctor Martín Molina's answer solves the problem. Anyway I would suggest an update in the documentation since this is a usual use case and sorting it out is not straightforward.


            People

            • Assignee: Unassigned
            • Reporter: codependent Jose A. Iñigo
            • Votes: 4
            • Watchers: 8
