Upgrade to Pro — share decks privately, control downloads, hide ads and more …

JW2016: Ownership Plugin Demo

Oleg Nenashev
PRO
September 16, 2016
Programming
0
680

JW2016: Ownership Plugin Demo

The presentation contains slides from the Ownership Plugin demo I have conducted at the community booth during Jenkins World 2016. This demo addresses main features provided by the plugin:

* Ownership management of jobs, nodes and folders
* Ownership-based security (Role Strategy macros, Job restrictions, etc.)
* Provisioning of ownership info to classic and Pipeline jobs

Oleg Nenashev
PRO

September 16, 2016
Tweet

More Decks by Oleg Nenashev

See All by Oleg Nenashev
Mentorship programs. Growing new team and community leaders
onenashev
PRO
0
70
Workshop - Mocks as Code. Modeling services in Config Management integration tests
onenashev
PRO
0
61
DevoxxFR - Comment nous utilisons Kotlin et Gradle pour faire évoluer la communauté WireMock
onenashev
PRO
0
31
Ignite: Open Roadmaps for Your Open Communities
onenashev
PRO
0
11
Open roadmaps for your open communities. Not a success story, but you may have one
onenashev
PRO
0
84
Modern Java App CI/CD Observability with OpenTelemetry and Gradle
onenashev
PRO
0
210
Cloud Friendly(?) Jenkins. How we failed to make Jenkins cloud native and what we learned?
onenashev
PRO
0
150
Testcontainers for your Golang projects
onenashev
PRO
0
48
Quarkus, Gradle, WireMock. Dev Services for Gradle projects
onenashev
PRO
1
150

Other Decks in Programming

See All in Programming
ビルドツールとはなにか?からはじめるGradle超入門 / JJUG CCC 2024 Spring
nhayato
1
180
君は新しい日付/時刻API Temporal を知っているか?
luccafort
PRO
5
1k
並行処理を学びGuzzleと仲良くなる
shimabox
2
410
30分でわかるつくって、壊して、直して学ぶ Kubernetes入門
aoi1
6
780
Fluent UI Blazor 最新Update
tomokusaba
1
160
about #67401 //go:linkname
andpad
2
19k
Kotlin/Androidでテスト駆動開発をはじめよう
hiroaki404
1
250
スタートアップ企業が実践する「身の丈スクラム」の現在地 / Current State of 'Right-Sized Scrum' Practices in Startups
ar_tama
12
3.8k
IaCにおけるテスト考察 / Tests in IaC
linyows
2
250
#KotlinFest 2024 : Kotlin sealed classを用いた、ユーザーターゲティングDSL(専用言語)と実環境で秒間1,000万評価を行う処理系の事例紹介
kazukima
0
460
Kotlin Standard Library Gems
antonarhipov
2
310
タクシーアプリ『GO』の reCAPTCHA Enterprise 導入
mot_techtalk
1
110

Featured

See All Featured
A Philosophy of Restraint
colly
198
16k
The Mythical Team-Month
searls
217
42k
How GitHub Uses GitHub to Build GitHub
holman
471
290k
GraphQLの誤解/rethinking-graphql
sonatard
58
9.5k
Design by the Numbers
sachag
276
18k
KATA
mclloyd
18
12k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
30
1.8k
We Have a Design System, Now What?
morganepeng
45
6.9k
Bootstrapping a Software Product
garrettdimon
PRO
302
110k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
20
1.7k
Teambox: Starting and Learning
jrom
129
8.5k
A Modern Web Designer's Workflow
chriscoyier
689
190k

Transcript

  1. Jenkins World #JenkinsWorld Ownership Plugin & Ownership-based Security Demo Oleg

    Nenashev © 2016 CloudBees, Inc. All Rights Reserved

  2. Jenkins World #JenkinsWorld Ownership Plugin & Ownership- based Security Demo

    Oleg Nenashev • Jenkins core contributor • JAM and Jenkins Online Meetup organizer • Maintainer of plugins @oleg_nenashev oleg-nenashev onenashev

  3. Jenkins World #JenkinsWorld © 2016 CloudBees, Inc. All Rights Reserved

    Oleg’s “Hall of Shame”(c)

  4. Jenkins World #JenkinsWorld © 2016 CloudBees, Inc. All Rights Reserved

    Today: Ownership engine for Jenkins

  5. Jenkins World #JenkinsWorld Problem Statement • Need: Security engine for

    large-scale instances –Thousands of jobs –Hundreds of active users –Restricted access to jobs and nodes • Which is... –Easily manageable –Flexible –Fast, really fast © 2016 CloudBees, Inc. All Rights Reserved

  6. Jenkins World #JenkinsWorld Common strategies do not “just work” •Project

    Matrix Authorization Strategy –Hard to manage –No support of Node permissions •Role-Based Strategy –Regular expression for each role –Hundreds of Regex checks every request ???? –Web UI easily hangs © 2016 CloudBees, Inc. All Rights Reserved

  7. Jenkins World #JenkinsWorld Ownership-based Security © 2016 CloudBees, Inc. All

    Rights Reserved Role- Strategy Ownership Job Restrictions • First version have been developed at Synopsys, Inc. • Large instances powered by Jenkins OSS • Assign owners of jobs/nodes • Fancy UI • Auth strategy • Macro engine • Restrict runs of jobs and nodes

  8. Jenkins World #JenkinsWorld Ownership Plugin © 2016 CloudBees, Inc. All

    Rights Reserved

  9. Jenkins World #JenkinsWorld Ownership Info. Definition and Inheritance © 2016

    CloudBees, Inc. All Rights Reserved Folders Jobs Nodes Runs Sub- Projects

  10. Jenkins World #JenkinsWorld Demo. What’s inside? © 2016 CloudBees, Inc.

    All Rights Reserved Ownership 0.9.0 Job Restrictions 0.5 Security Inspector 0.1-alpha-1 Jenkins core 2.7.4 (minimal – 1.625) Authorize Project 1.2.2 Dynamic Search View 0.2.2 Role Strategy 2.3.2

  11. Jenkins World #JenkinsWorld Setting ownership info © 2016 CloudBees, Inc.

    All Rights Reserved

  12. Jenkins World #JenkinsWorld Ownership Info. What Do you get? ©

    2016 CloudBees, Inc. All Rights Reserved • Ownership Summary Boxes • Ownership View Columns • View Filters • Also: @Me macro Customizable layout

  13. Jenkins World #JenkinsWorld Quick administration contacts © 2016 CloudBees, Inc.

    All Rights Reserved Customizable template

  14. Jenkins World #JenkinsWorld #JenkinsWorld Ownership-Based Security. Role-Based Strategy Settings ©

    2016 CloudBees, Inc. All Rights Reserved Roles [1/2]

  15. Jenkins World #JenkinsWorld #JenkinsWorld Ownership-Based Security. Role-Based Strategy Settings ©

    2016 CloudBees, Inc. All Rights Reserved Roles [2/2]

  16. Jenkins World #JenkinsWorld #JenkinsWorld Ownership-Based Security. Role-Based Strategy Settings ©

    2016 CloudBees, Inc. All Rights Reserved Assignments

  17. Jenkins World #JenkinsWorld #JenkinsWorld Jobs. Securing access © 2016 CloudBees,

    Inc. All Rights Reserved Untrusted secondary owners!

  18. Jenkins World #JenkinsWorld #JenkinsWorld Jobs. Authorize Project © 2016 CloudBees,

    Inc. All Rights Reserved Jobs get authenticated as owners => • Permissions • Node access (Computer.BUILD)

  19. Jenkins World #JenkinsWorld #JenkinsWorld Using Data in Jobs. Freestyle ©

    2016 CloudBees, Inc. All Rights Reserved

  20. Jenkins World #JenkinsWorld #JenkinsWorld Using Data in Jobs. Pipeline ©

    2016 CloudBees, Inc. All Rights Reserved

  21. Jenkins World #JenkinsWorld #JenkinsWorld Jenkins nodes © 2016 CloudBees, Inc.

    All Rights Reserved • Similar Ownership Management • Special permission • Node Ownership Monitor • => info in the table

  22. Jenkins World #JenkinsWorld #JenkinsWorld Securing Nodes © 2016 CloudBees, Inc.

    All Rights Reserved

  23. Jenkins World #JenkinsWorld #JenkinsWorld Restricting job runs on nodes ©

    2016 CloudBees, Inc. All Rights Reserved

  24. Jenkins World #JenkinsWorld #JenkinsWorld Protecting Master © 2016 CloudBees, Inc.

    All Rights Reserved • NEVER let users run jobs on master • Only use it for system jobs owned by admins

  25. Jenkins World #JenkinsWorld Out of scope: Extra features • Item-specific

    security –Plugging Matric Project Security into Ownership Engine • Ownership-based restrictions for triggering jobs • Ownership assignment policy on create/copy • Groovy API for System Scripts (needs some love) • “sudo” mode implementation for admins © 2016 CloudBees, Inc. All Rights Reserved

  26. Jenkins World #JenkinsWorld Q&A? • Gitter: –https://gitter.im/jenkinsci/ownership-plugin • Also links:

    –https://wiki.jenkins- ci.org/display/JENKINS/Ownership+Plugin © 2016 CloudBees, Inc. All Rights Reserved

  27. Jenkins World #JenkinsWorld © 2016 CloudBees, Inc. All Rights Reserved

  28. Jenkins World #JenkinsWorld Concept © 2016 CloudBees, Inc. All Rights

    Reserved Authorization strategy Integrations • Queue dispatchers => hundreds tasks in queue • Permission checks in UI rendering => hundreds of items => different permissions