JW2016: Ownership Plugin Demo

Transcript

1. Jenkins World #JenkinsWorld Ownership Plugin & Ownership-based Security Demo Oleg

   Nenashev © 2016 CloudBees, Inc. All Rights Reserved

2. Jenkins World #JenkinsWorld Ownership Plugin & Ownership- based Security Demo

   Oleg Nenashev • Jenkins core contributor • JAM and Jenkins Online Meetup organizer • Maintainer of plugins @oleg_nenashev oleg-nenashev onenashev

3. Jenkins World #JenkinsWorld © 2016 CloudBees, Inc. All Rights Reserved

   Oleg’s “Hall of Shame”(c)

4. Jenkins World #JenkinsWorld © 2016 CloudBees, Inc. All Rights Reserved

   Today: Ownership engine for Jenkins

5. Jenkins World #JenkinsWorld Problem Statement • Need: Security engine for

   large-scale instances –Thousands of jobs –Hundreds of active users –Restricted access to jobs and nodes • Which is... –Easily manageable –Flexible –Fast, really fast © 2016 CloudBees, Inc. All Rights Reserved

6. Jenkins World #JenkinsWorld Common strategies do not “just work” •Project

   Matrix Authorization Strategy –Hard to manage –No support of Node permissions •Role-Based Strategy –Regular expression for each role –Hundreds of Regex checks every request ???? –Web UI easily hangs © 2016 CloudBees, Inc. All Rights Reserved

7. Jenkins World #JenkinsWorld Ownership-based Security © 2016 CloudBees, Inc. All

   Rights Reserved Role- Strategy Ownership Job Restrictions • First version have been developed at Synopsys, Inc. • Large instances powered by Jenkins OSS • Assign owners of jobs/nodes • Fancy UI • Auth strategy • Macro engine • Restrict runs of jobs and nodes

8. Jenkins World #JenkinsWorld Ownership Plugin © 2016 CloudBees, Inc. All

   Rights Reserved

9. Jenkins World #JenkinsWorld Ownership Info. Definition and Inheritance © 2016

   CloudBees, Inc. All Rights Reserved Folders Jobs Nodes Runs Sub- Projects

10. Jenkins World #JenkinsWorld Demo. What’s inside? © 2016 CloudBees, Inc.

    All Rights Reserved Ownership 0.9.0 Job Restrictions 0.5 Security Inspector 0.1-alpha-1 Jenkins core 2.7.4 (minimal – 1.625) Authorize Project 1.2.2 Dynamic Search View 0.2.2 Role Strategy 2.3.2

11. Jenkins World #JenkinsWorld Setting ownership info © 2016 CloudBees, Inc.

    All Rights Reserved

12. Jenkins World #JenkinsWorld Ownership Info. What Do you get? ©

    2016 CloudBees, Inc. All Rights Reserved • Ownership Summary Boxes • Ownership View Columns • View Filters • Also: @Me macro Customizable layout

13. Jenkins World #JenkinsWorld Quick administration contacts © 2016 CloudBees, Inc.

    All Rights Reserved Customizable template

14. Jenkins World #JenkinsWorld #JenkinsWorld Ownership-Based Security. Role-Based Strategy Settings ©

    2016 CloudBees, Inc. All Rights Reserved Roles [1/2]

15. Jenkins World #JenkinsWorld #JenkinsWorld Ownership-Based Security. Role-Based Strategy Settings ©

    2016 CloudBees, Inc. All Rights Reserved Roles [2/2]

16. Jenkins World #JenkinsWorld #JenkinsWorld Ownership-Based Security. Role-Based Strategy Settings ©

    2016 CloudBees, Inc. All Rights Reserved Assignments

17. Jenkins World #JenkinsWorld #JenkinsWorld Jobs. Securing access © 2016 CloudBees,

    Inc. All Rights Reserved Untrusted secondary owners!

18. Jenkins World #JenkinsWorld #JenkinsWorld Jobs. Authorize Project © 2016 CloudBees,

    Inc. All Rights Reserved Jobs get authenticated as owners => • Permissions • Node access (Computer.BUILD)

19. Jenkins World #JenkinsWorld #JenkinsWorld Using Data in Jobs. Freestyle ©

    2016 CloudBees, Inc. All Rights Reserved

20. Jenkins World #JenkinsWorld #JenkinsWorld Using Data in Jobs. Pipeline ©

    2016 CloudBees, Inc. All Rights Reserved

21. Jenkins World #JenkinsWorld #JenkinsWorld Jenkins nodes © 2016 CloudBees, Inc.

    All Rights Reserved • Similar Ownership Management • Special permission • Node Ownership Monitor • => info in the table

22. Jenkins World #JenkinsWorld #JenkinsWorld Securing Nodes © 2016 CloudBees, Inc.

    All Rights Reserved

23. Jenkins World #JenkinsWorld #JenkinsWorld Restricting job runs on nodes ©

    2016 CloudBees, Inc. All Rights Reserved

24. Jenkins World #JenkinsWorld #JenkinsWorld Protecting Master © 2016 CloudBees, Inc.

    All Rights Reserved • NEVER let users run jobs on master • Only use it for system jobs owned by admins

25. Jenkins World #JenkinsWorld Out of scope: Extra features • Item-specific

    security –Plugging Matric Project Security into Ownership Engine • Ownership-based restrictions for triggering jobs • Ownership assignment policy on create/copy • Groovy API for System Scripts (needs some love) • “sudo” mode implementation for admins © 2016 CloudBees, Inc. All Rights Reserved

26. Jenkins World #JenkinsWorld Q&A? • Gitter: –https://gitter.im/jenkinsci/ownership-plugin • Also links:

    –https://wiki.jenkins- ci.org/display/JENKINS/Ownership+Plugin © 2016 CloudBees, Inc. All Rights Reserved

27. Jenkins World #JenkinsWorld © 2016 CloudBees, Inc. All Rights Reserved

28. Jenkins World #JenkinsWorld Concept © 2016 CloudBees, Inc. All Rights

    Reserved Authorization strategy Integrations • Queue dispatchers => hundreds tasks in queue • Permission checks in UI rendering => hundreds of items => different permissions