Upgrade to Pro — share decks privately, control downloads, hide ads and more …

JW2016: Ownership Plugin Demo

Oleg Nenashev
PRO
September 16, 2016
Programming
0
700

JW2016: Ownership Plugin Demo

The presentation contains slides from the Ownership Plugin demo I have conducted at the community booth during Jenkins World 2016. This demo addresses main features provided by the plugin:

* Ownership management of jobs, nodes and folders
* Ownership-based security (Role Strategy macros, Job restrictions, etc.)
* Provisioning of ownership info to classic and Pipeline jobs

Oleg Nenashev
PRO

September 16, 2016
Tweet

More Decks by Oleg Nenashev

See All by Oleg Nenashev
OpenAPI: The Good, The Bad, The YAMLy - Gradle Edition
onenashev
PRO
0
5
KCD Austria: Modern Java CI/CD observability with Gradle/Quarkus
onenashev
PRO
0
41
Mentorship programs. Growing new team and community leaders
onenashev
PRO
0
120
Workshop - Mocks as Code. Modeling services in Config Management integration tests
onenashev
PRO
0
130
DevoxxFR - Comment nous utilisons Kotlin et Gradle pour faire évoluer la communauté WireMock
onenashev
PRO
0
81
Ignite: Open Roadmaps for Your Open Communities
onenashev
PRO
0
34
Open roadmaps for your open communities. Not a success story, but you may have one
onenashev
PRO
0
130
Modern Java App CI/CD Observability with OpenTelemetry and Gradle
onenashev
PRO
0
280
Cloud Friendly(?) Jenkins. How we failed to make Jenkins cloud native and what we learned?
onenashev
PRO
0
200

Other Decks in Programming

See All in Programming
3 Effective Rules for Using Signals in Angular
manfredsteyer
PRO
1
100
RubyLSPのマルチバイト文字対応
notfounds
0
120
Creating a Free Video Ad Network on the Edge
mizoguchicoji
0
120
subpath importsで始めるモック生活
10tera
0
300
タクシーアプリ『GO』のリアルタイムデータ分析基盤における機械学習サービスの活用
mot_techtalk
4
1.4k
OnlineTestConf: Test Automation Friend or Foe
maaretp
0
110
レガシーシステムにどう立ち向かうか 複雑さと理想と現実/vs-legacy
suzukihoge
14
2.2k
Amazon Qを使ってIaCを触ろう!
maruto
0
400
詳細解説! ArrayListの仕組みと実装
yujisoftware
0
580
「今のプロジェクトいろいろ大変なんですよ、app/services とかもあって……」/After Kaigi on Rails 2024 LT Night
junk0612
5
2.1k
Realtime API 入門
riofujimon
0
150
Macとオーディオ再生 2024/11/02
yusukeito
0
370

Featured

See All Featured
Fontdeck: Realign not Redesign
paulrobertlloyd
82
5.2k
Building Flexible Design Systems
yeseniaperezcruz
327
38k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
191
16k
Imperfection Machines: The Place of Print at Facebook
scottboms
265
13k
Intergalactic Javascript Robots from Outer Space
tanoku
269
27k
The Straight Up "How To Draw Better" Workshop
denniskardys
232
140k
A designer walks into a library…
pauljervisheath
203
24k
Bootstrapping a Software Product
garrettdimon
PRO
305
110k
Rebuilding a faster, lazier Slack
samanthasiow
79
8.7k
Building Your Own Lightsaber
phodgson
103
6.1k
Building an army of robots
kneath
302
43k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
38
6.9k

Transcript

  1. Jenkins World #JenkinsWorld Ownership Plugin & Ownership-based Security Demo Oleg

    Nenashev © 2016 CloudBees, Inc. All Rights Reserved

  2. Jenkins World #JenkinsWorld Ownership Plugin & Ownership- based Security Demo

    Oleg Nenashev • Jenkins core contributor • JAM and Jenkins Online Meetup organizer • Maintainer of plugins @oleg_nenashev oleg-nenashev onenashev

  3. Jenkins World #JenkinsWorld © 2016 CloudBees, Inc. All Rights Reserved

    Oleg’s “Hall of Shame”(c)

  4. Jenkins World #JenkinsWorld © 2016 CloudBees, Inc. All Rights Reserved

    Today: Ownership engine for Jenkins

  5. Jenkins World #JenkinsWorld Problem Statement • Need: Security engine for

    large-scale instances –Thousands of jobs –Hundreds of active users –Restricted access to jobs and nodes • Which is... –Easily manageable –Flexible –Fast, really fast © 2016 CloudBees, Inc. All Rights Reserved

  6. Jenkins World #JenkinsWorld Common strategies do not “just work” •Project

    Matrix Authorization Strategy –Hard to manage –No support of Node permissions •Role-Based Strategy –Regular expression for each role –Hundreds of Regex checks every request ???? –Web UI easily hangs © 2016 CloudBees, Inc. All Rights Reserved

  7. Jenkins World #JenkinsWorld Ownership-based Security © 2016 CloudBees, Inc. All

    Rights Reserved Role- Strategy Ownership Job Restrictions • First version have been developed at Synopsys, Inc. • Large instances powered by Jenkins OSS • Assign owners of jobs/nodes • Fancy UI • Auth strategy • Macro engine • Restrict runs of jobs and nodes

  8. Jenkins World #JenkinsWorld Ownership Plugin © 2016 CloudBees, Inc. All

    Rights Reserved

  9. Jenkins World #JenkinsWorld Ownership Info. Definition and Inheritance © 2016

    CloudBees, Inc. All Rights Reserved Folders Jobs Nodes Runs Sub- Projects

  10. Jenkins World #JenkinsWorld Demo. What’s inside? © 2016 CloudBees, Inc.

    All Rights Reserved Ownership 0.9.0 Job Restrictions 0.5 Security Inspector 0.1-alpha-1 Jenkins core 2.7.4 (minimal – 1.625) Authorize Project 1.2.2 Dynamic Search View 0.2.2 Role Strategy 2.3.2

  11. Jenkins World #JenkinsWorld Setting ownership info © 2016 CloudBees, Inc.

    All Rights Reserved

  12. Jenkins World #JenkinsWorld Ownership Info. What Do you get? ©

    2016 CloudBees, Inc. All Rights Reserved • Ownership Summary Boxes • Ownership View Columns • View Filters • Also: @Me macro Customizable layout

  13. Jenkins World #JenkinsWorld Quick administration contacts © 2016 CloudBees, Inc.

    All Rights Reserved Customizable template

  14. Jenkins World #JenkinsWorld #JenkinsWorld Ownership-Based Security. Role-Based Strategy Settings ©

    2016 CloudBees, Inc. All Rights Reserved Roles [1/2]

  15. Jenkins World #JenkinsWorld #JenkinsWorld Ownership-Based Security. Role-Based Strategy Settings ©

    2016 CloudBees, Inc. All Rights Reserved Roles [2/2]

  16. Jenkins World #JenkinsWorld #JenkinsWorld Ownership-Based Security. Role-Based Strategy Settings ©

    2016 CloudBees, Inc. All Rights Reserved Assignments

  17. Jenkins World #JenkinsWorld #JenkinsWorld Jobs. Securing access © 2016 CloudBees,

    Inc. All Rights Reserved Untrusted secondary owners!

  18. Jenkins World #JenkinsWorld #JenkinsWorld Jobs. Authorize Project © 2016 CloudBees,

    Inc. All Rights Reserved Jobs get authenticated as owners => • Permissions • Node access (Computer.BUILD)

  19. Jenkins World #JenkinsWorld #JenkinsWorld Using Data in Jobs. Freestyle ©

    2016 CloudBees, Inc. All Rights Reserved

  20. Jenkins World #JenkinsWorld #JenkinsWorld Using Data in Jobs. Pipeline ©

    2016 CloudBees, Inc. All Rights Reserved

  21. Jenkins World #JenkinsWorld #JenkinsWorld Jenkins nodes © 2016 CloudBees, Inc.

    All Rights Reserved • Similar Ownership Management • Special permission • Node Ownership Monitor • => info in the table

  22. Jenkins World #JenkinsWorld #JenkinsWorld Securing Nodes © 2016 CloudBees, Inc.

    All Rights Reserved

  23. Jenkins World #JenkinsWorld #JenkinsWorld Restricting job runs on nodes ©

    2016 CloudBees, Inc. All Rights Reserved

  24. Jenkins World #JenkinsWorld #JenkinsWorld Protecting Master © 2016 CloudBees, Inc.

    All Rights Reserved • NEVER let users run jobs on master • Only use it for system jobs owned by admins

  25. Jenkins World #JenkinsWorld Out of scope: Extra features • Item-specific

    security –Plugging Matric Project Security into Ownership Engine • Ownership-based restrictions for triggering jobs • Ownership assignment policy on create/copy • Groovy API for System Scripts (needs some love) • “sudo” mode implementation for admins © 2016 CloudBees, Inc. All Rights Reserved

  26. Jenkins World #JenkinsWorld Q&A? • Gitter: –https://gitter.im/jenkinsci/ownership-plugin • Also links:

    –https://wiki.jenkins- ci.org/display/JENKINS/Ownership+Plugin © 2016 CloudBees, Inc. All Rights Reserved

  27. Jenkins World #JenkinsWorld © 2016 CloudBees, Inc. All Rights Reserved

  28. Jenkins World #JenkinsWorld Concept © 2016 CloudBees, Inc. All Rights

    Reserved Authorization strategy Integrations • Queue dispatchers => hundreds tasks in queue • Permission checks in UI rendering => hundreds of items => different permissions