JW2016: Ownership Plugin Demo

Slide 1

Slide 1 text

Slide 2

Slide 2 text

Jenkins World #JenkinsWorld Ownership Plugin & Ownership- based Security Demo Oleg Nenashev • Jenkins core contributor • JAM and Jenkins Online Meetup organizer • Maintainer of plugins @oleg_nenashev oleg-nenashev onenashev

Slide 3

Slide 3 text

Slide 4

Slide 4 text

Slide 5

Slide 5 text

Jenkins World #JenkinsWorld Problem Statement • Need: Security engine for large-scale instances –Thousands of jobs –Hundreds of active users –Restricted access to jobs and nodes • Which is... –Easily manageable –Flexible –Fast, really fast © 2016 CloudBees, Inc. All Rights Reserved

Slide 6

Slide 6 text

Jenkins World #JenkinsWorld Common strategies do not “just work” •Project Matrix Authorization Strategy –Hard to manage –No support of Node permissions •Role-Based Strategy –Regular expression for each role –Hundreds of Regex checks every request ???? –Web UI easily hangs © 2016 CloudBees, Inc. All Rights Reserved

Slide 7

Slide 7 text

Jenkins World #JenkinsWorld Ownership-based Security © 2016 CloudBees, Inc. All Rights Reserved Role- Strategy Ownership Job Restrictions • First version have been developed at Synopsys, Inc. • Large instances powered by Jenkins OSS • Assign owners of jobs/nodes • Fancy UI • Auth strategy • Macro engine • Restrict runs of jobs and nodes

Slide 8

Slide 8 text

Slide 9

Slide 9 text

Slide 10

Slide 10 text

Jenkins World #JenkinsWorld Demo. What’s inside? © 2016 CloudBees, Inc. All Rights Reserved Ownership 0.9.0 Job Restrictions 0.5 Security Inspector 0.1-alpha-1 Jenkins core 2.7.4 (minimal – 1.625) Authorize Project 1.2.2 Dynamic Search View 0.2.2 Role Strategy 2.3.2

Slide 11

Slide 11 text

Slide 12

Slide 12 text

Jenkins World #JenkinsWorld Ownership Info. What Do you get? © 2016 CloudBees, Inc. All Rights Reserved • Ownership Summary Boxes • Ownership View Columns • View Filters • Also: @Me macro Customizable layout

Slide 13

Slide 13 text

Slide 14

Slide 14 text

Slide 15

Slide 15 text

Slide 16

Slide 16 text

Slide 17

Slide 17 text

Slide 18

Slide 18 text

Slide 19

Slide 19 text

Slide 20

Slide 20 text

Slide 21

Slide 21 text

Slide 22

Slide 22 text

Slide 23

Slide 23 text

Slide 24

Slide 24 text

Slide 25

Slide 25 text

Jenkins World #JenkinsWorld Out of scope: Extra features • Item-specific security –Plugging Matric Project Security into Ownership Engine • Ownership-based restrictions for triggering jobs • Ownership assignment policy on create/copy • Groovy API for System Scripts (needs some love) • “sudo” mode implementation for admins © 2016 CloudBees, Inc. All Rights Reserved

Slide 26

Slide 26 text

Jenkins World #JenkinsWorld Q&A? • Gitter: –https://gitter.im/jenkinsci/ownership-plugin • Also links: –https://wiki.jenkinsci.org/display/JENKINS/Ownership+Plugin © 2016 CloudBees, Inc. All Rights Reserved

Slide 27

Slide 27 text

Slide 28

Slide 28 text

Jenkins World #JenkinsWorld Concept © 2016 CloudBees, Inc. All Rights Reserved Authorization strategy Integrations • Queue dispatchers => hundreds tasks in queue • Permission checks in UI rendering => hundreds of items => different permissions