Role-based Authorization Strategy2.6.0Minimum Jenkins requirement: 1.625.3ID: role-strategy
About this plugin
This plugin adds a new role-based strategy to ease and fasten users management. This strategy allows:
- Creating global roles, such as admin, job creator, anonymous, etc., allowing to set Overall, Slave, Job, Run, View and SCM permissions on a global basis.
- Creating project roles, allowing to set only Job and Run permissions on a project basis.
- Creating slave roles, allowing to set node-related permissions.
- Assigning these roles to users.
Table of contents
Using the plugin is fairly simple:
- Activate the Role-Based Strategy by using the standard Manage Jenkins > Configure System screen:
- Define and assign roles by using the Manages Roles item which appears in the Manage Jenkins screen:
You then get following options:
#* Manage Roles is the place where to set up roles:
There's nothing much to say here, this is self-explanatory. The only tricky field is the Pattern one. This field consists in a regular expression aimed at matching the full name (including the folder name, if you're using Cloudbees Folders Plugin) of the jobs which the role will apply to. For example, if you set the field to "
Roger-.*", then the role will match all jobs which name starts with "Roger-". Note that the pattern is case-sensitive. To perform a case-insensitive match, use
(?i)notation: upper, "
Roger-.*" vs. lower, "
roger-.*" vs. case-insensitive, "
(?i)roger-.*". If you have a nested folder structure where you want to provide the particular access to the second folder (or deeper), consider having a two-level security structure as well (Say you want to provide exclusive write/ modify type access to foo/bar and not everything else under "foo": First, assign that user/ group to read/ discover permissions with pattern " ^foo.* ", then assign that same user/ group to the more particular permissions with pattern " ^foo/bar.* " - Similar to what you'd do in a Unix/ Linux environment.
- #* Assign Roles is the place where to assign the defined roles to users:
Global Roles vs. Project Roles
It should be noted that the Global Roles override anything you specify in the Project Roles. That is, when you give a role the right to Job-Read in the Global Roles, then this role is allowed to read all Jobs, no matter what you specify in the Project Roles.
It may therefore be advisable to leave most (all) options unchecked in Job, Run and SCM in the Global Roles section for normal users.
There are two built-in roles:
*Anonymous* — Users who have not logged in
authenticated — Logged in users
Macros support (since 2.1.0)
Macros allow to extend analysis of user's access rights (see @RoleMacroExtension). If user's sid meets criteria in Roles and Assignments, then analysis will be propagated to extension, which makes decisions according to instance and parameters.
You can get list of available macros and theirs descriptions at the JENKINS_URL/role-strategy/list-macros page. At the current state, plugin has minimal set of available macros, but they can be added by extensions from plugins.
- Built-in: @BuildableJob
- Ownership plugin: Ownership-based roles: @Owner and @CoOwner (will be released in ownership-0.2)
Macros can be used in the following fields:
- RoleMacros - name of the role
- UserMacros - Not supported yet
Macro format: @macroName[:id][(parameter1, parameter2, ...)]>
- macroName - name of the macro (see available macros in the table below)
- id - identifier of the macro. Technical parameter, which allows to use same macros for multiple patterns
- parameter - additional parameters. At the current state, they don't support variables or TokenMacros
Macro string examples:
- @BuildableJob - Primitive macro invocation. Such invocation can be used only once in each roles category.
- @BuildableJob:1 - Macro with id
- @ParameterizedMacro(param1) - Invokes macro with one parameter
- @ParameterizedMacro:2(param1,param2) - Invokes macro with two parameters. Id prevents naming conflicts
The management interface becomes difficult to use with a large number of users and/or roles. Several Greasemonkey userscripts exist to make the UI easier to use (Jira issue):
Jenkins Role Strategy UI enhancer
This userscript adds a tooltip to the checkboxes indicating the row (e.g. user name) and column (e.g. permission).
Jenkins Role Strategy Role Management Enhancer and Jenkins Role Strategy Role Assignment Enhancer
These userscripts rotate the text in the column title cells on the Role Strategy configuration pages by 90 degrees so they use less horizontal space. Additionally, the first (header) column is repeated at the end of the table.
Version 2.6.0 (Aug 28, 2017)
- PR #30 - Add REST API endpoints to get and unassign roles
- Unassign role: curl -X POST localhost:8080/role-strategy/strategy/unassignRole --data "type=globalRoles&roleName=AMD&sid=username"
- List roles: curl -X GET localhost:8080/role-strategy/strategy/allRoles
- Update Jenkins core minimal requirement to 1.625.3
Version 2.5.1 (July 10, 2017)
Version 2.5.0 (Jun 02, 2017)
- JENKINS-37178 - Add REST API, which allows managing roles and assignments
- Add Role: curl -X POST localhost:8080/role-strategy/strategy/addRole --data "type=globalRoles&roleName=ADM&permissionIds=hudson.model.Item.Discover,hudson.model.Item.ExtendedRead&overwrite=true"
- Remove Role(s): curl -X POST localhost:8080/role-strategy/strategy/removeRoles --data "type=globalRoles&roleNames=ADMIN,DEV"
- Assign Role: curl -X POST localhost:8080/role-strategy/strategy/assignRole --data "type=globalRoles&roleName=ADMIN&sid=username"
- Delete SID from all roles: curl -X POST localhost:8080/role-strategy/strategy/deleteSid --data "type=globalRoles&sid=username"
- Type: globalRoles, projectRoles, slaveRoles
- Type: globalRoles, projectRoles, slaveRoles
- JENKINS-18377 - Improve speed of fetching roles by permission
- JENKINS-43058 - Stop mentioning "slaves" in the plugin UI and Javadoc
Version 2.4.0 (Apr 10, 2017)
This change is a part of the Security release in Jenkins.
- SECURITY-410 - Prohibit dangerous permissions by default
- Permissions like "Jenkins.RUN_SCRIPTS" cannot be granted to non-admin users by default
- After the upgrade to 2.4.0, such dangerous permission configurations will be disabled and reported in the Administrative Monitor
- "org.jenkinsci.plugins.rolestrategy.permissions.DangerousPermissionHandlingMode.enableDangerousPermissions" system property can be used to allow these dangerous permissions (not recommended)
- See the referenced issue for more info
- Fixed escaping of descriptions in the Role Strategy Macros list (JENKINS-38230)
Version 2.3.2 (06/13/2016)
- Performance: Disable user authorities resolution in permission checks by default (JENKINS-35515)
- It has been done due to the reported performance degradation in 2.3.0
- The 2.3.0 behavior can be restored by the org.jenkinsci.plugins.rolestrategy.Settings.treatUserAuthoritiesAsRoles system property
- If you enable it, the performance can be also tweaked by org.jenkinsci.plugins.rolestrategy.Settings.userDetailsCacheMaxSize and org.jenkinsci.plugins.rolestrategy.Settings.userDetailsCacheExpircationTimeSec
- Authorities resolution: Catch Runtime Exceptions from underlying Security Realms. Prevents Jenkins DoS in such case (JENKINS-35652)
- Generalize the help message for role patterns (JENKINS-35250)
2.3.1 is skipped due to the typo in the property name
Version 2.3.0 (06/07/2016)
- Threat user authorities as roles (https://github.com/jenkinsci/role-strategy-plugin/pull/13)
- Escape all form entry fields by default (prevent unintentional HTML injection by admins)
- Migration to the new Jenkins plugin parent POM
- Fixes of minor issues discovered by FindBugs
There are performance regressions reported to this version. Upgrade only after testing
Version 2.2.0 (06/29/2014)
- Support of Create Job permissions since jenkins-1.566 (JENKINS-19934)
- The permission requires the specific item name validation strategy, which should be selected in Jenkins global configuration
- Fixed help links in manage-roles pages (JENKINS-15030)
- Slave permissions: Allow assignment of permissions, which don't belong to "Slave" group (JENKINS-18978)
Version 2.1.0 (07/20/2013)
- Added support of individual permission assignments for slave nodes (JENKINS-18748)
- Added support of Macro roles (JENKINS-18700)
Version 1.1.3 (07/10/2013)
- Prevented exceptions in case of missing roles (JENKINS-18648)
- Prevented exceptions in case of deleted Permissions
- Support of folders plugin (JENKINS-17482)
- Upgraded to Jenkins 1.424
Version 1.1.2 (10/14/2011)
- Implemented JENKINS-9325: Permissions contributed by plugins can now be managed at the project roles level
- Upgraded to Jenkins 1.409
Version 1.1.1 (09/19/2011)
- Fixed JENKINS-8058: "<" and ">" characters were not supported in regular expression patterns
Version 1.1 (06/08/2011)
- SCM permissions (e.g. Tag) can now be handled at the project roles level
- Improved UI to handle large installations:
- Deletion buttons are now also displayed on the left of each table
- When having table with more than 20 entries, a footer is now added which repeats header
- It is now possible to edit already defined patterns by double-clicking on them in the Project roles table
- Fixed some typos
- Fixed some image display issues
Version 1.0 (09/20/2010)
- Initial release
Previous Security Warnings
Dangerous permissions can be configured independently of Administer permission
- Affects version 2.3.2 and earlier
CSRF vulnerability in security configuration
- Affects version 2.5.0 and earlier