Sunday, March 14, 2021

Jenkins Manage Assign Roles - Role based Strategy

Here I work out a solution to the requirement that users who belong to QA must have access only to the QA-related jobs. In this post, 

Situation
An IT organization includes multiple teams, such as QA, Release, Developer, and DBA or Middleware Engineers.
Jenkins Master - Container-based
By default, all users have the same authorization.

I would like to share how to launch the Jenkins master in a Docker container. Log in to the Docker playground, then click 'Add Node' on the left side. You will get a terminal to use for 4 hours to play with the Docker engine.

Jenkins Security Realm


 

To run Jenkins inside a Docker container:

  1. Name the container jenkins-master
  2. Run in detached mode with -d
  3. Forward container port 8080 to host port 8081, and 50000 to 50001
  4. Allocate a volume for the Jenkins workspace with -v
  5. Use the Blue Ocean Docker image
Let's launch the Jenkins container using the command below:
docker run --name jenkins-master -u root --rm \
 -d -p 8081:8080  -p 50001:50000 \
 -v jenkins-data:/var/jenkins_home \
 -v /var/run/docker.sock:/var/run/docker.sock \
 jenkinsci/blueocean 
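Note that -u root together with the /var/run/docker.sock mount lets the container drive the host's Docker daemon, which is fine on a throwaway playground node but is effectively root on the host anywhere else.
Check the Jenkins master logs from the jenkins-master container: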
docker logs jenkins-master 
Copy the encrypted initialAdminPassword to start working on Jenkins.
Jenkins runs on Docker

After you complete the regular steps on the Jenkins console, the installation of the suggested plugins completes.
Once your Jenkins setup is completed you will see in the browser: "Jenkins is ready!" Start using Jenkins
to create the default admin user, which we will use for administering users and managing role assignments.

Jenkins Admin User
Jenkins Create First Admin User

Click "Save and Continue".

How to create a User in Jenkins?

These users can log in to Jenkins. They are maintained in the Jenkins master's own user database.
Let's create a user now; ensure you are logged in as the 'administrator' user.

Navigation steps:
  1. Go to 'Manage Jenkins'
  2. Select 'Manage Users'
  3. Select 'Create User'
    1. Enter Username
    2. Enter Password and the same value in Confirm Password
    3. Enter Full name, which is displayed at the top when you log in with this user
    4. In an organization's multi-user Jenkins, enter the email ID so that users can be tracked
Jenkins User
Create User on Jenkins


Jenkins allows us to create multiple users, but they are all set to the global role, which means "Anyone can do Anything". That is not good when you have a lot of users and a lot of projects running in the same Jenkins Security Realm. When the project grows to a large scale, we must use role-specific assignment for the users.

How to install 'Role-based Authorization Strategy' plugin?


There is a Jenkins plugin, 'Role-based Authorization Strategy', which allows us to assign different roles to different team members (users). Hence we need to install that plugin.

Jenkins > Manage Jenkins > Manage Plugins > Available tab, filter 'role'.
Select 'Role-based Authorization Strategy'.





Enable user authorization using a Role-based strategy. Roles can be defined globally or for particular jobs or nodes selected by regular expressions.

How to configure Global Security for Role-based?

To secure Jenkins we can define who is allowed to access or use the Jenkins master configuration from 'Configure Global Security'. To enable Role-based authorization, do the following steps:
  • Go to Manage Jenkins
  • Under the Security section, select Configure Global Security
  • Select the 'Role-based Authorization' radio button
  • Save the configuration
Global Configuration Security
Authorization - Role-based Strategy



How to add Global Role in Jenkins?


Navigate to 'Manage Jenkins', then select 'Manage and Assign Roles' from the right pane.
At the top of the 'Manage Roles' page you will see the Global roles section, where the admin role is available by default with full access to anything on Jenkins. Now add the new global role 'devopsAdmin'.
Manage Global Roles

Full Global Role picture

Global Role in Jenkins
Jenkins Manage Global Roles



Now in the Global roles table, under 'Overall', choose the 'Read' permission, which enables the user to access the Jenkins dashboard.
In the Global roles table, for the 'devopsAdmin' role choose all the options under 'View'.
At the bottom, click the 'Apply' button to save and continue.

How to setup Project roles?

On the same 'Manage Roles' page we can add project-specific roles. Here, for test purposes, we are using three roles:

  1. DBA TEAM - dba
  2. DEVELOPER TEAM - developer
  3. TESTING TEAM - qa


Project roles in Jenkins
Manage roles for Project item

Once everything is set on the 'Manage Roles' page, go to the 'Assign Roles' option from 'Manage and Assign Roles' under the Security section.

Assign Global roles for each user

Add the Jenkins users that were created earlier; in our example srini, rajashekhar and melvin were created.
Select the global role that you created in the Global roles section on the 'Manage Roles' page.


After you assign the users 'Srini, Melvin, Rajashekhar', in place of the global roles they automatically turn to dev, dba, qa:




Similarly, we can assign the users 'Srini, Melvin, Rajashekhar' to the roles for items (project-based), as shown below.


User adding to Project roles in Jenkins
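
The project roles above select jobs by regular expression, so whether QA users see only QA jobs depends on the patterns entered. The following is an added example, not from the original post, that audits role patterns against job names before they are applied. It assumes the plugin requires the pattern to match the whole job name (modelled here with Python's re.fullmatch); the job names, patterns and user-to-role pairing are constructed for illustration.

```python
import re

# Constructed sample data (not from the post): job names and the item-role
# patterns an admin might enter on the 'Manage Roles' page.
JOBS = ["qa-smoke-tests", "qa-regression", "dev-build-api",
        "dba-schema-migrate", "dba-qa-refresh", "release-deploy"]
ITEM_ROLES = {"qa": r"qa-.*", "developer": r"dev-.*", "dba": r"dba-.*"}
# Assumed user-to-role pairing; the post names the users but not the pairing.
ASSIGNMENTS = {"srini": ["developer"], "melvin": ["dba"], "rajashekhar": ["qa"]}


def jobs_for_role(pattern, jobs):
    """Jobs a role covers. The whole job name must match the pattern
    (assumption about the plugin), so fullmatch is used, not search."""
    rx = re.compile(pattern)
    return [j for j in jobs if rx.fullmatch(j)]


def jobs_for_user(user, assignments, roles, jobs):
    """Union of the jobs covered by every item role the user holds."""
    seen = set()
    for role in assignments.get(user, []):
        seen.update(jobs_for_role(roles[role], jobs))
    return sorted(seen)


def audit(roles, jobs):
    """Return (overlaps, orphans): jobs matched by more than one role,
    and jobs matched by no item role at all."""
    hits = {j: [r for r, p in roles.items() if re.fullmatch(p, j)] for j in jobs}
    overlaps = {j: rs for j, rs in hits.items() if len(rs) > 1}
    orphans = [j for j, rs in hits.items() if not rs]
    return overlaps, orphans


if __name__ == "__main__":
    for user in ASSIGNMENTS:
        print(user, "->", jobs_for_user(user, ASSIGNMENTS, ITEM_ROLES, JOBS))
    print("strict patterns:", audit(ITEM_ROLES, JOBS))
    # A looser qa pattern also matches a DBA job, so QA users would see it.
    loose = dict(ITEM_ROLES, qa=r".*qa.*")
    print("loose qa pattern:", audit(loose, JOBS))
```

An overlap means a job is reachable through two team roles; an orphan is reachable only through whatever job permissions a global role grants.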

Finally, we have succeeded in implementing a role-based authorization for the Jenkins system.

Admin full access to all jobs
Jenkins limited access to developer role




Please write your experience with the steps.


