Authentication and authorization in Jenkins and nectar 1

1©2011 CloudBees, Inc. All Rights Reserved

Authentication and Authorization in Jenkins and NectarJuly 27th, 2011

Stephen Connolly Harpreet SinghArchitectCloudBees, Inc.

Senior Director, Product ManagementCloudBees, Inc.

22

• The slides will be made available as well as a link to the replay of this webinar.

• Links will be sent in an email after the webinar has finished (2-3 days).

Housekeeping

©2011 CloudBees, Inc. All Rights Reserved

33

The PresentersWho exactly is talking?


44

Stephen Connolly

Responsible for• Most of this talk• Trying to answer the

questions

Harpreet Singh

Responsible for• Ensuring Stephen does

not go too fast/slow• Keeping track of

questions for the Q&A session

The Presenters


55

OverviewWhat we will be covering today


66

• Jenkins Security Architecture• Authentication Plugins• Authorization Plugins• CloudBees’ RBAC plugin• Common Use Cases & Walk-throughs• Questions & Answers

Overview


77

CloudBeesWho are we and what we can do for you?



About CloudBees

Our Mission

Strategy

Become the leading Platform as a Service (PaaS) for Java™

Why We’re Different

CloudBees services the complete lifecycle of Cloud application development and deployment.No Servers. No Virtual Machines. No IT. Nectar – CloudBees Pro version of Jenkins DEV@cloud – Cloud Services for Developers RUN@cloud – Frictionless

runtime PaaS for Java apps

99

CloudBees Jenkins Solutions


Professional support from the Experts

1010



CloudBees’ Pro version of Jenkinsproprietary add-ons, stable release cycle


1111



Self-service “Jenkins as a Service”pay-as-you-go public cloud

DEV@cloud



1212



Self-Service “Jenkins as a Service”for Enterprises



Self-service “Jenkins as a Service”pay-as-you-go public cloud

DEV@cloud

DEV@cloudPrivate Edition

1313

• Jenkins Security Architecture– Server security– Security Realms– Authorization Strategies–Master/Slave security

• Authentication Plugins• Authorization Plugins• CloudBees’ RBAC plugin• Common Use Cases & Walk-throughs• Questions & Answers

Overview


1414

Jenkins Security ArchitectureWhat goes where and which does what…


1515

• Security Realm provides user identity

• Authorization Strategy provides user’s permissions for each object.

• Actions can require a specific permission to be performed.

Jenkins Security Architecture


Security Realm

Authorization Strategy

Identity

Permission

Object

Access

Action

Plugins extension points

1616

• Depends on your server:– Operating System• Windows• Linux

– Servlet container• Winstone (java -jar jenkins.war)• Tomcat• Jetty• JBoss• etc

Server security


1717

• Checklist should include Server patches & hotfixes up to date Server firewall configured appropriately Server remote access locked down

oRemote desktop on WindowsoSSHD on *nix

Servlet container running as restricted user

Consider Apache HTTPD or nginx if exposing on a public network

Server security (cont.)


1818

What are they

• Core Jenkins extension point for Authentication

• Responsible for validating user identity

• Can only select one.

• Default for clean install:

None

What is available already• Core

– None– Unix PAM– Internal DB– Legacy Container

• Open Source Plugins– Active Directory– CAS v1– CollabNet– Crowd– MySQL DB– OpenID SSO– Script & Extended Script– SourceForge Enterprise Edition– …

Security Realms


1919

What are they

• Core Jenkins extension point for Authorization

• Responsible for deciding the permissions available to users.

• Can only select one.

• Default for clean install:

Unsecured

What is available already• Core

– Global Matrix– Project Matrix– Logged in user can do anything– Legacy Authorization

• Open Source Plugins– CollabNet– Role strategy– SourceForge Enterprise Edition– …

• CloudBees’ Plugins– RBAC

Authorization Strategies


2020

What are they

• The fine-grained activities that can be secured within Jenkins

• Some permissions aggregate others, e.g. Global Admin implies all other standard permissions

• Plugins can define their own permissions for their own actions

What is available• Overall

– Administer– Read

• Slave– Configure– Delete

• Job– Create– Delete– Configure– Read– Build– Workspace

• View– Create– Delete– Configure

• …

Permissions


2121

• Bi-directional channel between Master and Slaves.

• To trust a slave it is necessary that you trust the JVM used to launch the slave.– That JVM can then fork

less trusted JVMs for the builds if you want to

• SCM security is a bigger risk– Can fork threads, etc as the

user running the build

Checklist Only run builds on slaves Use VM for slaves & reset

VM image after every build

Launch slave process with a read-only JVM

Access to slaves should be as restricted as the Master

Install build tools read-only

Master / Slave security


Take Away SCM security sets the upper bound

2222

Jenkins Security Architecture

• Authentication Plugins– Active Directory– Atlassian Crowd– LDAP– Open ID– Unix PAM

• Authorization Plugins• CloudBees’ RBAC plugin• Common Use Cases & Walk-throughs• Questions & Answers

Overview


2323

Authentication PluginsWho are you and how can you prove it to me…


2424

• Not all plugins implement every feature

• Key features to check for are:– Supports signup– Provides group details– Supports group lookup– Can logout

• You may not need all/any of the above but it may restrict your choice of Authorization Strategy

Authentication Plugins


2525

• Authenticates the username and the password through Active Directory

• Actually multiple implementations under the hood and one is chosen based on your environment

Active Directory (plugin)


Feature - Supports signup

✓ Provides group details

✓ Supports group lookup

✓ Can logoutNotes:1. Jenkins does not have to

run on Windows to use this.

2. Can require a correctly configured DNS for Active Directory

2626

• Authenticates the username and password through Atlassian Crowd

• Does not currently support SSO

Atlassian Crowd (plugin)




-* Supports group lookup

✓ Can logoutNotes:* CloudBees have a fix for

the group lookup issue currently under test

2727

• Authenticates the username and the password against a basic built-in database

Jenkins’ own user database (core)


Feature

✓ Supports signup - Provides group

details - Supports group

lookup

✓ Can logoutNotes:1. Not recommended for

public facing instances.

2828

• Authenticates the username and the password through LDAP

• Every LDAP server is different- Very flexible - Harder to

configure than some of the other providers

LDAP (core)



✓* Provides group details

✓* Supports group lookup

✓ Can logoutNotes:1. Can use for Active

Directory

* No RFC covering how to map groups in LDAP

⇒ Group details may be unavailable

2929

• Authenticates the user via OpenID provider(s)

• User is sent to the OpenID provider when required to authenticate

• Supports the OpenID team extension => group details

OpenID (plugin)




- Supports group lookup

✓ Can logoutNotes:1. This plugin has a special

“on-the-side” mode whereby users can link their OpenID identities with e.g. their Active Directory user account

3030

• Authenticates the username and password through Unix Pluggable Authentication Modules

• Requires that Jenkins be running on Linux / Mac OS X / Unix

Unix PAM (core)


Feature

- Supports signup


✓ Supports group lookup

✓ Can logoutNotes:1. Very quick to set-up2. Handy if you already

have a federated PAM configuration

3. If on a public network serve Jenkins over https://

3131

Active Direct

ory

Atlassian

Crowd

Jenkins’ own

DB

LDAP OpenID

Unix PAM

Supports signup

- - ✓ - - -

Provides group details

✓ ✓ - ✓ ✓ ✓

Supports group lookup

✓ -* - ✓ - ✓

Can logout

✓ ✓ ✓ ✓ ✓ ✓

Feature Matrix


3232

Jenkins Security Architecture Authentication Plugins

• Authorization Plugins– Matrix Strategy– Project-based Matrix Strategy– Role strategy– CloudBees’ RBAC plugin

• CloudBees’ RBAC plugin• Common Use Cases & Walk-throughs• Questions & Answers

Overview


3333

Authorization PluginsSo tell me… who can do what?


3434

• A simple matrix of click-boxes.

• Each row is a user/group*

• Each column is a Permission

* If the Authentication plugin does not support group details then one row is required for each user

Authentication Features

Provides group details (Optional)

Supports group lookup (Optional)

Matrix Strategy (core)


Feature

- Per-project configuration

- Per-object configuration

- Subtractive permissions model

✓* Supports external groups

- Local group definition

- Delegate management

- Non-System Config config

3535

• A simple matrix of click-boxes.

• Each row is a user/group*

• Each column is a Permission

• Each project can add its own matrix




Project-based Matrix Strategy (core)


Feature

✓ Per-project configuration





✓ Delegate management

✓ Non-System Config config

3636

• Allows grouping permissions into roles

• Roles assigned to users/groups

‡ Project roles are defined using a regex for the project name to which the role is restricted.* If the Authentication plugin does not support group details then one row is required for each user§ Requires global Admin role




Role Strategy (plugin)


Feature

✓‡ Per-project configuration





-§ Delegate management

✓§ Non-System Config config

3737

• A simple matrix of click-boxesRow: roleColumn: permission

• Define groups at any level

• Assign roles to groups

• Filter roles at any level




CloudBees’ RBAC Plugin (plugin)


Feature

✓ Per-project configuration

✓ Per-object configuration

✓ Subtractive permissions model


✓ Local group definition

✓ Delegate management

✓ Non-System Config config

3838

Feature Matrix


Matrix Strategy

Project-based Matrix

Roles Strategy plugin

CloudBees RBAC plugin

Per-project configuration

- ✓ ✓‡ ✓

Per-object configuration

- - - ✓

Subtractive permissions model

- - - ✓

Supports external groups

✓* ✓* ✓* ✓*

Local group definition

- - - ✓

Delegate management

- ✓ -§ ✓

Non-System Config config

- ✓ ✓§ ✓

3939

Jenkins Security Architecture Authentication Plugins Authorization Plugins

• CloudBees’ RBAC plugin– Overview– Inheritance model– Filtering

• Common Use Cases & Walk-throughs• Questions & Answers

Overview


4040

CloudBees’ RBAC pluginOur take on an Authorization Strategy


4141

• Roles defined in Nectar

• External Groups from LDAP / AD / Atlassian Crowd / etc

• Local Groups defined in Nectar– Configure Roles in Local Groups– Manage membership in Local Groups• Users / other Local Groups / External

Groups

• Role filtering to restrict inheritance

A layered approach


What

Who

Tweak

4242

Adds new elements to the GUI

Icon What is it What is it for

User Users of Nectar

Group Defined within Nectar

External group Defined in LDAP / AD / etc

System identity Anonymous / Authenticated

Role A set of permissions

Pinned role A role tied to a specific object


4343

• Groups are defined on objects– Per-slave permissions– Per-folder permissions (Folders Plugin)– Per-module permissions (Maven

Projects)

• Role definitions are global• Role assignments can be scoped

Object based permissions


4444

1. Plan out your roles

2. Enable security3. Add the roles4. Save5. Define Groups6. Remove Admin

permissions from Authenticated Role

7. Save

How to deploy


4545

Root

Folder AJob 1

Job 2

Folder B

Job 1

Job 2

Job 3

Inheritance model: Groups and roles


Devs Dev

DevFolder A Devs

Have Dev role if in

Devs group or Folder A

Devs group

Have Dev role if in

Devs group

4646

Root

Folder AJob 1

Job 2

Folder B

Job 1

Job 2

Job 3

Inheritance model: Pinned roles


Devs Dev

DevFolder A Devs

Have Dev role if in Folder A

Devs group

Nobody has Dev

role

4747

Root

Folder AJob 1

Job 2

Folder B

Job 1

Job 2

Job 3

Filtering


Devs Dev

DevFolder A Devs

Have Dev role if in Folder A

Devs group

Have Dev role if in

Devs group

4848

Jenkins Security Architecture Authentication Plugins Authorization Plugins CloudBees’ RBAC plugin

• Common Use Cases & Walk-throughs– Authenticated only– Public read-only– Dev vs SQA– Multi-department– Secret skunk-works projects

• Questions & Answers

Overview


4949

Common use-cases & Walk-throughsYou’re not so different… here’s how you might do it…


5050

Use case• System is set up so that only

authenticated users can access.• Authenticated users can do

anything.

Authenticated Only


5151

Authenticated Only


Matrix Strategy




Supports Use-Case

✓ ✓ ✓ ✓

Notes This is the initial default setting for this strategy

5252

Walk-throughAuthenticated Only use case


http://localhost:8080/

5353

Use case• System is set up so that anonymous

users can browse all projects• Anonymous users cannot access the

Job Workspaces, or change/trigger anything

• Authenticated users can do anything.

Public read-only


5454

Public read-only


Matrix Strategy




Supports Use-Case

✓ ✓ ✓ ✓

Notes

5555

Walk-throughPublic read-only use case



5656


users can browse all projects.• Anonymous users cannot access the

Job Workspaces, or change/trigger anything.

• Authenticated Developers can trigger builds.

• Authenticate SQA can delete/tag builds.

Dev vs SQA


5757

Dev vs SQA


Matrix Strategy




Supports Use-Case

✓ ✓ ✓ ✓

Notes Authentication provider must have external group support

or

Create a role mapping for every user

Can use local groups if Authentication provider does not provide external group information

5858

Walk-throughDev vs SQA use case



5959


users can browse all projects• Anonymous users cannot access the

Job Workspaces, or change/trigger anything

• Authenticated users can do anything to the projects in their department only. For projects outside their department they are like anonymous users.

Multi-department


6060

Multi-department


Matrix Strategy




Supports Use-Case

- ✓§ ✓‡ ✓

Notes Does not support per-project configuration

Each project has its own security configuration

§ Need to modify every job if a user moves from department A to department B

Use a regex to match the department A jobs and the department B jobs

‡ Requires job naming policy or complex regex management

With Folders plugin you can put each department’s jobs in separate folders for even easier management

6161

Walk-throughMulti-department use case



6262

Use case• A secret project is set up for a

skunk-works team.• Only the skunk-works team‡ can see

the secret project. • The skunk-works team are not

otherwise restricted.

‡ Someone with direct disk access to the master may be able to find the

skunk-works project. The aim is to hide the project from the GUI.

Secret skunk-works projects


6363

• Impl matrix with each plugin

Secret skunk-works projects


Matrix Strategy




Supports Use-Case

- ✓§ ✓§ ✓

Notes Does not support per-project configuration

Need to plan ahead.

To support this use-case, all projects must be secret by default

§ Admins can see that the secret project exists

All secret projects must match a regex.

If a non-secret regex matches the secret regex => public

§ Admins can see that the secret project exists

Use role filters to make the project secret.

Can hide project in GUI even from Admins

6464

Walk-throughSecret skunk-works projects use case



6565

Jenkins Security Architecture Authentication Plugins Authorization Plugins CloudBees’ RBAC plugin Common Use Cases & Walk-throughs

• Questions & Answers

Overview


6666

SupportNectar


6767

• Releases every 6 months. • Supported for 18 months.• Patches every 6 weeks.• Plugins supported for life of

underlying release• Support all plugins• Nectar 10.10 and Nectar 11.04

released

Nectar


6868

• CloudBees Resources Page – http://www.cloudbees.com/support.cb

• Try DEV@cloud & RUN@cloud– https://grandcentral.cloudbees.com/account/signup

• CloudBees Eclipse Plugin– http://cloudbees.com/eclipse-plugin.cb

• DEV@cloud Private Edition Beta Program (DEV@cloud for private clouds)– http://www.cloudbees.com/dev-pe.cb

CloudBees Resources


http://www.cloudbees.com/support.cb

https://grandcentral.cloudbees.com/account/signup

http://cloudbees.com/eclipse-plugin.cb

http://www.cloudbees.com/dev-pe.cb

6969

Questions & AnswersAnd if the questions are too tough, we’ll answer offline…


7070

• Raise your hand if you have a question and type your question into the question box…

• Harpreet is keeping track of who is next…

• We will unmute you while it is your Q&A…

• If an answer is going too long, or we need to check some specifics we will distribute the answer off-line.

Questions & Answers


Authentication and authorization in Jenkins and nectar 1

Technology

Transcript of Authentication and authorization in Jenkins and nectar 1