Scoping to a job

On Thu, 13 Feb 2020 at 11:23, Chris Kilding <chris+jenk...@chriskilding.com>
wrote:

> I was unclear on point 2. Is this a way to…
> - scope a credential to an individual job or jobs?
> - scope a credential to an individual build or builds?
> - provide ephemeral credentials that are created at the start of a build,
> exist during the lifetime of the build, and are scrapped at the end?
>
> Ephemeral credentials would be harder, as we would have to reconcile the
> long-lived nature of credentials (and the extra constraints of remote
> credential providers) with the short-lived nature of builds.
>
> Chris
>
> On 13 Feb 2020, at 06:40, Tim Jacomb <timjaco...@gmail.com> wrote:
>
> Which bit were you unclear about?
> Point 1?
>
> Point 1 is a request based authorisation, nothing is allowed to use it by
> default, jobs request to use it and then an authorised person allows it
>
> On Wed, 12 Feb 2020 at 23:36, Chris Kilding <
> chris+jenk...@chriskilding.com> wrote:
>
>> Point 2 (credentials scoped to a single build) could be relevant - if
>> we’re adding a credentials concept to a general ACL, a user should be able
>> to apply any kind of restriction that their ACL permits to the credentials
>> objects. (Not just folder restrictions.)
>>
>> I’m a bit unclear about what you meant though - could you clarify, maybe
>> with an example?
>>
>> Chris
>>
>> On 12 Feb 2020, at 18:01, Tim Jacomb <timjaco...@gmail.com> wrote:
>>
>> 
>>
>> Not directly related, possibly even to this JEP,
>>
>> But wanted to add a couple of features I’ve seen in other systems,
>>
>> 1. Require authorisation, before allowed to use, i.e. build is run and
>> fails because the credential isn’t authorised for that job but then an
>> administrator can authorise it and it will be allowed to use it on the next
>> run,
>> 2. Credentials scoped to a single build
>>
>> Thanks
>> Tim
>>
>> On Wed, 12 Feb 2020 at 17:50, Chris Kilding <
>> chris+jenk...@chriskilding.com> wrote:
>>
>>> The first thing to figure out is what role-based access control
>>> solutions are already out there for Jenkins, so we can then decide how best
>>> to fit this functionality in.
>>>
>>> I have encountered the following solutions which seem relevant, but I
>>> know very little about them:
>>>
>>> - Cloudbees RBAC plugin (commercial)
>>> - Role Strategy Plugin
>>> - Jenkins permissions system
>>>
>>> Would someone who knows these components well be able to provide more
>>> details, and thoughts on how we might add concepts of folders and
>>> credentials to them, so that credential access constraints could be
>>> formulated as standard rules?
>>>
>>> Chris
>>>
>>> > On 12 Feb 2020, at 16:29, Chris Kilding <
>>> chris+jenk...@chriskilding.com> wrote:
>>> >
>>> > Hello,
>>> >
>>> > This is the discussion thread for JEP-225: Folder-based access control
>>> for any credentials provider.
>>> >
>>> > A brief summary...
>>> >
>>> > The Cloudbees Folders Plugin has the ability to restrict access to
>>> credentials on a per-folder basis. Unfortunately this feature is only
>>> available for credentials stored in the Folders plugin's internal provider.
>>> This JEP will extend that concept, and allow users to specify folder-based
>>> access restrictions for any credential, from any provider.  (For example,
>>> the AWS Secrets Manager and Kubernetes providers.)
>>> >
>>> > This JEP is relevant in 2 notable cases:
>>> >
>>> > - Dev / Production environment isolation. (Ensure that only jobs in
>>> the production environment can access production credentials, and vice
>>> versa.)
>>> > - Per-team isolation on a multi-tenant Jenkins. (Ensure that only a
>>> given team or teams can access their credentials.)
>>> >
>>> > You can follow the pull request at
>>> https://github.com/jenkinsci/jep/pull/266.
>>> >
>>> > Chris
>>> >
>>> > --
>>> > You received this message because you are subscribed to the Google
>>> Groups "Jenkins Developers" group.
>>> > To unsubscribe from this group and stop receiving emails from it, send
>>> an email to jenkinsci-dev+unsubscr...@googlegroups.com.
>>> > To view this discussion on the web visit
>>> https://groups.google.com/d/msgid/jenkinsci-dev/9567dfcf-b057-4616-8682-2eccf7b127b0%40www.fastmail.com
>>> .
>>>
>>
>
>
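
The request-based authorisation described as point 1 in the thread, layered on the JEP's folder restriction, as a standalone model. This is an added example, not Jenkins or plugin code; `CredentialPolicy`, its methods, and the job, folder and credential names are hypothetical.

```python
from __future__ import annotations
from dataclasses import dataclass, field


class CredentialDenied(Exception):
    """Raised when a job uses a credential it has not been authorised for."""


@dataclass
class CredentialPolicy:
    folders: dict[str, list[str]]  # credential id -> folders allowed to ask
    admins: set[str] = field(default_factory=set)
    approved: set[tuple[str, str]] = field(default_factory=set)  # (cred, job)
    pending: set[tuple[str, str]] = field(default_factory=set)

    def in_folder(self, cred: str, job: str) -> bool:
        # Match whole path segments so "prod" does not cover "prod-copy/...".
        return any(job == f or job.startswith(f.rstrip("/") + "/")
                   for f in self.folders.get(cred, []))

    def use(self, cred: str, job: str) -> str:
        """Called by a build: denied unless folder-scoped AND approved."""
        if not self.in_folder(cred, job):
            # Out-of-folder jobs cannot even queue a request for an admin.
            raise CredentialDenied(f"{job}: outside folders allowed for {cred}")
        if (cred, job) not in self.approved:
            self.pending.add((cred, job))  # the failed build is the request
            raise CredentialDenied(f"{job}: {cred} awaiting authorisation")
        return f"<secret for {cred}>"  # placeholder; a provider resolves it

    def approve(self, admin: str, cred: str, job: str) -> None:
        if admin not in self.admins:
            raise PermissionError(f"{admin} may not authorise credentials")
        if (cred, job) not in self.pending:
            raise KeyError("no pending request for this credential and job")
        self.pending.discard((cred, job))
        self.approved.add((cred, job))


def demo() -> list[str]:
    # Constructed sample data: one production credential, one administrator.
    policy = CredentialPolicy(folders={"prod-db": ["prod"]}, admins={"alice"})
    log = []
    for job in ("prod/deploy", "prod-copy/deploy", "dev/test"):
        try:
            policy.use("prod-db", job)
        except CredentialDenied as exc:
            log.append(str(exc))
    policy.approve("alice", "prod-db", "prod/deploy")  # next run succeeds
    log.append(policy.use("prod-db", "prod/deploy"))
    return log
```
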
