Re: [go-cd] LDAP Group Authentication/Roles/Permissions

[Chantry Conkle]

Thanks!

On Wed, Nov 22, 2023, 11:42 AM Chad Wilson  wrote:

> Editing agent attributes via the UI requires wider server administration
> permissions. Don't think there is anything finer grained specifically for
> agent administration.
>
> Generally speaking, to automate tagging resources and environments to
> agents it is done on the agent side configuration itself via "auto
> registration":
> https://docs.gocd.org/current/advanced_usage/agent_auto_register.html.
>
> You can then subsequently control which jobs are allowed to use which
> logical environments and resources (i.e which agents they are able to be
> scheduled on) when using pipelines as code on the permissions for a config
> repository - but I do not believe that finer grained control is available
> if users use the GoCD UI or APIs to edit their pipelines/jobs (i.e they
> have direct edit/admin permissions for pipeline groups).
>
> -Chad
>
> On Wed, Nov 22, 2023 at 10:11 PM  wrote:
>
>> Do you know if this plugin allows any configuration for static agent
>> modify/admin permissions? Its doing exactly what I was looking for and
>> mapping permissions from roles, and also applying the role permissions for
>> pipeline groups. I’m trying to see if I can give certain users permissions
>> to add resource tags or assign environments to agents without giving them
>> full admin access to the server.
>>
>>
>>
>> Thanks!
>>
>>
>>
>> *From:* chant...@gmail.com 
>> *Sent:* Wednesday, November 8, 2023 2:00 PM
>> *To:* go-cd@googlegroups.com
>> *Subject:* RE: [go-cd] LDAP Group Authentication/Roles/Permissions
>>
>>
>>
>> Thanks! I’ll take a look. We are using the bundled version.
>>
>>
>>
>> *From:* go-cd@googlegroups.com  *On Behalf Of *Chad
>> Wilson
>> *Sent:* Wednesday, November 8, 2023 1:09 PM
>> *To:* go-cd@googlegroups.com
>> *Subject:* Re: [go-cd] LDAP Group Authentication/Roles/Permissions
>>
>>
>>
>> There are multiple LDAP plugins, so it depends which one you are
>> referring to. Sounds like you might want to look at
>> https://github.com/gocd/gocd-ldap-authorization-plugin rather than the
>> bundled 'authentication-only' version?
>>
>>
>>
>> -Chad
>>
>>
>>
>> On Thu, 9 Nov 2023, 05:33 Funkycybermonk,  wrote:
>>
>> Hello!
>>
>> I'm trying to manage a pool of users that is going to change over time
>> and their permissions across multiple GoCD servers. (regional server split)
>>
>> I can add a group into permissions using the LDAP plugin, but it doesn't
>> seem initially like the user permissions are inherited or managed by that
>> group membership. Is it possible to do group based permissions from AD or
>> does it have to be per-user?
>>
>> I'm trying to minimize work since we'll have to manually replicate the
>> roles and permissions across several servers.
>>
>> Thanks!
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "go-cd" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to go-cd+unsubscr...@googlegroups.com.
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/go-cd/4183dab6-4dad-4fd3-9055-01333843d0dbn%40googlegroups.com
>> <https://groups.google.com/d/msgid/go-cd/4183dab6-4dad-4fd3-9055-01333843d0dbn%40googlegroups.com?utm_medium=email_source=footer>
>> .
>>
>> --
>> You received this message because you are subscribed to a topic in the
>> Google Groups "go-cd" group.
>> To unsubscribe from this topic, visit
>> https://groups.google.com/d/topic/go-cd/YXdA8U4UNEY/unsubscribe.
>> To unsubscribe from this group and all its topics, send an email to
>> go-cd+unsubscr...@googlegroups.com.
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/go-cd/CAA1RwH8fUnhEOODV7im%2BVU_xkTfkTEDkmpvsz_bhmDGcLrfWJA%40mail.gmail.com
>> <https://groups.google.com/d/msgid/go-cd/CAA1RwH8fUnhEOODV7im%2BVU_xkTfkTEDkmpvsz_bhmDGcLrfWJA%40mail.gmail.com?utm_medium=email_source=footer>
>> .
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "go-cd" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to go-cd+unsubscr...@googlegroups.com.
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/go-cd/063a01da1d4d%24d23be980%2476b3bc80%24%40gmail.com
>> <https://groups.google.com/d/m

Re: [go-cd] LDAP Group Authentication/Roles/Permissions

[Chad Wilson]

Editing agent attributes via the UI requires wider server administration
permissions. Don't think there is anything finer grained specifically for
agent administration.

Generally speaking, to automate tagging resources and environments to
agents it is done on the agent side configuration itself via "auto
registration":
https://docs.gocd.org/current/advanced_usage/agent_auto_register.html.

You can then subsequently control which jobs are allowed to use which
logical environments and resources (i.e which agents they are able to be
scheduled on) when using pipelines as code on the permissions for a config
repository - but I do not believe that finer grained control is available
if users use the GoCD UI or APIs to edit their pipelines/jobs (i.e they
have direct edit/admin permissions for pipeline groups).

-Chad

On Wed, Nov 22, 2023 at 10:11 PM  wrote:

> Do you know if this plugin allows any configuration for static agent
> modify/admin permissions? Its doing exactly what I was looking for and
> mapping permissions from roles, and also applying the role permissions for
> pipeline groups. I’m trying to see if I can give certain users permissions
> to add resource tags or assign environments to agents without giving them
> full admin access to the server.
>
>
>
> Thanks!
>
>
>
> *From:* chant...@gmail.com 
> *Sent:* Wednesday, November 8, 2023 2:00 PM
> *To:* go-cd@googlegroups.com
> *Subject:* RE: [go-cd] LDAP Group Authentication/Roles/Permissions
>
>
>
> Thanks! I’ll take a look. We are using the bundled version.
>
>
>
> *From:* go-cd@googlegroups.com  *On Behalf Of *Chad
> Wilson
> *Sent:* Wednesday, November 8, 2023 1:09 PM
> *To:* go-cd@googlegroups.com
> *Subject:* Re: [go-cd] LDAP Group Authentication/Roles/Permissions
>
>
>
> There are multiple LDAP plugins, so it depends which one you are referring
> to. Sounds like you might want to look at
> https://github.com/gocd/gocd-ldap-authorization-plugin rather than the
> bundled 'authentication-only' version?
>
>
>
> -Chad
>
>
>
> On Thu, 9 Nov 2023, 05:33 Funkycybermonk,  wrote:
>
> Hello!
>
> I'm trying to manage a pool of users that is going to change over time and
> their permissions across multiple GoCD servers. (regional server split)
>
> I can add a group into permissions using the LDAP plugin, but it doesn't
> seem initially like the user permissions are inherited or managed by that
> group membership. Is it possible to do group based permissions from AD or
> does it have to be per-user?
>
> I'm trying to minimize work since we'll have to manually replicate the
> roles and permissions across several servers.
>
> Thanks!
>
> --
> You received this message because you are subscribed to the Google Groups
> "go-cd" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to go-cd+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/go-cd/4183dab6-4dad-4fd3-9055-01333843d0dbn%40googlegroups.com
> <https://groups.google.com/d/msgid/go-cd/4183dab6-4dad-4fd3-9055-01333843d0dbn%40googlegroups.com?utm_medium=email_source=footer>
> .
>
> --
> You received this message because you are subscribed to a topic in the
> Google Groups "go-cd" group.
> To unsubscribe from this topic, visit
> https://groups.google.com/d/topic/go-cd/YXdA8U4UNEY/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
> go-cd+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/go-cd/CAA1RwH8fUnhEOODV7im%2BVU_xkTfkTEDkmpvsz_bhmDGcLrfWJA%40mail.gmail.com
> <https://groups.google.com/d/msgid/go-cd/CAA1RwH8fUnhEOODV7im%2BVU_xkTfkTEDkmpvsz_bhmDGcLrfWJA%40mail.gmail.com?utm_medium=email_source=footer>
> .
>
> --
> You received this message because you are subscribed to the Google Groups
> "go-cd" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to go-cd+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/go-cd/063a01da1d4d%24d23be980%2476b3bc80%24%40gmail.com
> <https://groups.google.com/d/msgid/go-cd/063a01da1d4d%24d23be980%2476b3bc80%24%40gmail.com?utm_medium=email_source=footer>
> .
>

-- 
You received this message because you are subscribed to the Google Groups 
"go-cd" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to go-cd+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/go-cd/CAA1RwH8-uVFze56viifrbiYTUStdp6%2BG87EmZQadv4dyy6Q3yA%40mail.gmail.com.

RE: [go-cd] LDAP Group Authentication/Roles/Permissions

[chantryc]

Do you know if this plugin allows any configuration for static agent 
modify/admin permissions? Its doing exactly what I was looking for and mapping 
permissions from roles, and also applying the role permissions for pipeline 
groups. I’m trying to see if I can give certain users permissions to add 
resource tags or assign environments to agents without giving them full admin 
access to the server. 

 

Thanks!

 

From: chant...@gmail.com  
Sent: Wednesday, November 8, 2023 2:00 PM
To: go-cd@googlegroups.com
Subject: RE: [go-cd] LDAP Group Authentication/Roles/Permissions

 

Thanks! I’ll take a look. We are using the bundled version. 

 

From: go-cd@googlegroups.com <mailto:go-cd@googlegroups.com>  
mailto:go-cd@googlegroups.com> > On Behalf Of Chad 
Wilson
Sent: Wednesday, November 8, 2023 1:09 PM
To: go-cd@googlegroups.com <mailto:go-cd@googlegroups.com> 
Subject: Re: [go-cd] LDAP Group Authentication/Roles/Permissions

 

There are multiple LDAP plugins, so it depends which one you are referring to. 
Sounds like you might want to look at 
https://github.com/gocd/gocd-ldap-authorization-plugin rather than the bundled 
'authentication-only' version?

 

-Chad

 

On Thu, 9 Nov 2023, 05:33 Funkycybermonk, mailto:chant...@gmail.com> > wrote:

Hello!

I'm trying to manage a pool of users that is going to change over time and 
their permissions across multiple GoCD servers. (regional server split)

I can add a group into permissions using the LDAP plugin, but it doesn't seem 
initially like the user permissions are inherited or managed by that group 
membership. Is it possible to do group based permissions from AD or does it 
have to be per-user?

I'm trying to minimize work since we'll have to manually replicate the roles 
and permissions across several servers. 

Thanks! 

-- 
You received this message because you are subscribed to the Google Groups 
"go-cd" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to go-cd+unsubscr...@googlegroups.com 
<mailto:go-cd+unsubscr...@googlegroups.com> .
To view this discussion on the web visit 
https://groups.google.com/d/msgid/go-cd/4183dab6-4dad-4fd3-9055-01333843d0dbn%40googlegroups.com
 
<https://groups.google.com/d/msgid/go-cd/4183dab6-4dad-4fd3-9055-01333843d0dbn%40googlegroups.com?utm_medium=email_source=footer>
 .

-- 
You received this message because you are subscribed to a topic in the Google 
Groups "go-cd" group.
To unsubscribe from this topic, visit 
https://groups.google.com/d/topic/go-cd/YXdA8U4UNEY/unsubscribe.
To unsubscribe from this group and all its topics, send an email to 
go-cd+unsubscr...@googlegroups.com <mailto:go-cd+unsubscr...@googlegroups.com> .
To view this discussion on the web visit 
https://groups.google.com/d/msgid/go-cd/CAA1RwH8fUnhEOODV7im%2BVU_xkTfkTEDkmpvsz_bhmDGcLrfWJA%40mail.gmail.com
 
<https://groups.google.com/d/msgid/go-cd/CAA1RwH8fUnhEOODV7im%2BVU_xkTfkTEDkmpvsz_bhmDGcLrfWJA%40mail.gmail.com?utm_medium=email_source=footer>
 .

-- 
You received this message because you are subscribed to the Google Groups 
"go-cd" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to go-cd+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/go-cd/063a01da1d4d%24d23be980%2476b3bc80%24%40gmail.com.

RE: [go-cd] LDAP Group Authentication/Roles/Permissions

[chantryc]

Thanks! I’ll take a look. We are using the bundled version. 

 

From: go-cd@googlegroups.com  On Behalf Of Chad Wilson
Sent: Wednesday, November 8, 2023 1:09 PM
To: go-cd@googlegroups.com
Subject: Re: [go-cd] LDAP Group Authentication/Roles/Permissions

 

There are multiple LDAP plugins, so it depends which one you are referring to. 
Sounds like you might want to look at 
https://github.com/gocd/gocd-ldap-authorization-plugin rather than the bundled 
'authentication-only' version?

 

-Chad

 

On Thu, 9 Nov 2023, 05:33 Funkycybermonk, mailto:chant...@gmail.com> > wrote:

Hello!

I'm trying to manage a pool of users that is going to change over time and 
their permissions across multiple GoCD servers. (regional server split)

I can add a group into permissions using the LDAP plugin, but it doesn't seem 
initially like the user permissions are inherited or managed by that group 
membership. Is it possible to do group based permissions from AD or does it 
have to be per-user?

I'm trying to minimize work since we'll have to manually replicate the roles 
and permissions across several servers. 

Thanks! 

-- 
You received this message because you are subscribed to the Google Groups 
"go-cd" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to go-cd+unsubscr...@googlegroups.com 
<mailto:go-cd+unsubscr...@googlegroups.com> .
To view this discussion on the web visit 
https://groups.google.com/d/msgid/go-cd/4183dab6-4dad-4fd3-9055-01333843d0dbn%40googlegroups.com
 
<https://groups.google.com/d/msgid/go-cd/4183dab6-4dad-4fd3-9055-01333843d0dbn%40googlegroups.com?utm_medium=email_source=footer>
 .

-- 
You received this message because you are subscribed to a topic in the Google 
Groups "go-cd" group.
To unsubscribe from this topic, visit 
https://groups.google.com/d/topic/go-cd/YXdA8U4UNEY/unsubscribe.
To unsubscribe from this group and all its topics, send an email to 
go-cd+unsubscr...@googlegroups.com <mailto:go-cd+unsubscr...@googlegroups.com> .
To view this discussion on the web visit 
https://groups.google.com/d/msgid/go-cd/CAA1RwH8fUnhEOODV7im%2BVU_xkTfkTEDkmpvsz_bhmDGcLrfWJA%40mail.gmail.com
 
<https://groups.google.com/d/msgid/go-cd/CAA1RwH8fUnhEOODV7im%2BVU_xkTfkTEDkmpvsz_bhmDGcLrfWJA%40mail.gmail.com?utm_medium=email_source=footer>
 .

-- 
You received this message because you are subscribed to the Google Groups 
"go-cd" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to go-cd+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/go-cd/00e101da127e%24279ed1b0%2476dc7510%24%40gmail.com.

Re: [go-cd] LDAP Group Authentication/Roles/Permissions

[Chad Wilson]

There are multiple LDAP plugins, so it depends which one you are referring
to. Sounds like you might want to look at
https://github.com/gocd/gocd-ldap-authorization-plugin rather than the
bundled 'authentication-only' version?

-Chad


On Thu, 9 Nov 2023, 05:33 Funkycybermonk,  wrote:

> Hello!
>
> I'm trying to manage a pool of users that is going to change over time and
> their permissions across multiple GoCD servers. (regional server split)
>
> I can add a group into permissions using the LDAP plugin, but it doesn't
> seem initially like the user permissions are inherited or managed by that
> group membership. Is it possible to do group based permissions from AD or
> does it have to be per-user?
>
> I'm trying to minimize work since we'll have to manually replicate the
> roles and permissions across several servers.
>
> Thanks!
>
> --
> You received this message because you are subscribed to the Google Groups
> "go-cd" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to go-cd+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/go-cd/4183dab6-4dad-4fd3-9055-01333843d0dbn%40googlegroups.com
> 
> .
>

-- 
You received this message because you are subscribed to the Google Groups 
"go-cd" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to go-cd+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/go-cd/CAA1RwH8fUnhEOODV7im%2BVU_xkTfkTEDkmpvsz_bhmDGcLrfWJA%40mail.gmail.com.

[go-cd] LDAP Group Authentication/Roles/Permissions

[Funkycybermonk]

Hello!

I'm trying to manage a pool of users that is going to change over time and 
their permissions across multiple GoCD servers. (regional server split)

I can add a group into permissions using the LDAP plugin, but it doesn't 
seem initially like the user permissions are inherited or managed by that 
group membership. Is it possible to do group based permissions from AD or 
does it have to be per-user?

I'm trying to minimize work since we'll have to manually replicate the 
roles and permissions across several servers. 

Thanks!

-- 
You received this message because you are subscribed to the Google Groups 
"go-cd" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to go-cd+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/go-cd/4183dab6-4dad-4fd3-9055-01333843d0dbn%40googlegroups.com.