Authentication and Authorization in Jenkins and Nectar
TRANSCRIPT
©2011 CloudBees, Inc. All Rights Reserved
July 27th, 2011
Stephen Connolly, Architect, CloudBees, Inc.
Harpreet Singh, Senior Director, Product Management, CloudBees, Inc.
Housekeeping
• The slides will be made available as well as a link to the replay of this webinar.
• Links will be sent in an email after the webinar has finished (2-3 days).
The Presenters: Who exactly is talking?
The Presenters
Stephen Connolly is responsible for:
• Most of this talk
• Trying to answer the questions
Harpreet Singh is responsible for:
• Ensuring Stephen does not go too fast/slow
• Keeping track of questions for the Q&A session
Overview: What we will be covering today
Overview
• Jenkins Security Architecture
• Authentication Plugins
• Authorization Plugins
• CloudBees’ RBAC plugin
• Common Use Cases & Walk-throughs
• Questions & Answers
CloudBees: Who are we and what can we do for you?
About CloudBees
Our Mission / Strategy: Become the leading Platform as a Service (PaaS) for Java™
Why We’re Different: CloudBees services the complete lifecycle of Cloud application development and deployment. No Servers. No Virtual Machines. No IT.
• Nectar – CloudBees Pro version of Jenkins
• DEV@cloud – Cloud Services for Developers
• RUN@cloud – Frictionless runtime PaaS for Java apps
CloudBees Jenkins Solutions
• Professional support from the Experts
• Nectar: CloudBees’ Pro version of Jenkins (proprietary add-ons, stable release cycle)
• DEV@cloud: Self-service “Jenkins as a Service” (pay-as-you-go public cloud)
• DEV@cloud Private Edition: Self-Service “Jenkins as a Service” for Enterprises
Overview
• Jenkins Security Architecture
  – Server security
  – Security Realms
  – Authorization Strategies
  – Master/Slave security
• Authentication Plugins
• Authorization Plugins
• CloudBees’ RBAC plugin
• Common Use Cases & Walk-throughs
• Questions & Answers
Jenkins Security Architecture: What goes where and which does what…
Jenkins Security Architecture
• Security Realm provides user identity.
• Authorization Strategy provides user’s permissions for each object.
• Actions can require a specific permission to be performed.
Diagram labels: Security Realm → Identity; Authorization Strategy → Permission (per Object); Access → Action. Security Realm and Authorization Strategy are plugin extension points.
Server security
• Depends on your server:
  – Operating System: Windows, Linux
  – Servlet container: Winstone (java -jar jenkins.war), Tomcat, Jetty, JBoss, etc.
Server security (cont.)
• Checklist should include:
  – Server patches & hotfixes up to date
  – Server firewall configured appropriately
  – Server remote access locked down
    o Remote desktop on Windows
    o SSHD on *nix
  – Servlet container running as restricted user
  – Consider Apache HTTPD or nginx if exposing on a public network
Security Realms
What are they
• Core Jenkins extension point for Authentication
• Responsible for validating user identity
• Can only select one.
• Default for clean install: None
What is available already
• Core
  – None
  – Unix PAM
  – Internal DB
  – Legacy Container
• Open Source Plugins
  – Active Directory
  – CAS v1
  – CollabNet
  – Crowd
  – MySQL DB
  – OpenID SSO
  – Script & Extended Script
  – SourceForge Enterprise Edition
  – …
Authorization Strategies
What are they
• Core Jenkins extension point for Authorization
• Responsible for deciding the permissions available to users.
• Can only select one.
• Default for clean install: Unsecured
What is available already
• Core
  – Global Matrix
  – Project Matrix
  – Logged in user can do anything
  – Legacy Authorization
• Open Source Plugins
  – CollabNet
  – Role strategy
  – SourceForge Enterprise Edition
  – …
• CloudBees’ Plugins
  – RBAC
Permissions
What are they
• The fine-grained activities that can be secured within Jenkins
• Some permissions aggregate others, e.g. Global Admin implies all other standard permissions
• Plugins can define their own permissions for their own actions
What is available
• Overall: Administer, Read
• Slave: Configure, Delete
• Job: Create, Delete, Configure, Read, Build, Workspace
• View: Create, Delete, Configure
• …
Master / Slave security
• Bi-directional channel between Master and Slaves.
• To trust a slave it is necessary that you trust the JVM used to launch the slave.
  – That JVM can then fork less trusted JVMs for the builds if you want to
• SCM security is a bigger risk
  – Can fork threads, etc. as the user running the build
Checklist:
  – Only run builds on slaves
  – Use VM for slaves & reset VM image after every build
  – Launch slave process with a read-only JVM
  – Access to slaves should be as restricted as the Master
  – Install build tools read-only
Take Away: SCM security sets the upper bound
Overview
• Jenkins Security Architecture
• Authentication Plugins
  – Active Directory
  – Atlassian Crowd
  – LDAP
  – Open ID
  – Unix PAM
• Authorization Plugins
• CloudBees’ RBAC plugin
• Common Use Cases & Walk-throughs
• Questions & Answers
Authentication Plugins: Who are you and how can you prove it to me…
Authentication Plugins
• Not all plugins implement every feature
• Key features to check for are:
  – Supports signup
  – Provides group details
  – Supports group lookup
  – Can logout
• You may not need all/any of the above, but it may restrict your choice of Authorization Strategy
Active Directory (plugin)
• Authenticates the username and the password through Active Directory
• Actually multiple implementations under the hood and one is chosen based on your environment
Features:
  - Supports signup
  ✓ Provides group details
  ✓ Supports group lookup
  ✓ Can logout
Notes:
1. Jenkins does not have to run on Windows to use this.
2. Can require a correctly configured DNS for Active Directory
Atlassian Crowd (plugin)
• Authenticates the username and password through Atlassian Crowd
• Does not currently support SSO
Features:
  - Supports signup
  ✓ Provides group details
  -* Supports group lookup
  ✓ Can logout
Notes:
* CloudBees have a fix for the group lookup issue currently under test
• Authenticates the username and the password against a basic built-in database
Jenkins’ own user database (core)
©2011 CloudBees, Inc. All Rights Reserved
Feature
✓ Supports signup - Provides group
details - Supports group
lookup
✓ Can logoutNotes:1. Not recommended for
public facing instances.
LDAP (core)
• Authenticates the username and the password through LDAP
• Every LDAP server is different
  – Very flexible
  – Harder to configure than some of the other providers
Features:
  - Supports signup
  ✓* Provides group details
  ✓* Supports group lookup
  ✓ Can logout
Notes:
1. Can use for Active Directory
* No RFC covering how to map groups in LDAP ⇒ Group details may be unavailable
OpenID (plugin)
• Authenticates the user via OpenID provider(s)
• User is sent to the OpenID provider when required to authenticate
• Supports the OpenID team extension ⇒ group details
Features:
  - Supports signup
  ✓ Provides group details
  - Supports group lookup
  ✓ Can logout
Notes:
1. This plugin has a special “on-the-side” mode whereby users can link their OpenID identities with e.g. their Active Directory user account
Unix PAM (core)
• Authenticates the username and password through Unix Pluggable Authentication Modules
• Requires that Jenkins be running on Linux / Mac OS X / Unix
Features:
  - Supports signup
  ✓ Provides group details
  ✓ Supports group lookup
  ✓ Can logout
Notes:
1. Very quick to set up
2. Handy if you already have a federated PAM configuration
3. If on a public network serve Jenkins over https://
Feature Matrix
Feature                 Active Directory  Atlassian Crowd  Jenkins’ own DB  LDAP  OpenID  Unix PAM
Supports signup         -                 -                ✓                -     -       -
Provides group details  ✓                 ✓                -                ✓     ✓       ✓
Supports group lookup   ✓                 -*               -                ✓     -       ✓
Can logout              ✓                 ✓                ✓                ✓     ✓       ✓
* CloudBees have a fix for the Crowd group lookup issue currently under test
Overview
• Jenkins Security Architecture
• Authentication Plugins
• Authorization Plugins
  – Matrix Strategy
  – Project-based Matrix Strategy
  – Role strategy
  – CloudBees’ RBAC plugin
• CloudBees’ RBAC plugin
• Common Use Cases & Walk-throughs
• Questions & Answers
Authorization Plugins: So tell me… who can do what?
Matrix Strategy (core)
• A simple matrix of click-boxes.
• Each row is a user/group*
• Each column is a Permission
* If the Authentication plugin does not support group details then one row is required for each user
Authentication Features used: Provides group details (Optional), Supports group lookup (Optional)
Features:
  - Per-project configuration
  - Per-object configuration
  - Subtractive permissions model
  ✓* Supports external groups
  - Local group definition
  - Delegate management
  - Non-System Config config
Project-based Matrix Strategy (core)
• A simple matrix of click-boxes.
• Each row is a user/group*
• Each column is a Permission
• Each project can add its own matrix
Authentication Features used: Provides group details (Optional), Supports group lookup (Optional)
Features:
  ✓ Per-project configuration
  - Per-object configuration
  - Subtractive permissions model
  ✓* Supports external groups
  - Local group definition
  ✓ Delegate management
  ✓ Non-System Config config
Role Strategy (plugin)
• Allows grouping permissions into roles
• Roles assigned to users/groups
Authentication Features used: Provides group details (Optional), Supports group lookup (Optional)
Features:
  ✓‡ Per-project configuration
  - Per-object configuration
  - Subtractive permissions model
  ✓* Supports external groups
  - Local group definition
  -§ Delegate management
  ✓§ Non-System Config config
‡ Project roles are defined using a regex for the project name to which the role is restricted.
* If the Authentication plugin does not support group details then one row is required for each user
§ Requires global Admin role
CloudBees’ RBAC Plugin (plugin)
• A simple matrix of click-boxes (Row: role, Column: permission)
• Define groups at any level
• Assign roles to groups
• Filter roles at any level
Authentication Features used: Provides group details (Optional), Supports group lookup (Optional)
Features:
  ✓ Per-project configuration
  ✓ Per-object configuration
  ✓ Subtractive permissions model
  ✓* Supports external groups
  ✓ Local group definition
  ✓ Delegate management
  ✓ Non-System Config config
Feature Matrix
Feature                        Matrix Strategy  Project-based Matrix  Roles Strategy plugin  CloudBees RBAC plugin
Per-project configuration      -                ✓                     ✓‡                     ✓
Per-object configuration       -                -                     -                      ✓
Subtractive permissions model  -                -                     -                      ✓
Supports external groups       ✓*               ✓*                    ✓*                     ✓*
Local group definition         -                -                     -                      ✓
Delegate management            -                ✓                     -§                     ✓
Non-System Config config       -                ✓                     ✓§                     ✓
‡ Project roles are defined using a regex for the project name to which the role is restricted.
* If the Authentication plugin does not support group details then one row is required for each user
§ Requires global Admin role
Overview
• Jenkins Security Architecture
• Authentication Plugins
• Authorization Plugins
• CloudBees’ RBAC plugin
  – Overview
  – Inheritance model
  – Filtering
• Common Use Cases & Walk-throughs
• Questions & Answers
CloudBees’ RBAC plugin: Our take on an Authorization Strategy
A layered approach
• Roles defined in Nectar
• External Groups from LDAP / AD / Atlassian Crowd / etc.
• Local Groups defined in Nectar
  – Configure Roles in Local Groups
  – Manage membership in Local Groups: Users / other Local Groups / External Groups
• Role filtering to restrict inheritance
Diagram layers: What (roles), Who (external and local groups), Tweak (role filtering)
Adds new elements to the GUI (icons omitted)
Element          What is it
User             Users of Nectar
Group            Defined within Nectar
External group   Defined in LDAP / AD / etc.
System identity  Anonymous / Authenticated
Role             A set of permissions
Pinned role      A role tied to a specific object
Object based permissions
• Groups are defined on objects
  – Per-slave permissions
  – Per-folder permissions (Folders Plugin)
  – Per-module permissions (Maven Projects)
• Role definitions are global
• Role assignments can be scoped
How to deploy
1. Plan out your roles
2. Enable security
3. Add the roles
4. Save
5. Define Groups
6. Remove Admin permissions from Authenticated Role
7. Save
Inheritance model: Groups and roles
Diagram: Root contains Folder A (Job 1, Job 2) and Folder B (Job 1, Job 2, Job 3).
• On Root, the Devs group is assigned the Dev role.
• On Folder A, the Folder A Devs group is assigned the Dev role.
• Folder A and its jobs: have Dev role if in Devs group or Folder A Devs group.
• Folder B and its jobs: have Dev role if in Devs group.
Inheritance model: Pinned roles
Diagram: same tree (Root, Folder A with Job 1 and Job 2, Folder B with Job 1, Job 2 and Job 3). The Dev role assigned to the Devs group on Root is pinned to Root, so it does not propagate; Folder A Devs is assigned the Dev role on Folder A.
• Folder A and its jobs: have Dev role if in Folder A Devs group.
• Folder B and its jobs: nobody has Dev role.
Filtering
Diagram: same tree; the Devs group holds the Dev role on Root, Folder A Devs holds it on Folder A, and the Dev role is filtered at Folder A.
• Folder A and its jobs: have Dev role if in Folder A Devs group.
• Folder B and its jobs: have Dev role if in Devs group.
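A small Python model of the three inheritance diagrams above (groups and roles, pinned roles, filtering), added here as an illustration and not the RBAC plugin’s own code. The user names, the ldap-devs external group and the exact propagation rule (a pinned role stays on its object; a filter drops inherited roles at that level and below) are assumptions taken from the slides.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    name: str
    external_groups: frozenset = frozenset()   # from LDAP / AD / Crowd (constructed)


@dataclass
class Group:
    name: str
    members: set    # user names or external group names
    roles: dict     # role name -> pinned? (True = tied to this object only)

    def contains(self, user):
        return bool(self.members & ({user.name} | user.external_groups))


@dataclass
class Node:
    name: str
    parent: "Node | None" = None
    groups: list = field(default_factory=list)
    filtered: set = field(default_factory=set)  # roles that stop inheriting here

    def path_from_root(self):
        chain, n = [], self
        while n is not None:
            chain.append(n)
            n = n.parent
        return chain[::-1]


def effective_roles(user, node):
    """Roles the user holds on `node`, resolved by walking down from Root."""
    inherited = set()
    for n in node.path_from_root():
        held = inherited - n.filtered           # a filter blocks inherited roles
        pinned_here = set()
        for g in n.groups:
            if g.contains(user):
                for role, pinned in g.roles.items():
                    held.add(role)
                    if pinned:
                        pinned_here.add(role)
        if n is node:
            return held
        inherited = held - pinned_here          # pinned roles never propagate
    return inherited


def build_tree(pinned=False, filter_folder_a=False):
    """Root -> Folder A / Folder B with the group assignments from the slides."""
    root = Node("Root", groups=[Group("Devs", {"alice", "ldap-devs"}, {"Dev": pinned})])
    folder_a = Node("Folder A", root,
                    groups=[Group("Folder A Devs", {"bob"}, {"Dev": False})],
                    filtered={"Dev"} if filter_folder_a else set())
    folder_b = Node("Folder B", root)
    nodes = {"Root": root, "Folder A": folder_a, "Folder B": folder_b}
    for folder, jobs in ((folder_a, 2), (folder_b, 3)):
        for i in range(1, jobs + 1):
            nodes[f"{folder.name}/Job {i}"] = Node(f"Job {i}", folder)
    return nodes
```

Calling build_tree() with no arguments, with pinned=True, or with filter_folder_a=True reproduces the three diagrams in turn.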
Overview
• Jenkins Security Architecture
• Authentication Plugins
• Authorization Plugins
• CloudBees’ RBAC plugin
• Common Use Cases & Walk-throughs
  – Authenticated only
  – Public read-only
  – Dev vs SQA
  – Multi-department
  – Secret skunk-works projects
• Questions & Answers
Common use-cases & Walk-throughs: You’re not so different… here’s how you might do it…
Authenticated Only
Use case:
• System is set up so that only authenticated users can access.
• Authenticated users can do anything.
Authenticated Only
Strategy               Supports use-case
Matrix Strategy        ✓
Project-based Matrix   ✓
Roles Strategy plugin  ✓
CloudBees RBAC plugin  ✓
Notes: This is the initial default setting for this strategy
Walk-through: Authenticated Only use case
Public read-only
Use case:
• System is set up so that anonymous users can browse all projects.
• Anonymous users cannot access the Job Workspaces, or change/trigger anything.
• Authenticated users can do anything.
Public read-only
Strategy               Supports use-case
Matrix Strategy        ✓
Project-based Matrix   ✓
Roles Strategy plugin  ✓
CloudBees RBAC plugin  ✓
Walk-through: Public read-only use case
Dev vs SQA
Use case:
• System is set up so that anonymous users can browse all projects.
• Anonymous users cannot access the Job Workspaces, or change/trigger anything.
• Authenticated Developers can trigger builds.
• Authenticated SQA can delete/tag builds.
Dev vs SQA
Strategy               Supports use-case
Matrix Strategy        ✓
Project-based Matrix   ✓
Roles Strategy plugin  ✓
CloudBees RBAC plugin  ✓
Notes:
• Authentication provider must have external group support, or create a role mapping for every user
• RBAC can use local groups if the Authentication provider does not provide external group information
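The permission aggregation rule from the Permissions slide (Global Admin implies every other standard permission) and the Dev vs SQA matrix above, as an added Python model; this is an illustration written for this transcript, not Jenkins’ own authorization code. The permission names are the slide’s; the group names developers, sqa and admins are constructed, and the model assumes the anonymous row applies to every request, logged in or not.

```python
# Permission names as listed on the Permissions slide (Overall/... and Job/...).
PERMISSIONS = {
    "Overall/Administer", "Overall/Read",
    "Job/Create", "Job/Delete", "Job/Configure",
    "Job/Read", "Job/Build", "Job/Workspace",
}
# Aggregation rule from the slide: Administer implies every other standard permission.
IMPLIES = {"Overall/Administer": PERMISSIONS - {"Overall/Administer"}}

ANONYMOUS = "anonymous"          # system identity: everyone, logged in or not (assumed)
AUTHENTICATED = "authenticated"  # system identity: any logged-in user


def expand(granted):
    """Close a set of permissions under the implication rules."""
    closed, todo = set(), list(granted)
    while todo:
        p = todo.pop()
        if p not in closed:
            closed.add(p)
            todo.extend(IMPLIES.get(p, ()))
    return closed


class MatrixStrategy:
    """Rows are users/groups (sids), columns are permissions, as on the slide."""

    def __init__(self):
        self.rows = {}  # sid -> set of granted permission names

    def add(self, sid, permission):
        if permission not in PERMISSIONS:
            raise ValueError(f"unknown permission {permission!r}")
        self.rows.setdefault(sid, set()).add(permission)

    def has_permission(self, user, groups, permission):
        """user=None means an anonymous request; groups come from the Security Realm."""
        sids = {ANONYMOUS}  # the anonymous row is applied to every request (model assumption)
        if user is not None:
            sids |= {user, AUTHENTICATED, *groups}
        granted = set().union(*(self.rows.get(s, set()) for s in sids))
        return permission in expand(granted)


def dev_vs_sqa():
    """Matrix rows for the Dev vs SQA use case; the group names are constructed."""
    m = MatrixStrategy()
    m.add(ANONYMOUS, "Overall/Read")   # anonymous can browse ...
    m.add(ANONYMOUS, "Job/Read")       # ... but gets no Workspace, Build or Configure
    m.add("developers", "Job/Build")   # external group: may trigger builds
    m.add("sqa", "Job/Delete")         # external group: may delete/tag builds
    m.add("admins", "Overall/Administer")
    return m
```

Without external group support from the realm, the two group rows would have to be replaced by one row per developer and one per SQA user, which is the "role mapping for every user" note above.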
Walk-through: Dev vs SQA use case
Multi-department
Use case:
• System is set up so that anonymous users can browse all projects.
• Anonymous users cannot access the Job Workspaces, or change/trigger anything.
• Authenticated users can do anything to the projects in their department only. For projects outside their department they are like anonymous users.
Multi-department
Strategy               Supports use-case  Notes
Matrix Strategy        -                  Does not support per-project configuration
Project-based Matrix   ✓§                 Each project has its own security configuration
Roles Strategy plugin  ✓‡                 Use a regex to match the department A jobs and the department B jobs
CloudBees RBAC plugin  ✓                  With Folders plugin you can put each department’s jobs in separate folders for even easier management
§ Need to modify every job if a user moves from department A to department B
‡ Requires job naming policy or complex regex management
Walk-through: Multi-department use case
Secret skunk-works projects
Use case:
• A secret project is set up for a skunk-works team.
• Only the skunk-works team‡ can see the secret project.
• The skunk-works team are not otherwise restricted.
‡ Someone with direct disk access to the master may be able to find the skunk-works project. The aim is to hide the project from the GUI.
Secret skunk-works projects
• Implementation matrix with each plugin
Strategy               Supports use-case  Notes
Matrix Strategy        -                  Does not support per-project configuration
Project-based Matrix   ✓§                 Need to plan ahead: to support this use-case, all projects must be secret by default
Roles Strategy plugin  ✓§                 All secret projects must match a regex; if a non-secret regex matches the secret regex ⇒ public
CloudBees RBAC plugin  ✓                  Use role filters to make the project secret; can hide project in GUI even from Admins
§ Admins can see that the secret project exists
Walk-through: Secret skunk-works projects use case
Overview
• Jenkins Security Architecture
• Authentication Plugins
• Authorization Plugins
• CloudBees’ RBAC plugin
• Common Use Cases & Walk-throughs
• Questions & Answers
Support: Nectar
Nectar
• Releases every 6 months.
• Supported for 18 months.
• Patches every 6 weeks.
• Plugins supported for life of underlying release
• Support all plugins
• Nectar 10.10 and Nectar 11.04 released
CloudBees Resources
• CloudBees Resources Page – http://www.cloudbees.com/support.cb
• Try DEV@cloud & RUN@cloud – https://grandcentral.cloudbees.com/account/signup
• CloudBees Eclipse Plugin – http://cloudbees.com/eclipse-plugin.cb
• DEV@cloud Private Edition Beta Program (DEV@cloud for private clouds) – http://www.cloudbees.com/dev-pe.cb
Questions & Answers: And if the questions are too tough, we’ll answer offline…
Questions & Answers
• Raise your hand if you have a question and type your question into the question box…
• Harpreet is keeping track of who is next…
• We will unmute you while it is your Q&A…
• If an answer is going too long, or we need to check some specifics, we will distribute the answer off-line.