In practice, multiple teams rely on the same Jenkins instance for continuous delivery, but the teams need to be isolated from one another. Each project has its own view, and team members can see only the Jenkins jobs of their own project.

However, Jenkins’ default authorization management does not support configuring user groups or roles. The Role-based Authorization Strategy plug-in is used here to achieve this.

Permission Role Configuration

Plug-in installation is skipped here; this section shows how to configure permissions per project.

1. Enable the role-based Authorization Strategy

Choose System > Configure Global Security and enable the Role-based Authorization Strategy there.

Note: Jenkins does not prevent you from changing the policy after it is enabled, but policies are independent of each other. If you select another policy, the current policy is lost, including the configuration that has taken effect.

2. Create Global Roles and Project Roles

Choose System > Manage and Assign Roles

Under Manage Roles there are Global Roles and Project Roles. Project roles control access to projects only (they carry no Jenkins management permissions), so you need to add a specific role for each project. Configure the job pattern as a regular expression, for example “prod.*”; for jobs whose names start with dev, write “dev.*”. Be sure to include the “.”. “.*test” matches items whose names end in test.

Note: Global Roles must be configured before Project Roles can be configured. You can assign permissions for roles globally first, and then by project.

3. Roles Configuration rules and process

This section describes the rules and process for configuring project roles.

3.1 Adding a Project Role to a project/team

The demo project is used as an example; manager and user roles are added for it.

    - role:demo-manager - pattern: "^demo-[a-zA-Z]*"
    - role:demo-user      - pattern: "^demo-[a-zA-Z]*"
  1. In practice, you can create two roles, or even just one, for a “project/team”.
  2. The pattern is a regular expression that matches the Jenkins jobs created for a project, so job names need to follow a regular, simple convention. One expression can match jobs owned by multiple projects. Refer to the “demo” project here.
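A quick way to check role patterns before saving them, as an added example that is not part of the original article: it tests the patterns mentioned above against constructed job names and reports jobs visible to another team's role and jobs that no role matches. It assumes the plug-in matches a pattern against the whole job name; the team labels, job names and helper names are hypothetical.

```python
import re

# Constructed sample data: role -> (owning team, job pattern). The patterns come
# from the article; team labels and job names are made up for illustration.
ROLES = {
    "demo-manager": ("demo", r"^demo-[a-zA-Z]*"),
    "demo-user":    ("demo", r"^demo-[a-zA-Z]*"),
    "dev-user":     ("dev",  r"dev.*"),
    "qa-user":      ("qa",   r".*test"),
}
JOBS = ["demo-build", "demo-deploy", "demo-api-2", "demo-test",
        "dev-build", "dev-test", "qa-smoke-test"]


def team_of(job):
    """Assumed naming convention: the team is the prefix before the first '-'."""
    return job.split("-", 1)[0]


def visible_jobs(pattern, jobs):
    """Jobs a role can see. Assumption: the pattern must match the whole job name."""
    rx = re.compile(pattern)
    return [j for j in jobs if rx.fullmatch(j)]


def audit(roles, jobs):
    """Return (cross_team, uncovered): cross-team visibility and jobs no role matches."""
    cross_team, covered = [], set()
    for role, (team, pattern) in roles.items():
        for job in visible_jobs(pattern, jobs):
            covered.add(job)
            if team_of(job) != team:
                cross_team.append((role, job))
    uncovered = [j for j in jobs if j not in covered]
    return cross_team, uncovered


if __name__ == "__main__":
    leaks, orphans = audit(ROLES, JOBS)
    for role, job in leaks:
        print(f"role {role} can see {job}, owned by team {team_of(job)}")
    for job in orphans:
        print(f"no role matches {job}")
```

With this sample data, “.*test” exposes demo-test and dev-test to the qa role, and demo-api-2 is matched by no role because “[a-zA-Z]*” does not cover the digit or the second hyphen.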

3.2 Assign roles to project/team members

With the following configuration, development team members can see only their “demo” projects.

Add users - LDAP

By default, Jenkins lets you add users manually; this is simple and is not explained here. The emphasis is on managing users centrally through the enterprise LDAP, which means that users do not need to be created again in Jenkins.

You need the LDAP plug-in. Configure it on the Configure Global Security page by entering your company’s internal LDAP service information.

Note:

  1. By default, Jenkins uses “Jenkins’ own user database”. Once you switch away from it, the current configuration data may be lost, so do not modify the configuration at will!

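  2. Before configuring LDAP, ensure that the admin permission of anonymous users is enabled. Otherwise, you will fail to log in. While that permission is enabled, anyone who can reach Jenkins has full control, so remove it again as soon as an LDAP account with admin rights can log in.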