
working groovy to enable and configure rbac according to rbac_config.… #118

Open: wants to merge 2 commits into base: master
Conversation

@philbert (Contributor) commented Dec 5, 2019

This groovy script enables RBAC in Cloudbees Core, and creates roles with permissions as described in the file rbac_config.yaml.

The groovy will also remove any permissions and attempt to remove roles that are not in the yaml, so it should be used with caution!

It's been verified to work on Cloudbees Core 2.190.2.2 and nectar-rbac 5.25.

@carlosrodlop (Contributor) commented Dec 5, 2019

This groovy script enables RBAC in Cloudbees Core and creates roles with permissions as described in the file rbac_config.yaml.

Clarification request: It only creates Roles. Does it not create RBAC groups?

Ideally, I will merge once the full workflow is done and you are able to create the Groups too. WDYT?

@philbert (Contributor, Author) commented Dec 5, 2019

This groovy script enables RBAC in Cloudbees Core and creates roles with permissions as described in the file rbac_config.yaml.

Clarification request: It only creates Roles. Does it not create RBAC groups?

Yes, I should have mentioned that it creates groups at the root location as well. You can see it in the rbac_config.yaml here:

https://github.com/cloudbees/jenkins-scripts/pull/118/files#diff-9cb32757be40113a7a678af47b25d6f4

The included config is only intended to manage the group for "administrators" because we will need a separate config for managing all other groups and memberships in the node hierarchy.

@philbert philbert closed this Dec 5, 2019
@philbert philbert reopened this Dec 5, 2019
@philbert philbert requested a review from carlosrodlop December 5, 2019 15:08
Description: Enable and configure RBAC roles, permissions and root groups in Cloudbees Core
Requirements:
file /tmp/rbac_config.yaml (see included example)
Scope: Cloudbees Jenkins Operations Center
@carlosrodlop (Contributor) commented Dec 10, 2019:

Suggested change
Scope: Cloudbees Jenkins Operations Center
Scope: CloudBees Jenkins Operations Center. Prior to Jenkins Configuration as Code (JCaC) support for CloudBees Jenkins Operation Center (JOC).

@carlosrodlop (Contributor) commented Dec 10, 2019

The script uses certain pre-requisites that are not specified. Running the script in the mentioned product and version (CloudBees Jenkins Operations Center 2.190.2.2-rolling), configured as:

  • Security Realm - Jenkins’ own user database
  • Authorization - Anyone can do anything

I am hitting the following error, running the script in the Script Console ($JOC_URL/script):

Existing non-admin group found: Group{name='admins', parent=nectar.plugins.rbac.groups.RootProxyGroupContainer@41dca8cc, roles=[administrator], members=[admin]}
Existing non-admin group found: Group{name='devs', parent=nectar.plugins.rbac.groups.RootProxyGroupContainer@41dca8cc, roles=[developer], members=[developer]}
hudson.security.AccessDeniedException2: anonymous is missing the Group/Manage permission
	at hudson.security.ACL.checkPermission(ACL.java:73)
	at nectar.plugins.rbac.groups.Group.checkPermission(Group.java:1755)
	at nectar.plugins.rbac.groups.Group.doGrantRole(Group.java:1601)
	at nectar.plugins.rbac.groups.Group$doGrantRole$1.call(Unknown Source)

I assume that you cannot run it as anonymous and you need some sort of RBAC configuration initially.

Since: December 2019
Description: Enable and configure RBAC roles, permissions and root groups in Cloudbees Core
Requirements:
file /tmp/rbac_config.yaml (see included example)
@carlosrodlop (Contributor) commented Dec 11, 2019:

Add here in requirements: admin user or whatever else is needed.

@carlosrodlop (Contributor) commented Dec 11, 2019

After digging into the issue, it seems that it needed an admin user. I have added that comment here.

The following configuration has been used to test the script. The admin user is logged in.

  • Manage Jenkins > Security Configuration (screenshot: SecurityConfiguration; see Mock Security Realm - Jenkins plugin)
  • Roles (screenshot: roles)
  • RBAC groups (screenshot: RBAC-groups)

The error looks as follows:

Result
Existing non-admin group found: Group{name='admins', parent=nectar.plugins.rbac.groups.RootProxyGroupContainer@5c5ae379, roles=[administrator], members=[admin]}
Existing non-admin group found: Group{name='devs', parent=nectar.plugins.rbac.groups.RootProxyGroupContainer@5c5ae379, roles=[developer], members=[developer]}
ignoring hudson.security.Permission.FullControl
ignoring hudson.security.Permission.GenericRead
ignoring hudson.security.Permission.GenericWrite
ignoring hudson.security.Permission.GenericCreate
ignoring hudson.security.Permission.GenericUpdate
ignoring hudson.security.Permission.GenericDelete
ignoring hudson.security.Permission.GenericConfigure
allPermissions: 
hudson.model.Hudson.Administer
hudson.model.Hudson.Read
hudson.model.Hudson.RunScripts
hudson.model.Hudson.UploadPlugins
hudson.model.Hudson.ConfigureUpdateCenter
hudson.model.Computer.Configure
hudson.model.Computer.ExtendedRead
hudson.model.Computer.Delete
hudson.model.Computer.Create
hudson.model.Computer.Disconnect
hudson.model.Computer.Connect
hudson.model.Computer.Build
hudson.model.Computer.Provision
nectar.plugins.rbac.groups.Group.Configure
nectar.plugins.rbac.groups.Group.View
nectar.plugins.rbac.groups.Group.Create
nectar.plugins.rbac.groups.Group.Manage
nectar.plugins.rbac.groups.Group.Delete
nectar.plugins.rbac.roles.Role.View
nectar.plugins.rbac.roles.Role.Filter
jenkins.metrics.api.Metrics.View
jenkins.metrics.api.Metrics.ThreadDump
jenkins.metrics.api.Metrics.HealthCheck
com.cloudbees.jenkins.support.SupportPlugin.DownloadBundle
hudson.model.Item.Create
hudson.model.Item.Delete
hudson.model.Item.Configure
hudson.model.Item.Read
hudson.model.Item.Discover
hudson.model.Item.ExtendedRead
hudson.model.Item.Build
hudson.model.Item.Workspace
hudson.model.Item.WipeOut
hudson.model.Item.Cancel
com.cloudbees.plugins.credentials.CredentialsProvider.UseOwn
com.cloudbees.plugins.credentials.CredentialsProvider.UseItem
com.cloudbees.plugins.credentials.CredentialsProvider.Create
com.cloudbees.plugins.credentials.CredentialsProvider.Update
com.cloudbees.plugins.credentials.CredentialsProvider.View
com.cloudbees.plugins.credentials.CredentialsProvider.Delete
com.cloudbees.plugins.credentials.CredentialsProvider.ManageDomains
hudson.model.Item.Move
hudson.scm.SCM.Tag
hudson.model.Run.Delete
hudson.model.Run.Update
hudson.model.Run.Artifacts
hudson.model.View.Create
hudson.model.View.Delete
hudson.model.View.Configure
hudson.model.View.Read
hudson.model.Item.Request
hudson.model.Computer.Secure
com.cloudbees.jenkins.plugin.metrics.views.Alerter.View
com.cloudbees.jenkins.plugin.metrics.views.Alerter.Mute
hudson.model.Item.Promote
com.cloudbees.plugins.updatecenter.UpdateCenter.Configure
com.cloudbees.plugins.updatecenter.UpdateCenter.Upload
com.cloudbees.plugins.updatecenter.UpdateCenter.Promote
com.cloudbees.plugins.updatecenter.UpdateCenter.Store
com.cloudbees.opscenter.server.model.ClientMaster.Configure
com.cloudbees.opscenter.server.model.ClientMaster.Lifecycle
rolesToAdd = [cjoc_admin, mm_admin, power_user, regular_user]
rolesToRemove = [administrator, developer]
hudson.security.AccessDeniedException2: admin is missing the Overall/Administer permission
	at hudson.security.ACL.checkPermission(ACL.java:73)
	at hudson.security.AccessControlled.checkPermission(AccessControlled.java:47)
	at nectar.plugins.rbac.roles.Role.doRevokePermissions(Role.java:228)
	at nectar.plugins.rbac.roles.Role$doRevokePermissions$1.call(Unknown Source)
	at Script1$_deleteRole_closure2.doCall(Script1.groovy:58)
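The two traces in this thread fail part-way through a run that has already started revoking permissions and deleting roles. As an added illustration (not part of this PR or the script under review), a preflight check like the following, run at the top of the script console session, reports every unmet prerequisite before anything is mutated; it assumes the config path from the script header and that the RBAC plugin's short name is nectar-rbac.

```groovy
import groovy.transform.Field
import jenkins.model.Jenkins
import hudson.security.ACL

// Path taken from the script header quoted in this PR ("file /tmp/rbac_config.yaml").
@Field final String CONFIG_PATH = '/tmp/rbac_config.yaml'
// Assumed short name of the CloudBees RBAC plugin mentioned in the PR (nectar-rbac 5.25).
@Field final String RBAC_PLUGIN_ID = 'nectar-rbac'

/**
 * Collect every unmet prerequisite before any role or group is touched.
 * Returns an empty list when the script may proceed.
 */
List<String> rbacPreflight(String configPath = CONFIG_PATH) {
    Jenkins jenkins = Jenkins.get()
    List<String> problems = []

    // 1. Who is running the script console? The first trace above
    //    ("anonymous is missing the Group/Manage permission") is this case.
    def auth = Jenkins.getAuthentication()
    if (ACL.isAnonymous(auth)) {
        problems << 'Script is running as anonymous; log in as an administrator first.'
    }

    // 2. Overall/Administer is required to grant and revoke role permissions
    //    (Role.doRevokePermissions checks it, as in the second trace).
    if (!jenkins.hasPermission(Jenkins.ADMINISTER)) {
        problems << "User '${auth.name}' lacks Overall/Administer."
    }

    // 3. The RBAC plugin must be installed and active, otherwise the
    //    nectar.plugins.rbac.* classes the script uses cannot be resolved.
    def rbac = jenkins.pluginManager.getPlugin(RBAC_PLUGIN_ID)
    if (rbac == null || !rbac.isActive()) {
        problems << "Plugin '${RBAC_PLUGIN_ID}' is not installed or not active."
    }

    // 4. The YAML describing the desired roles and groups must be readable.
    File cfg = new File(configPath)
    if (!cfg.isFile() || !cfg.canRead()) {
        problems << "Config file ${configPath} is missing or unreadable."
    }
    return problems
}

// Abort with every problem listed instead of failing half-way through.
List<String> problems = rbacPreflight()
if (problems) {
    throw new IllegalStateException('RBAC preflight failed:\n - ' + problems.join('\n - '))
}
println 'RBAC preflight passed; safe to apply rbac_config.yaml'
```

Note that the second trace shows rolesToRemove containing administrator, the role held by the admins group the running admin user belongs to, so even a user who passes this check can lose Overall/Administer mid-run; the role or group the executing user depends on needs to be excluded from removal as well.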
