I’m currently struggling with something (I guess) about the Authorize Project plugin.
First, here is our environment setup:
Jenkins: v2.387.1
Controller is deployed on Kubernetes and handled by ArgoCD.
Config set through JCasC
All our jobs are defined in pipelines in a github repo and created on Jenkins by a seed job.
Permissions are set using RBAC.
Access Control for Builds is activated with default to “Run as user who triggered build”
My issue:
We have a developer population that is allowed to modify jobs to be created (so in the specific GitHub repository) and we’d like them to be able to also run the seed job so it will properly update jobs whenever needed.
On their first tries, our developers hit the following issue:
“Missing Job/Create” permission.
Here are the permissions this group currently has:
authorizationStrategy:
  roleBased:
    roles:
      global:
        - name: "developers"
          assignments:
            - "team-developers"
          permissions:
            - "Overall/Read"
            - "Agent/Build"
      items:
        - name: "developers"
          pattern: "Job_DSL_Seed|<other_patterns>"
          assignments:
            - "team-developers"
          permissions:
            - "Job/Build"
            - "Job/Create"
            - "Job/Cancel"
            - "Job/Configure"
            - "Job/Discover"
            - "Job/Read"
            - "Job/Workspace"
I first thought that since the seed job creates all jobs, our developers would need to have “Job/Create” permission on all patterns.
So we changed the previous configuration (removed “Job/Create” from the above list) and added:
- name: "developers-seed"
  pattern: ".*"
  assignments:
    - "team-developers"
  permissions:
    - "Job/Create"
This didn’t change anything, still the same issue.
I then looked for another way to do this, and it seems advised to run the seed job as System, to avoid such issues.
I then changed our configuration to now have:
queueItemAuthenticator:
  authenticators:
    - project:
        disabledStrategies:
          - "org.jenkinsci.plugins.authorizeproject.strategy.SpecificUsersAuthorizationStrategy"
          - "org.jenkinsci.plugins.authorizeproject.strategy.TriggeringUsersAuthorizationStrategy"
          - "org.jenkinsci.plugins.authorizeproject.strategy.AnonymousAuthorizationStrategy"
        enabledStrategies:
          - "org.jenkinsci.plugins.authorizeproject.strategy.SystemAuthorizationStrategy"
    - global:
        strategy: "triggeringUsersAuthorizationStrategy"
Now, I’m able (through the UI) to change the default authorization of the seed job to be run as SYSTEM.
And it works.
My main issue here is: how can I set this up through a JCasC/DSL directive so that any time the Jenkins controller is rolled out for some reason I won’t have to set it back again manually?
I wasn’t able to find anything about this property, either in the config files or on the internet (in plugin code or anywhere). I’m probably not using the appropriate search terms.
Or is there any other way to achieve the same behaviour and let my developers be autonomous?
I’m surely missing something obvious but can’t figure out what.
NB: I know we could also trigger the seed job more often, but I’m not a fan of permanently running stuff as a workaround.
Any help would be appreciated.