One of the first enterprise plugins I wrote for CloudBees was our Role-based Access control plugin. Now I might be biased, it being my creation and all that, but I think it is one of the most powerful authorization strategies available for Jenkins. If you want to find out more about the plugin I would recommend looking at our documentation and the excellent webinar by Jesse Glick.
Anyway, one of the issues we hear customers mention is that they already have quite a complex configuration set up using one of the other authorization strategies and they don’t have the time to migrate… so while they want to get some of the features we have, they just don’t have the time to make the big switch.
Fear not: version 3.13 of the Role-based Access Control (RBAC) plugin now has your back (at least for the global matrix and project matrix authorization strategies).
You can start with your existing configuration (ok, for the screenshot below I just set up a very simple one):
Then if you select our role-based matrix authorization strategy and Jenkins is currently using a strategy that we know how to import, you will be given a list of options, for example:
In the above case you have three options:
- Leave the RBAC configuration as is (note that, unlike the other authorization strategies, our role-based matrix authorization strategy retains its configuration outside of the main security configuration. This means that you can try out other strategies and switch back to ours without loosing your hard work configuring it)
- When I took this screenshot I had the Project-based Matrix Authorization strategy active, that strategy is an extended version of the matrix-based security, so we can use the matrix-based security importer to just pull in the global security settings and ignore all the project based tweaks.
- Our final option lets us pull in the global and project security configuration from the Project-based Matrix Authorization strategy.
When you save or apply the new strategy, then the configuration will be imported.
NOTE: as the other strategies do not remember their configuration, you only get one shot at importing the configuration (unless you backup your $JENKINS_HOME/config.xml first)
I’m not even going to pretend that the resulting imported configuration is going to be anywhere close to pretty:
- The role names will be auto-generated (but we do try to find the consolidated set across everything)
- The local group names are even uglier
But the resulting effective configuration will be the exact same as your current configuration. You can then start to add the roles that you want, create the groups that you want and slowly tweak the configuration towards the configuration you desire.
Stephen Connolly has over 20 years experience in software development. He is involved in a number of open source projects, including Jenkins. Stephen was one of the first non-Sun committers to the Jenkins project and developed the weather icons. Stephen lives in Dublin, Ireland - where the weather icons are particularly useful. Follow Stephen on Twitter and on his blog.