每个分支基于作业的安全性-Jenkins Multibranch管道 [英] Job based security per branch - Jenkins Multibranch pipeline

问题描述

我有一个用于构建工件的Jenkins多分支管道，并且有master，*-dev等分支.

I have a Jenkins multi-branch pipeline for building artifacts and there are branches for master, *-dev etc.

我想基于每个分支启用基于项目的安全性，即仅允许开发人员运行构建的*-dev分支作业，而不能运行其他任何作业，因为这样做会产生不良影响.

I want to enable project based security on a per branch basis, ie only allow devs to run the *-dev branch jobs of the build not any other ones because doing so would have undesirable effects.

我知道有基于项目的安全性，但是每个分支都没有.是否存在?我们在更新Jenkins方面落后，目前正在运行Jenkins 2.46.1.

I know there is project based security, but I didn't see any per branch. Does this exist? We are behind in updating Jenkins and are currently running Jenkins 2.46.1.

否则，我想我可能必须有一个单独的上游作业才能调用下游作业的正确分支，并使具有特权的下游工件作业无法由开发人员运行. (这听起来像是过分杀伤力).

Otherwise I am thinking I might have to have a separate upstream job to call the correct branch of the downstream one and make the downstream artifact job unable to be run by devs with the privilege to do so. (This sounds like overkill).

或者在分支的Jenkinsfile中有什么方法可以做到这一点?

Or is there any way to accomplish this in the branch's Jenkinsfile?

推荐答案

以下是一些Jenkinsfile常规方法，可以使您接近所需的内容:

Here's some Jenkinsfile groovy that will get you close to what you want:

// return the user id that caused this build; else empty string
@NonCPS
def user_id_cause() {
    def CAUSE = currentBuild.rawBuild.getCause(
        hudson.model.Cause.UserIdCause.class
    );
    return CAUSE ? CAUSE.getUserId() : "";
}

// return all groups to which the given user id belongs
@NonCPS
def groups(USER_ID) {
    return Jenkins.instance.securityRealm.loadUserByUsername(USER_ID).authorities.collect{ it.toString() };
}

...

env.USER_ID_CAUSE = user_id_cause();
if (!env.BRANCH_NAME.endsWith('-dev')) {
    if (env.USER_ID_CAUSE) {
        if ('jenkins_admins' in groups(env.USER_ID_CAUSE)) {
            echo("INFO: user id `${env.USER_ID_CAUSE}` is in the group `jenkins_admins`.");
        } else {
            currentBuild.result = 'ABORTED';
            error("user id `${env.USER_ID_CAUSE}` is not in the group `jenkins_admins`.");
        }
    }
}

注意事项:

• 这些技巧在很大程度上依赖于需要詹金斯管理员进行进程内脚本批准"的API函数.
• 上面的示例假定特权用户所属的jenkins_admins组的存在---您的用户/组的情况可能大不相同.
• 通常，应使用在@NonCPS-带注释的函数中播放从Jenkins API函数返回的对象-否则，您将承担java.io.NotSerializableException的风险.

• These tricks rely heavily on API functions that require "In-process Script Approval" by a Jenkins administrator.
• The above example assumes the existence of the jenkins_admins group to which privileged users belong --- your user/groups situation may be very different.
• In general, playing with objects returned from Jenkins API functions should be done within @NonCPS-annotated functions --- you risk java.io.NotSerializableException otherwise.

参考文献:

• https://github.com/jenkinsci/workflow -cps-plugin/blob/master/README.md
• http://javadoc.jenkins-ci.org/hudson /model/Cause.UserCause.html
• http://javadoc. jenkins-ci.org/hudson/model/Run.html#getCause-java.lang.Class-
• http://javadoc.jenkins. io/hudson/security/SecurityRealm.html#loadUserByUsername-java.lang.String-

• https://github.com/jenkinsci/workflow-cps-plugin/blob/master/README.md
• http://javadoc.jenkins-ci.org/hudson/model/Cause.UserCause.html
• http://javadoc.jenkins-ci.org/hudson/model/Run.html#getCause-java.lang.Class-
• http://javadoc.jenkins.io/hudson/security/SecurityRealm.html#loadUserByUsername-java.lang.String-

这篇关于每个分支基于作业的安全性-Jenkins Multibranch管道的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！