Manage Jenkins Access and Roles with OpenID
Introduce Jenkins doesnāt seem to be necessary for me as this software is one of the usual in the continuous integration domain. When you are an organization with several teams and a shared Jenkins instance, you may need to separate them into dedicated workspaces to avoid configuration or job modifications by other teams.
Thatās what Jenkins role based access control is made for, but thatās not really simple to apprehend. Here is a tutorial to show you how to interface Jenkins with an OpenID Identity Provider that will manage users dans roles access.
The need
Letās assume we are a company with several dev teams using a shared Jenkins instance. This Jenkins is administered by a dedicated team that provides the CI:CD tools for the projects and ops teams.
The projects teams include the devs and integration team thatāll need to create continuous build, integration and deployment jobs for their applications. The projects team have a dedicated space in Jenkins.
The Ops teams are the infrastructure and applications maintainer that can execute deployment jobs, but donāt require to be able to create or modify a deploy job. As they are a shared team, they should have access to all deployment jobs.
Finally, the CICD team that maintains Jenkins will need an Admin access to it.
So, we can imagine the folowwing RBAC matrix :
| Team | Grants |
|---|---|
| Jenkins Admins | Admin |
| Project A | Read, write, and execute access on Project A folder |
| Project B | Read, write, and execute access on Project A folder |
| Ops | Execution access on deployment jobs |
We will see how to setup Jenkins in order to delegate the authentication to an Identity Provider (IDP) and assign roles related to the user.
To facilitate the implementation, Jenkins is organized with folders for each team.
We have three main folders in Jenkins. One for the Admins with their maintenance and specific jobs, one for each project team.
For each project, we have a āBUILDā folder that contains the application build jobs, and a āDEPLOYā folder that contains the deployment jobs. The Ops team may have access to each deployment job.
Setup and Identity Provider with Keycloak
Keycloak is a used to create an Identity Provider and enable Single Sign-On features using OpenID or SAML2 protocols. This article wonāt explain how Keycloak works because itās not the purpose and Iām not an expert on this specific subject. Iāll use it to illustrate how the access matrix is designed inside the identity provider.
For the demo requirement, we will create a new Realm in Keycloak thatāll contains our users and roles.
We add a new Client for Jenkins. In root url, you may paste the Jenkins Web GUI URL.
In the āInstallationā tab, we put on side the settings in Keycloak OICD JSON format in order to give it to Jenkins later.
Then, we create the roles inside the GarbageCollector realm.
- jenkins_adm : for Jenkins admins
- jenkins_access : will grant the ārealā right in Jenkins, weāll see this above
- jenkins_ops_execute : for the Ops team
- jenkins_project_a : for Project A team
- jenkins_project_b : for Project B team
Then, we create the users.
In the role tab, we assign the roles in the following way :
| User | Role |
|---|---|
| jenkins_admin | jenkins_adm |
| ops1 | jenkins_access, jenkins_ops_execute |
| projecta | jenkins_access, jenkins_project_a |
| projectb | jenkins_access, jenkins_project_b |
Why role jenkins_access ? Because Jenkins requires an āOverall/Readā role in order to give access to the GUI objects. The āadminā role is allowed to do it by design, but the other roles neer and Overall Read access to see the resources.
Create the RBAC matrix in Jenkins
First, we install some required plugins.
The first one is required to enable the Role Based Access Control matrix. The second one is to enable a simple keycloak connection with Jenkins. If you use another IDP, you may install the OpenId Connect Authentication plugin.
In Manage => Configure Global Security => Authorization, activate āRole-based strategyā, save it.
A new item appears in the manage screen : Manage and Assign Roles, open it.
Create the matrix
First, weāre going into the Manage Role section to create the access roles. As you can see, the global role āadminā already exists. We wonāt use it because weāll create our own.
Add ājenkins_admā with āOverall/Administerā role, and ājenkins_accessā with āOverall/Readā role.
This is for the global access, now letās create for item roles. If Global Roles grant rights for all the Jenkins instance, the Item Roles are more precise and allow to create a very detail matrix for folders or projects.
When we use folders, it becomes necessary to create a folder access right and a folder content management right to manage the resources inside it. This is required to create the expected access separation between Devs and Ops.
We had an item role to access Project A folder, then an Item Role to read, modify, execute its content, then only a read access for Ops. This means three items :
Useful tip, if you click on the Pattern, Jenkins returns the impacted items.
Good to know : You must always give a āReadā access to an object. If not, the item could not be visible to the user. In my screenshots Iāve forgot it, so the group couldnāt see anything !
We save and get the following result :
Again, the Admin role doesnāt require any specific rights, the Admin grant allows everything.
Assign the matrix
Now, go to the Assign Role screen. First, we assign the global roles ājenkins_admā and ājenkins_accessā.
The group name is important and must match the one present in the IDP !
Below, in the Item Roles, we assign the required rights for the ājenkins_ops_executeā, ājenkins_project_aā, ājenkins_project_bā roles.
Donāt forget to save ! We have the basics, now we can enable the OpenID authentication with Keycloak.
š” Please note that if you go back on the Assign screen you may see the items striped. Thatās because they donāt exist in Jenkins own database. Thatās normal, the IDP will provide them.
Activate the OpenID authentication
Go to Manbage => Global Configuration, then paste in the section āGlobal Keycloak Settingsā the JSON settings we saved earlier. If you lost it, you can find it in Keycloak in Clients => Jenkins => Installation, and selection Keycloak OICD JSON.
Now, go back to Manage, then Global Security and activate Keycloak authentication plugin.
Weāre now redirected to Keycloak in order to authenticate in Jenkins.
Tests
Iām connecting with ājenkins_adminā user, the instance Admin : I have the sames rights as the builtin āadminā user.
Yes, my ādark modeā addon is not enabled in private session.
Iām connecting with āproject_aā user, I see what I need to have.
Please note that the rights cannot allow me to create or modify objects inside the āPROJECT_Aā folder, only inside āBUILDā and āDEPLOYā. Of course, you can adapt what you want, itās just an example. š
Now Iām checking ops1 profile, I can see both projects but I canāt do anything else that using the deploy jobs.
Conclusion
VoilĆ ! I hope this article helped you to understand how the RBAC matrix works with Jenkins. Yes, this management can quickly become very heavy and difficult if you goes too far in details, so I would advice to avoid doing too much. You may use the Jenkins Configuration as Code plugin to manage it with YAML files or using the Helm chart if your Jenkins is hosted on Kubernetes.
If you walked around the RBAC screens, you may have seen the āRole macrosā and āNode itemsā parts. As today, Iāve never used these features.