JEP-225: Folders-based access control layer for any credentials provider #266
Just putting this up early, so that it exists somewhere, and we have a reference point to discuss it. At this point in time the only thing I need is a JEP number - I have assumed 401 but that's not necessarily right.
JEP-401 and JEP-404 are kept for special occasions :)
Speaking seriously, 4xx was supposed to be used for Jenkins X, but it is no longer relevant since JX is not a separate project.
I would suggest JEP-225
@oleg-nenashev who would be an appropriate BDFL for this?
looping in @jvz since he expressed interest on the mailing list
There are a couple of existing components that provide a generic ACL already:
I am thinking that rather than implement the JEP as a self-contained ACL within the folders plugin, we would get a much more powerful result if we made the generic ACLs aware of folders and credentials as concepts (objects?). Any standard ACL rule could then apply restrictions on these objects, and the rules would be composable with any other rules.
@chriskilding sorry for missing the comments here. I would recommend using the Developer Mailing list for the technical discussion, not the JEP pull request (see the JEP-1 recommendations). Regarding the BDFL delegate, I would rather recommend somebody from the Jenkins Security team. Maybe @daniel-beck could make a better suggestion
A number is allocated by maintainers if and when the PR is merged. Pointless to guess at it now.
jep/225/README.adoc
Outdated
- "Only jobs in folders 'foo' and 'bar' can access credential 'baz'". | ||
- "All jobs can access [global] credential 'qux'". | ||
|
||
This proposal genericises and supersedes the folder-based credentials ACL in the link:https://plugins.jenkins.io/cloudbees-folder[Cloudbees Folders plugin]. |
the folder-based credentials ACL
There is no such thing currently. Perhaps you meant
This proposal genericises and supersedes the folder-based credentials ACL in the link:https://plugins.jenkins.io/cloudbees-folder[Cloudbees Folders plugin]. | |
This proposal genericises and supersedes the folder-based credentials storage in the link:https://plugins.jenkins.io/cloudbees-folder[Cloudbees Folders plugin]. |
If a credential is stored in FoldersCredentialProvider, only jobs in the respective folder can use it. I would see this as a very simplistic form of access control over credentials (albeit with only one kind of rule).
We do not have other JEPs in the queue at the moment, so it is not a problem IMHO
Co-Authored-By: Jesse Glick <[email protected]>
@chriskilding Hi, are you still interested in it? Do you have enough information to proceed?
I'm juggling a few other PRs at the moment which are higher priority for our teams, but yes the plan is to keep going with this. Probably the biggest thing I need to proceed is a clear overview of the main ACL systems which would be changed as part of this feature. We started working that out on the mailing list but it's a bit hazy atm.
If someone that knows more about the core would be willing to give us a walkthrough via zoom, that would probably jumpstart this learning.
Any volunteers 😊?
From: Chris Kilding <[email protected]>
Reply-To: jenkinsci/jep <[email protected]>
Date: Wednesday, March 4, 2020 at 7:54 AM
To: jenkinsci/jep <[email protected]>
Cc: Jeff Pearce <[email protected]>, Comment <[email protected]>
Subject: Re: [jenkinsci/jep] JEP-225: Folders-based access control layer for any credentials provider (#266)
I'm juggling a few other PRs at the moment which are higher priority for our teams, but yes the plan is to keep going with this.
Probably the biggest thing I need to proceed is a clear overview of the main ACL systems which would be changed as part of this feature. We started working that out on the mailing list but it's a bit hazy atm.
@jeffpearce It is better to discuss such topics and organize walkthroughs in the developer mailing list
@chriskilding @jeffpearce Hi, are you still interested in this JEP?
Hi Oleg, I've been taken off to work on other things for the moment but I may come back to this in the future.
225 is currently pending for jenkinsci#266 so I am skipping over it
@chriskilding still interested? 😄