During my Google Summer of Code Project,
I have created the brand new Folder Auth Plugin for easily
managing permissions to projects organized in folders from the Folders plugin.
This new plugin is designed for fast permission checks with easy-to-manage roles.
The 1.0 version of the plugin has just been released and can be downloaded
from your Jenkins’ Update center.
This plugin was inspired by the Role Strategy Plugin
and brings about performance improvements and makes managing roles much easier.
The plugin was developed to overcome performance limitations of the Role Strategy
plugin on a large number of roles. At the same time, the plugin addresses one
of the most popular ways of organizing projects in Jenkins, through folders.
The plugin also has a new UI with more improvements to come in the future.
The plugin supports three types of roles which are applicable at different places
- Global Roles: applicable everywhere in Jenkins
- Agent Roles: restrict permissions for multiple agents connected to your instance
- Folder Roles: applicable to multiple jobs organized inside folders
This plugin, unlike the Role Strategy plugin, does not use regular expressions
for finding matching projects and agents giving us performance improvements
and makes administrators’ lives easier. To reduce the number of roles required
to be managed, permissions given to a folder through a folder role get inherited
to all of its children. This is useful for giving access to multiple projects
through a single role. Similarly, an agent role can be applied to multiple agents
and assigned to multiple users.
This plugin is designed to outperform Role Strategy Plugin in permission
checks. The improvements were measured using the
I had created during the first phase of my GSoC project.
Benchmarks for identical configurations for both plugin show that the
permissions check are up to 934x faster for 500 global roles when compared to
the global roles from the Role Strategy 2.13, which in itself contains several
performance improvements. Comparing folder roles with Role Strategy’s project
roles, a permission check for access to a job almost 15x faster for 250 projects
organized in two-level deep folders on an instance with 150 users. You can see
the benchmarks and the result comparisons
The plugin supports Jenkins Configuration-as-Code so you can configure permissions
without going through the Web UI. A YAML configuration looks like this:
jenkins: authorizationStrategy: folderBased: globalRoles: - name: "admin" permissions: - id: "hudson.model.Hudson.Administer" # ... sids: - "admin" - name: "read" permissions: - id: "hudson.model.Hudson.Read" sids: - "user1" folderRoles: - folders: - "root" name: "viewRoot" permissions: - id: "hudson.model.Item.Read" sids: - "user1" agentRoles: - agents: - "agent1" name: "agentRole1" permissions: - id: "hudson.model.Computer.Configure" - id: "hudson.model.Computer.Disconnect" sids: - "user1"
The plugin provides REST APIs for managing roles with OpenAPI specifications
through Swagger.json. You can check out the Swagger API on
SwaggerHub provides stubs in multiple languages which can be downloaded and
used to interact with the plugin. You can also see some sample requests from
the command line using curl.
In the (not-too-distant) future, I would like to work on improving the UI and
make the plugin easier to work with. I would also like to work on improving the
APIs, documentation and more optimizations for improving the plugin’s performance.
Originally posted on Jenkins Blog