Set up Authorization
This document explains how to configure authorization mechanisms supported by Carthago Operator for Jenkins.
Authorization mechanisms listed below are unavailable in the free plan.
To assign permissions, you first need a set of users and/or groups available in Jenkins. We highly recommend using one of the provided Authentication strategies.
Before creating a JenkinsAuthorization CR (Custom Resource), you need to install matrix-plugin. The Carthago Operator will look for its declaration in the Jenkins Custom Resource.
Prepare a Custom Resource with Matrix-based authorization. Provide a list of users and groups with permissions.
The carthago username is used by the Operator itself. Because of that, the Operator will prevent any Custom Resource that modifies the permissions of the carthago user from being applied.
apiVersion: carthago.cloud/v1beta1
kind: JenkinsAuthorization
metadata:
  name: matrix-example
  namespace: default
  labels:
    carthago.cloud/jenkins: example
spec:
  type: matrix
  matrix:
    users:
      - name: user-example
        permissions:
          - Overall/Administer
      - name: group-example
        permissions:
          - Overall/Read
Create it in Kubernetes:
$ kubectl apply -f matrix-authz.yaml
Next, check whether all permissions were successfully granted to all users. You can verify this in the “Configure Global Security” tab in Jenkins settings.
Define roles and assign users.
To use the Role-based Authorization Strategy, you need to install the role-strategy plugin. The Operator will look for its declaration in the Jenkins CR (Custom Resource).
Below is an example JenkinsAuthorization CR. You need to specify the type of authorization strategy and define the roles. Each role must have a unique name, the corresponding permissions, and the users or groups to which it will be assigned.
apiVersion: carthago.cloud/v1beta1
kind: JenkinsAuthorization
metadata:
  name: role-example
  namespace: default
  labels:
    carthago.cloud/jenkins: example
spec:
  type: roleBased
  roleBased:
    roles:
      - name: reader
        permissions:
          - Overall/Read
        usersOrGroups:
          - anonymous
      - name: job-creator
        permissions:
          - Job/Create
          - Job/Read
        usersOrGroups:
          - Martin
          - Diana
Create it in Kubernetes:
$ kubectl apply -f role-authorization.yaml
Newly created roles can be found in the UI.
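A pre-apply review of the matrix and role-based Custom Resources described above, as an added example that is not part of the Carthago documentation or the Operator's code: it flags entries that touch the reserved carthago user, incomplete or duplicate entries, and grants to Jenkins' built-in anonymous and authenticated identities. The function names, severity labels and dict-shaped samples are assumptions made for this example; a real manifest would first be loaded with a YAML parser.

```python
RESERVED_USER = "carthago"  # used by the Operator itself, per the page
ADMIN = "Overall/Administer"
BROAD = {"anonymous", "authenticated"}  # Jenkins built-in identities

def entries(cr):
    """Yield (name, principals, permissions) for either authorization type."""
    spec = cr.get("spec", {})
    if spec.get("type") == "matrix":
        for u in spec.get("matrix", {}).get("users", []):
            yield u.get("name", ""), [u.get("name", "")], u.get("permissions", [])
    elif spec.get("type") == "roleBased":
        for r in spec.get("roleBased", {}).get("roles", []):
            yield r.get("name", ""), r.get("usersOrGroups", []), r.get("permissions", [])
    else:
        raise ValueError(f"unsupported spec.type: {spec.get('type')!r}")

def lint(cr):
    """Return review findings for a parsed JenkinsAuthorization CR (hypothetical helper)."""
    findings, seen = [], set()
    for name, who, perms in entries(cr):
        if not (name and who and perms):
            findings.append(f"ERROR {name or '<unnamed>'}: incomplete entry")
        if name in seen:  # role names must be unique; for matrix this is a hygiene check
            findings.append(f"ERROR {name}: duplicate name")
        seen.add(name)
        if RESERVED_USER in who:
            findings.append(f"ERROR {name}: changes '{RESERVED_USER}', Operator will refuse the CR")
        broad = sorted(BROAD.intersection(who))
        if broad and ADMIN in perms:
            findings.append(f"ERROR {name}: {ADMIN} granted to {broad}")
        elif broad:  # surfaced for review, e.g. anonymous read access
            findings.append(f"WARN {name}: {sorted(perms)} granted to {broad}")
        elif ADMIN in perms:
            findings.append(f"INFO {name}: {ADMIN} granted to {sorted(who)}")
    return findings

# Constructed samples: the spec sections of the page's two CRs, plus one bad CR.
MATRIX_CR = {"spec": {"type": "matrix", "matrix": {"users": [
    {"name": "user-example", "permissions": ["Overall/Administer"]},
    {"name": "group-example", "permissions": ["Overall/Read"]}]}}}
ROLE_CR = {"spec": {"type": "roleBased", "roleBased": {"roles": [
    {"name": "reader", "permissions": ["Overall/Read"], "usersOrGroups": ["anonymous"]},
    {"name": "job-creator", "permissions": ["Job/Create", "Job/Read"],
     "usersOrGroups": ["Martin", "Diana"]}]}}}
BAD_CR = {"spec": {"type": "matrix", "matrix": {"users": [
    {"name": "carthago", "permissions": ["Overall/Read"]},
    {"name": "anonymous", "permissions": ["Overall/Administer"]}]}}}

if __name__ == "__main__":
    print(lint(MATRIX_CR), lint(ROLE_CR), lint(BAD_CR), sep="\n")
```

Running the check in CI before `kubectl apply` gives a reviewable record of every administrator grant and every permission exposed to unauthenticated users.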