Set up Authorization

This document explains how to configure authorization mechanisms supported by Carthago Operator for Jenkins.
Authorization mechanisms listed below are unavailable in the free plan.

Create a user

To assign permissions, you first need a set of users available in Jenkins. We highly recommend using one of the provided authentication strategies.

Matrix-based Authorization

Before creating an authorization custom resource, you need to install matrix-plugin. The Carthago Operator will look for its declaration in the Jenkins Custom Resource.

Create Resource in Carthago Operator

Prepare a Custom Resource with Matrix-based authorization. Provide a list of users with permissions.

The carthago username is used by the Operator itself. Because of that, the Operator will prevent any Custom Resource that modifies the permissions of the carthago user from being applied.

apiVersion: carthago.cloud/v1beta1
kind: JenkinsAuthorization
metadata:
  name: matrix-example
  namespace: default
  labels:
    carthago.cloud/jenkins: example
spec:
  type: matrix
  matrix:
    users:
      - name: user-example
        permissions:
          - Overall/Read

Create it in Kubernetes:

$ kubectl apply -f matrx-authz.yaml 

Next, check that all permissions were successfully granted to all users. You can verify this in the “Configure Global Security” tab in Jenkins settings.

Role-based Authorization Strategy

Define roles and assign users.

To use the Role-based Authorization Strategy, you need to install the role-strategy plugin. The Carthago Operator will look for its declaration in the Jenkins Custom Resource.

Create Resource in Carthago Operator

Below is an example JenkinsAuthorization Custom Resource. You need to specify the type of authorization strategy and define the roles. Each role must have a unique name, its permissions, and the users or groups to which it will be assigned.

apiVersion: carthago.cloud/v1beta1
kind: JenkinsAuthorization
metadata:
  name: role-example
  namespace: default
  labels:
    carthago.cloud/jenkins: example
spec:
  type: roleBased
  roleBased:
    roles:
      - name: reader
        permissions:
          - Overall/Read
        usersOrGroups:
          - anonymous
      - name: job-creator
        permissions:
          - Job/Create
          - Job/Read
        usersOrGroups:
          - Martin
          - Diana

Create it in Kubernetes:

$ kubectl apply -f role-authorization.yaml 

The newly created roles can be found in the UI.
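The rules stated above for both resource types (the reserved carthago user in the matrix section, unique role names with permissions and members in the role-based section) can be checked before running kubectl apply. The following is an added example, not code from Carthago Operator: lint_authorization is a hypothetical helper that takes an already-parsed manifest as a dict, and the limit on what anonymous may hold is an assumed local policy, not an Operator rule.

```python
RESERVED_USER = "carthago"       # from the page: used by the Operator itself
ANON_ALLOWED = {"Overall/Read"}  # assumption: local policy, not an Operator rule


def _anon(principal, perms, where):
    # Report every permission granted to anonymous beyond the allowed set.
    extra = sorted(set(perms) - ANON_ALLOWED) if principal == "anonymous" else []
    return [f"{where}: anonymous granted {p}" for p in extra]


def lint_authorization(manifest):
    """Return a list of findings; an empty list means no issue was found."""
    spec = manifest.get("spec") or {}
    findings = []
    if spec.get("type") == "matrix":
        for user in (spec.get("matrix") or {}).get("users") or []:
            name, perms = user.get("name", ""), user.get("permissions") or []
            if name == RESERVED_USER:
                findings.append("matrix: entry for reserved user 'carthago'")
            findings += _anon(name, perms, "matrix")
    elif spec.get("type") == "roleBased":
        seen = set()
        for role in (spec.get("roleBased") or {}).get("roles") or []:
            name = role.get("name", "")
            perms = role.get("permissions") or []
            members = role.get("usersOrGroups") or []
            if name in seen:
                findings.append(f"roleBased: duplicate role name {name!r}")
            seen.add(name)
            if not perms or not members:
                findings.append(f"role {name!r}: missing permissions or usersOrGroups")
            for member in members:
                findings += _anon(member, perms, f"role {name!r}")
    else:
        findings.append(f"unknown spec.type {spec.get('type')!r}")
    return findings


# Constructed sample: the role-based example with two deliberate mistakes.
SAMPLE = {
    "kind": "JenkinsAuthorization",
    "spec": {"type": "roleBased", "roleBased": {"roles": [
        {"name": "reader", "permissions": ["Overall/Read", "Job/Create"],
         "usersOrGroups": ["anonymous"]},
        {"name": "reader", "permissions": ["Job/Read"], "usersOrGroups": ["Martin"]},
    ]}},
}

if __name__ == "__main__":
    print("\n".join(lint_authorization(SAMPLE)))
```
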