-
New Feature
-
Resolution: Fixed
-
Major
It would be nice if the administrator could for each configuration file define users and groups that would be able to edit it.
[JENKINS-12114] Flexible file editing permissions
Chris Brookes
added a comment - Being able to add/change config files without having to be an administrator would be useful. Currently, you have to have Overall/Administer permission to edit the files. I don't want to have to give everybody administrator access just so they can create config files when setting up jobs.
Chris Brookes
added a comment - Being able to add/change config files without having to be an administrator would be useful. Currently, you have to have Overall/Administer permission to edit the files. I don't want to have to give everybody administrator access just so they can create config files when setting up jobs. 
Daniel Mueller
added a comment - since we now have config files for folders, I also think this would be the logical next step. any plans?
Daniel Mueller
added a comment - since we now have config files for folders, I also think this would be the logical next step. any plans? Daniel Mueller
added a comment - I have a meeting in a few days to discuss our jenkins setup. This ticket is the last missing piece of the puzzle which would allow us to use just one jenkins master with independant regional or peoject folders (own config files, own credentials). My plan is to get some budget to implement this feature. I'll let you know if and when we can start to work on this.
Daniel Mueller
added a comment - I have a meeting in a few days to discuss our jenkins setup. This ticket is the last missing piece of the puzzle which would allow us to use just one jenkins master with independant regional or peoject folders (own config files, own credentials). My plan is to get some budget to implement this feature. I'll let you know if and when we can start to work on this. Daniel Mueller
added a comment - imod I have implemented a fix for this, seems too simple to be true, I will create a pull request, have a look and let me know if its any good.
basically instead of asking for overall ADMINISTER permissions, I ask for folder.checkPermission(Job.CONFIGURE). Using the role strategy plugin, I was able to grant/deny edit config files within a folder.
Daniel Mueller
added a comment - imod I have implemented a fix for this, seems too simple to be true, I will create a pull request, have a look and let me know if its any good.
basically instead of asking for overall ADMINISTER permissions, I ask for folder.checkPermission(Job.CONFIGURE). Using the role strategy plugin, I was able to grant/deny edit config files within a folder. Code changed in jenkins
User: daniel.mueller
Path:
src/main/java/org/jenkinsci/plugins/configfiles/folder/FolderConfigFileAction.java
src/main/resources/org/jenkinsci/plugins/configfiles/folder/FolderConfigFileAction/configfiles.jelly
http://jenkins-ci.org/commit/config-file-provider-plugin/0b821aa0879c9ed7298cbd7fb5fd81b38ba324a6
Log:
#refs JENKINS-12114: allow manage (CRUD) config files on folders without the requirement of the global ADMINISTER permission. it requires Job.CONFIGURE permission (Folder=Job)
I would rather suggest an integration with the Folders plugin, so that you could define configuration files within a folder that would then be offered only to jobs inside that folder (or a subfolder). Only people with configuration permission on the folder would be allowed to see and edit these files, so there is no need for this plugin to care about users and groups: it can just pick that up from the general authorization strategy. And of course you get proper scoping of config files, important in a big installation.
Compare com.cloudbees.hudson.plugins.folder.properties.FolderCredentialsProvider.