• New Feature
    • Resolution: Unresolved
    • Critical
    • core
    • None

      The authorize-project plugin is difficult to use because it requires actual users to run builds as.
      It can easily conflict with administrators' policies:

      • Administrators might not want to use an actual user for managing authorizations of builds.
        • E.g. Alice and Bob belong to a DevOps team. They want to run a project with the authorization of DevOps, but not of Alice or Bob, because it might cause problems when they quit the job.
        • This can be resolved by defining a non-actual user used only to manage authorizations of builds.
      • Administrators don't want to define, or can't define, non-actual users.
        • This can be the case especially when they use an external authentication system (such as Active Directory).

      This can be resolved by introducing a feature to define non-actual users, just like built-in users such as ANONYMOUS and SYSTEM.

      • They cannot be used to log in to Jenkins. (They don't have passwords.)
      • They have permissions. That is, AuthorizationStrategy should handle them as they handle actual users.

      It might be a feature of the authorize-project plugin, Jenkins core, or maybe a brand-new plugin.

          [JENKINS-38257] Feature to define non-actual user

          Jesse Glick added a comment -

          Not possible without significant changes in core, I think; see discussion in JENKINS-32596.


          Jenkins 2.176.1 LTS now includes JENKINS-24513, which warns about builds running as SYSTEM. But virtual users are difficult to define when Jenkins is using SAML Plugin against Microsoft's AD FS.

          I wonder if, instead of the "significant changes" in JENKINS-32596, this could be implemented:

          • as a security realm wrapper plugin that lets the admin select an inner security realm for the real users and define some additional virtual users,
          • or as a composite security realm plugin that lets the admin select two or more inner security realms, one of which could then be Jenkins’ own user database.


          Jesse Glick added a comment -

          a composite security realm

          Possibly, but see discussion in JENKINS-15063.


          Jesse Glick added a comment -

          Not really a duplicate. The need for service accounts in Jenkins is widespread, and the notion of implementing this based on SecurityRealm fallback to a local user database is not necessarily the right design.


          Jesse Glick added a comment -

          Valid outside the context of the authorize-project plugin.


            Unassigned
            ikedam
            Votes: 2
            Watchers: 5