1. Authentication and Authorization in Jenkins and Nectar July 27th, 2011 ©2011 CloudBees, Inc. All Rights Reserved

2. The slides will be made available as well as a link to the replay of this webinar. Links will be sent in an email after the webinar has finished (2-3 days). Housekeeping ©2011 CloudBees, Inc. All Rights Reserved

3. The Presenters Who exactly is talking? ©2011 CloudBees, Inc. All Rights Reserved

4. Stephen Connolly Responsible for Most of this talk Trying to answer the questions Harpreet Singh Responsible for Ensuring Stephen does not go too fast/slow Keeping track of questions for the Q&A session The Presenters ©2011 CloudBees, Inc. All Rights Reserved

5. Overview What we will be covering today ©2011 CloudBees, Inc. All Rights Reserved

6. Jenkins Security Architecture Authentication Plugins Authorization Plugins CloudBees’ RBAC plugin Common Use Cases & Walk-throughs Questions & Answers Overview ©2011 CloudBees, Inc. All Rights Reserved

7. CloudBees Who are we and what we can do for you? ©2011 CloudBees, Inc. All Rights Reserved

9. DEV@cloud – Cloud Services for Developers

11. CloudBees Jenkins Solutions ©2011 CloudBees, Inc. All Rights Reserved CloudBees’ Pro version of Jenkinsproprietary add-ons, stable release cycle Professional support from the Experts

12. CloudBees Jenkins Solutions ©2011 CloudBees, Inc. All Rights Reserved Self-service “Jenkins as a Service”pay-as-you-go public cloud DEV@cloud CloudBees’ Pro version of Jenkinsproprietary add-ons, stable release cycle Professional support from the Experts

13. CloudBees Jenkins Solutions ©2011 CloudBees, Inc. All Rights Reserved Self-Service“Jenkins as a Service”for Enterprises DEV@cloudPrivate Edition Self-service “Jenkins as a Service”pay-as-you-go public cloud DEV@cloud CloudBees’ Pro version of Jenkinsproprietary add-ons, stable release cycle Professional support from the Experts

14. Jenkins Security Architecture Server security Security Realms Authorization Strategies Master/Slave security Authentication Plugins Authorization Plugins CloudBees’ RBAC plugin Common Use Cases & Walk-throughs Questions & Answers Overview ©2011 CloudBees, Inc. All Rights Reserved

15. Jenkins Security Architecture What goes where and which does what… ©2011 CloudBees, Inc. All Rights Reserved

16. Security Realm provides user identity Authorization Strategy provides user’s permissions for each object. Actions can require a specific permission to be performed. Jenkins Security Architecture ©2011 CloudBees, Inc. All Rights Reserved Security Realm Object Identity Action AuthorizationStrategy Permission Access Plugins extension points

17. Depends on your server: Operating System Windows Linux Servlet container Winstone (java -jar jenkins.war) Tomcat Jetty JBoss etc Server security ©2011 CloudBees, Inc. All Rights Reserved

19. Server firewall configured appropriately

20. Server remote access locked down

21. Remote desktop on Windows

22. SSHD on *nix

23. Servlet container running as restricted user

24. Consider Apache HTTPD or nginx if exposing on a public networkServer security (cont.) ©2011 CloudBees, Inc. All Rights Reserved

25. What are they Core Jenkins extension point for Authentication Responsible for validating user identity Can only select one. Default for clean install: None What is available already Core None Unix PAM Internal DB Legacy Container Open Source Plugins Active Directory CAS v1 CollabNet Crowd MySQL DB OpenID SSO Script & Extended Script SourceForge Enterprise Edition … Security Realms ©2011 CloudBees, Inc. All Rights Reserved

26. What are they Core Jenkins extension point for Authorization Responsible for deciding the permissions available to users. Can only select one. Default for clean install: Unsecured What is available already Core Global Matrix Project Matrix Logged in user can do anything Legacy Authorization Open Source Plugins CollabNet Role strategy SourceForge Enterprise Edition … CloudBees’ Plugins RBAC Authorization Strategies ©2011 CloudBees, Inc. All Rights Reserved

27. What are they The fine-grained activities that can be secured within Jenkins Some permissions aggregate others, e.g. Global Admin implies all other standard permissions Plugins can define their own permissions for their own actions What is available Overall Administer Read Slave Configure Delete Job Create Delete Configure Read Build Workspace View Create Delete Configure … Permissions ©2011 CloudBees, Inc. All Rights Reserved

29. Use VM for slaves & reset VM image after every build

30. Launch slave process with a read-only JVM

31. Access to slaves should be as restricted as the Master

32. Install build tools read-onlyMaster / Slave security ©2011 CloudBees, Inc. All Rights Reserved Take Away SCM security sets the upper bound

34. Authentication Plugins Who are you and how can you prove it to me… ©2011 CloudBees, Inc. All Rights Reserved

35. Not all plugins implement every feature Key features to check for are: Supports signup Provides group details Supports group lookup Can logout You may not need all/any of the above but it may restrict your choice of Authorization Strategy Authentication Plugins ©2011 CloudBees, Inc. All Rights Reserved

36. Authenticates the username and the password through Active Directory Actually multiple implementations under the hood and one is chosen based on your environment Active Directory (plugin) ©2011 CloudBees, Inc. All Rights Reserved Notes: Jenkins does not have to run on Windows to use this. Can require a correctly configured DNS for Active Directory

41. Authenticates the username and password through Unix Pluggable Authentication Modules Requires that Jenkins be running on Linux / Mac OSX / Unix Unix PAM (core) ©2011 CloudBees, Inc. All Rights Reserved Notes: Very quick to set-up Handy if you already have a federated PAM configuration If on a public network serve Jenkins over https://

42. Feature Matrix ©2011 CloudBees, Inc. All Rights Reserved

44. Authentication PluginsAuthorization Plugins Matrix Strategy Project-based Matrix Strategy Role strategy CloudBees’ RBAC plugin CloudBees’ RBAC plugin Common Use Cases & Walk-throughs Questions & Answers Overview ©2011 CloudBees, Inc. All Rights Reserved

45. Authorization Plugins So tell me… who can do what? ©2011 CloudBees, Inc. All Rights Reserved

46. A simple matrix of click-boxes. Each row is a user/group* Each column is a Permission * If the Authentication plugin does not support group details then one row is required for each user Matrix Strategy (core) ©2011 CloudBees, Inc. All Rights Reserved

47. A simple matrix of click-boxes. Each row is a user/group* Each column is a Permission Each project can add its own matrix Project-based Matrix Strategy (core) ©2011 CloudBees, Inc. All Rights Reserved

48. Allows grouping permissions into roles Roles assigned to users/groups ‡ Project roles are defined using a regex for the project name to which the role is restricted. * If the Authentication plugin does not support group details then one row is required for each user § Requires global Admin role Role Strategy (plugin) ©2011 CloudBees, Inc. All Rights Reserved

49. A simple matrix of click-boxesRow: roleColumn: permission Define groups at any level Assign roles to groups Filter roles at any level CloudBees’ RBAC Plugin (plugin) ©2011 CloudBees, Inc. All Rights Reserved

50. Feature Matrix ©2011 CloudBees, Inc. All Rights Reserved

52. Authentication Plugins

53. Authorization PluginsCloudBees’ RBAC plugin Overview Inheritance model Filtering Common Use Cases & Walk-throughs Questions & Answers Overview ©2011 CloudBees, Inc. All Rights Reserved

54. CloudBees’ RBAC plugin Our take on an Authorization Strategy ©2011 CloudBees, Inc. All Rights Reserved

55. Roles defined in Nectar External Groups from LDAP / AD / Atlassian Crowd / etc Local Groups defined in Nectar Configure Roles in Local Groups Manage membership in Local Groups Users / other Local Groups / External Groups Role filtering to restrict inheritance A layered approach What Who Tweak ©2011 CloudBees, Inc. All Rights Reserved

56. Adds new elements to the GUI ©2011 CloudBees, Inc. All Rights Reserved

57. Groups are defined on objects Per-slave permissions Per-folder permissions (Folders Plugin) Per-module permissions (Maven Projects) Role definitions are global Role assignments can be scoped Object based permissions ©2011 CloudBees, Inc. All Rights Reserved

58. Plan out your roles Enable security Add the roles Save Define Groups Remove Admin permissions from Authenticated Role Save How to deploy ©2011 CloudBees, Inc. All Rights Reserved

59. Inheritance model: Groups and roles Have Dev role if in Devs group or Folder A Devs group Dev Folder A Devs Have Dev role if in Devs group Devs Dev ©2011 CloudBees, Inc. All Rights Reserved

60. Inheritance model: Pinned roles Have Dev role if in Folder A Devs group Dev Folder A Devs Devs Dev Nobody has Dev role ©2011 CloudBees, Inc. All Rights Reserved

61. Filtering Have Dev role if in Folder A Devs group Dev Folder A Devs Have Dev role if in Devs group Devs Dev ©2011 CloudBees, Inc. All Rights Reserved

63. Authentication Plugins

64. Authorization Plugins

65. CloudBees’ RBAC pluginCommon Use Cases & Walk-throughs Authenticated only Public read-only Devvs SQA Multi-department Secret skunk-works projects Questions & Answers Overview ©2011 CloudBees, Inc. All Rights Reserved

66. Common use-cases & Walk-throughs You’re not so different… here’s how you might do it… ©2011 CloudBees, Inc. All Rights Reserved

67. Use case System is set up so that only authenticated users can access. Authenticated users can do anything. Authenticated Only ©2011 CloudBees, Inc. All Rights Reserved

68. Authenticated Only ©2011 CloudBees, Inc. All Rights Reserved

69. Walk-through Authenticated Only use case ©2011 CloudBees, Inc. All Rights Reserved

70. Use case System is set up so that anonymous users can browse all projects Anonymous users cannot access the Job Workspaces, or change/trigger anything Authenticated users can do anything. Public read-only ©2011 CloudBees, Inc. All Rights Reserved

71. Public read-only ©2011 CloudBees, Inc. All Rights Reserved

72. Walk-through Public read-only use case ©2011 CloudBees, Inc. All Rights Reserved

73. Use case System is set up so that anonymous users can browse all projects. Anonymous users cannot access the Job Workspaces, or change/trigger anything. Authenticated Developers can trigger builds. Authenticate SQA can delete/tag builds. Devvs SQA ©2011 CloudBees, Inc. All Rights Reserved

74. Devvs SQA ©2011 CloudBees, Inc. All Rights Reserved

75. Walk-through Devvs SQA use case ©2011 CloudBees, Inc. All Rights Reserved

76. Use case System is set up so that anonymous users can browse all projects Anonymous users cannot access the Job Workspaces, or change/trigger anything Authenticated users can do anything to the projects in their department only. For projects outside their department they are like anonymous users. Multi-department ©2011 CloudBees, Inc. All Rights Reserved

77. Multi-department ©2011 CloudBees, Inc. All Rights Reserved

78. Walk-through Multi-department use case ©2011 CloudBees, Inc. All Rights Reserved

79. Use case A secret project is set up for a skunk-works team. Only the skunk-works team‡ can see the secret project. The skunk-works team are not otherwise restricted. ‡Someone with direct disk access to the master may be able to find the skunk-works project. The aim is to hide the project from the GUI. Secret skunk-works projects ©2011 CloudBees, Inc. All Rights Reserved

80. Impl matrix with each plugin Secret skunk-works projects ©2011 CloudBees, Inc. All Rights Reserved

81. Walk-through Secret skunk-works projects use case ©2011 CloudBees, Inc. All Rights Reserved

83. Authentication Plugins

84. Authorization Plugins

85. CloudBees’ RBAC plugin

86. Common Use Cases & Walk-throughsQuestions & Answers Overview ©2011 CloudBees, Inc. All Rights Reserved

87. Support Nectar ©2011 CloudBees, Inc. All Rights Reserved

88. Releases every 6 months. Supported for 18 months. Patches every 6 weeks. Plugins supported for life of underlying release Support all plugins Nectar 10.10 and Nectar 11.04 released Nectar ©2011 CloudBees, Inc. All Rights Reserved

89. CloudBees Resources Page http://www.cloudbees.com/support.cb Try DEV@cloud& RUN@cloud https://grandcentral.cloudbees.com/account/signup CloudBees Eclipse Plugin http://cloudbees.com/eclipse-plugin.cb DEV@cloud Private Edition Beta Program (DEV@cloud for private clouds) http://www.cloudbees.com/dev-pe.cb CloudBees Resources ©2011 CloudBees, Inc. All Rights Reserved

90. Questions & Answers And if the questions are too tough, we’ll answer offline… ©2011 CloudBees, Inc. All Rights Reserved

91. Raise your hand if you have a question and type your question into the question box… Harpreet is keeping track of who is next… We will unmute you while it is your Q&A… If an answer is going too long, or we need to check some specifics we will distribute the answer off-line. Questions & Answers ©2011 CloudBees, Inc. All Rights Reserved

92. ©2011 CloudBees, Inc. All Rights Reserved