Delegating Administration with CloudBees CI RBAC
Role-Based Access Control (RBAC) for CloudBees CI provides the ability to restrict access and delegate administration. When combined with CloudBees CI CasC, you have a complete audit history of any changes to access control (and other configuration changes) captured by your source control tool, such as Git.
In addition to using CloudBees CI CasC to configure RBAC for your managed controller, we will be using the Overall/Manage and Overall/SystemRead permissions (as described here) to limit UI based configuration for your user, but still allow you to reload updated CasC bundles.
Using CasC for RBAC requires that you allow Managed Controllers to opt-out of inheriting the Operations Center authorization strategy meaning that the Managed Controller will not inherit roles or groups from Operations Center.
- To opt out of the Operations Center authorization strategy navigate to the folder with the same name as your workshop GitHub Organization, expand the contextual menu for your managed controller and click the Configure link.
- On the Configure screen scroll down to the Security Setting Enforcement, select the Enforce Authentication only value from the Opt-out select list and then click the Save button.
- Navigate to your
cloudbees-ci-config-bundle
repository in GitHub and click on the Pull requests link. - Click on the RBAC lab updates pull request in GitHub and then click on the Files changed tab to review the requested configuration changes.
- Note the new
rbac.yaml
file that we are adding. We are adding two roles and two groups using those roles. - Once you have reviewed the changed files, click on the Conversation tab, scroll down and click the green Merge pull request button and then the Confirm merge button.
- Navigate to the config-bundle-ops job under the template-jobs folder on your CloudBees CI managed controller.
- Shortly after the main branch job completes successfully, navigate to the top-level of your managed controller.
- Click on the Manage Jenkins link in the left navigation menu and then click on the CloudBees Configuration as Code export and update link.
- On the next screen, click on the Bundle Update link and you should see that a new version of the configuration bundle is available. Click the Reload Configuration button and on the next screen click the Yes button to apply the updated configuration bundle.
If you don’t see the new version available then click the Check for Updates button.
- Once the bundle has finished reloading you will see a Manage Jenkins page with fewer items and the left navigation will have fewer items - including no longer having the ability to create a New Item at the root of your controller. Also, many of the configuration items that are still available are view only.
- Click on Manage Plugins, click on the Available tab and search for CloudBees. Note that you can see what plugins are available but you cannot install plugins. In order to install or update plugins (or other configuration) you will need to update and reload the CasC bundle for your managed controller.
For instructor led workshops please return to the workshop slides