Security-CloudBees Jenkins Enterprise integration with Pivotal Cloud Foundry
Note: CloudBees Jenkins Platform for PCF is deprecated, and no further development will be made against this tile.
This is a guide on how to use CloudBees Jenkins Enterprise security model integrates with Pivotal Cloud Foundry on your Cloud Foundry installation.
This guide will cover:
- Authentication: Pivotal Cloud Foundry / UAA as the Identity Provider (IDP) of the SSO Authentication for Jenkins
- Authorization: Cloud Foundry Authorization model based on organizations and spaces in Jenkins
- Administrator permissions on Jenkins
- Resetting the permissions
Authentication: Pivotal Cloud Foundry / UAA as the Identity Provider (IDP) of the SSO Authentication for Jenkins
The UAA is the identity management service for Cloud Foundry and acts a SSO service for Jenkins. This means that all the users can authenticate to Jenkins using the same credentials used to access the CF platform.
Authorization: Cloud Foundry Authorization model based on organizations and spaces in Jenkins
The Jenkins instance will come pre-configured with some Authorization settings that limit the read-write permission of the user to the CF organizations he belongs to. For each logged-in user a folder will be automatically created (if does not exist yet) for each organization the user belongs to and an additional folder specific to the user: the latter will be only visible by the specific user, whereas the organization-folders will be shared across all the members of the same organizations.
For example, an user belonging to the CF organization “cloudbees”
will belong to the matching external group “cloudbees” in Jenkins
and will have access to the “cloudbees” folder and to the folder specific for his user.
Someone else belonging to the CF organization “pivotal”
will belong to the matching external group “pivotal” in Jenkins
and will have access to the “pivotal” folder, plus to the folder specific for his user.
Note that he won’t have any visibility on the “cloudbees” folder or access to other users’ specific folders: the two users belong to different organizations and the work environments will be completely isolated.
Differently, a CF administrator (whoever is member of the UAA group
cloud_controller.admin) will have access to all the CF organizations.
As a consequence, the admin user in Jenkins will be member of all the external groups matching these organizations
and will be allowed to access all the existing Jenkins folders
Administrator permissions on Jenkins
Members of the UAA group cloud_controller.admin
are granted the admin privileges in Jenkins and will be part of theAdministrator` group
Troubleshooting: resetting the permissions
Disable security as recommended in https://wiki.jenkins-ci.org/display/JENKINS/Disable+security
For this, you need to access to the jenkins master file system
On restart, CloudBees Jenkins Enterprise for Pivotal Cloud Foundry, it automatically configures Pivotal Cloud Foundry Single Sign On. To disable this automatic configuration, create the following empty files: