Security-CloudBees Jenkins Enterprise integration with Pivotal Cloud Foundry

Note: CloudBees Jenkins Platform for PCF is deprecated, and no further development will be made against this tile.

Introduction

This is a guide on how to use CloudBees Jenkins Enterprise security model integrates with Pivotal Cloud Foundry on your Cloud Foundry installation.

This guide will cover:

  1. Authentication: Pivotal Cloud Foundry / UAA as the Identity Provider (IDP) of the SSO Authentication for Jenkins
  2. Authorization: Cloud Foundry Authorization model based on organizations and spaces in Jenkins
  3. Administrator permissions on Jenkins
  4. Resetting the permissions

Authentication: Pivotal Cloud Foundry / UAA as the Identity Provider (IDP) of the SSO Authentication for Jenkins

The UAA is the identity management service for Cloud Foundry and acts a SSO service for Jenkins. This means that all the users can authenticate to Jenkins using the same credentials used to access the CF platform.

Authorization: Cloud Foundry Authorization model based on organizations and spaces in Jenkins

The Jenkins instance will come pre-configured with some Authorization settings that limit the read-write permission of the user to the CF organizations he belongs to. For each logged-in user a folder will be automatically created (if does not exist yet) for each organization the user belongs to and an additional folder specific to the user: the latter will be only visible by the specific user, whereas the organization-folders will be shared across all the members of the same organizations.

For example, an user belonging to the CF organization “cloudbees”

![Authorization] Authorisation 1.2

will belong to the matching external group “cloudbees” in Jenkins

![Authorization] Authorisation 1.1

and will have access to the “cloudbees” folder and to the folder specific for his user.

![Authorization] Authorisation 1

Someone else belonging to the CF organization “pivotal”

![Authorization] Authorisation 2.2

will belong to the matching external group “pivotal” in Jenkins

![Authorization] Authorisation 2.1

and will have access to the “pivotal” folder, plus to the folder specific for his user.

![Authorization] Authorisation 2

Note that he won’t have any visibility on the “cloudbees” folder or access to other users’ specific folders: the two users belong to different organizations and the work environments will be completely isolated.

Differently, a CF administrator (whoever is member of the UAA group cloud_controller.admin) will have access to all the CF organizations.

![Authorization] Authorisation 3.2

As a consequence, the admin user in Jenkins will be member of all the external groups matching these organizations

![Authorization] Authorisation 3.1

and will be allowed to access all the existing Jenkins folders

![Authorization] Authorisation 3

Administrator permissions on Jenkins

Members of the UAA group cloud_controller.adminare granted the admin privileges in Jenkins and will be part of theAdministrator` group

Troubleshooting: resetting the permissions

Disable security as recommended in https://wiki.jenkins-ci.org/display/JENKINS/Disable+security

For this, you need to access to the jenkins master file system /var/vcap/store/jenkins_master.

On restart, CloudBees Jenkins Enterprise for Pivotal Cloud Foundry, it automatically configures Pivotal Cloud Foundry Single Sign On. To disable this automatic configuration, create the following empty files:

  • /var/vcap/store/jenkins_master/.disable-authentication-script
  • /var/vcap/store/jenkins_master/.disable-authorization-script
Create a pull request or raise an issue on the source for this page in GitHub