Add support for fine-grained access control #514

Merged
merged 1 commit into from
Dec 18, 2024

@gaiksaya gaiksaya commented Dec 6, 2024

Description

This change adds support for fine-grained access control. Access can now be controlled at the workflow level per user.
Also fixes the test cases where earlier an already committed YAML was being parsed. However, we need to actually parse the YAML object.
Deletes the unused test data.

Issues Resolved

#507

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

Signed-off-by: Sayali Gaikawad <gaiksaya@amazon.com>
],
},
},
};

jenkinsYaml.jenkins.authorizationStrategy = rolesAndPermissions;

if (typeof fineGrainedAccessItems !== 'undefined') {
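Review bot: The guard at `if (typeof fineGrainedAccessItems !== 'undefined')` only excludes undefined, so null or an empty value still enters the branch. If `fineGrainedAccessItems` is a declared variable in this scope, `typeof` is not needed, and a check on the shape the block actually consumes (for example a non-empty array) would state the intent more directly, so the branch only runs when there is something to add to the authorization strategy.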
Member

Is !== undefined better than === true or similar?

Member Author

Both have different purposes. One checks if the value is undefined and the other one checks if the value is truly assigned to the variable.

@@ -452,7 +453,8 @@ export class JenkinsMainNode {
agentNodeObject: AgentNodeConfig, props: AgentNodeNetworkProps, agentNode: AgentNodeProps[], macAgent: string): string {
let updatedConfig = agentNodeObject.addAgentConfigToJenkinsYaml(stack, agentNode, props, macAgent);
if (loginAuthProps.authType !== 'default') {
updatedConfig = AuthConfig.addOidcConfigToJenkinsYaml(updatedConfig, loginAuthProps.authType, loginAuthProps.adminUsers);
updatedConfig = AuthConfig.addOidcConfigToJenkinsYaml(updatedConfig, loginAuthProps.authType,
loginAuthProps.adminUsers, loginAuthProps.fineGrainedAccessSpecs);
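Review bot: `loginAuthProps.fineGrainedAccessSpecs` is only passed along inside the `authType !== 'default'` branch, so specs supplied together with the default auth type are dropped without any signal. Consider failing or logging a warning in that case so an operator does not assume per-workflow restrictions are in effect. The method name `addOidcConfigToJenkinsYaml` also no longer describes everything it receives now that it takes access specs; a rename or a doc comment on the new parameter would help.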
Member

Will admins have all the permissions defined above?
And what about read-only users?

Member Author

Admin users will have admin permissions. The same applies to readonly users. The roles are divided into 2 types: global and items at the Jenkins level. Admin and readonly fall under global and fineGrainedAccess falls under the items category.

@rishabh6788
Collaborator

Can you please explain if I want to add a new user and give them build access to a particular job, how would I achieve that?

@gaiksaya
Member Author

gaiksaya commented Dec 17, 2024

> Can you please explain if I want to add a new user and give them build access to a particular job, how would I achieve that?

Like this https://github.com/opensearch-project/opensearch-ci/pull/514/files#diff-26e449f9955e460d5aabdf24a751a58d9aaace1a73226f143618601a18d0af32R52-R57
The regex pattern defines the access to the workflows. For example:
[image]
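The pattern-based item access described in this thread, as an added example (not code from this PR or from opensearch-ci): a small audit that lists which job names each fine-grained spec would cover and flags specs that reach beyond an intended set. The spec field names (`users`, `roleName`, `pattern`), the job names and the whole-name matching are assumptions made for illustration, and JavaScript regex syntax stands in for the Java regex that Jenkins evaluates.

```typescript
// Added illustration; not code from the PR. Field names are hypothetical.
interface AccessSpec {
  users: string[];   // hypothetical: user ids granted the role
  roleName: string;  // hypothetical: item role name
  pattern: string;   // regex over job (workflow) names
}

interface SpecFinding {
  roleName: string;
  users: string[];
  matched: string[];     // jobs the pattern grants access to
  unexpected: string[];  // matched jobs outside the intended set
  invalid: boolean;      // pattern failed to compile
}

// Assumption: a pattern must match the whole job name, so it is anchored here.
function jobsMatchedBy(pattern: string, jobNames: string[]): string[] {
  const re = new RegExp('^(?:' + pattern + ')$');
  return jobNames.filter((name) => re.test(name));
}

function auditSpecs(specs: AccessSpec[], jobNames: string[],
  intended: { [roleName: string]: string[] }): SpecFinding[] {
  return specs.map((spec) => {
    let matched: string[] = [];
    let invalid = false;
    try {
      matched = jobsMatchedBy(spec.pattern, jobNames);
    } catch (e) {
      invalid = true; // a pattern that does not compile matches nothing and is reported
    }
    const allowed = intended[spec.roleName] || [];
    const unexpected = matched.filter((job) => allowed.indexOf(job) === -1);
    return { roleName: spec.roleName, users: spec.users, matched, unexpected, invalid };
  });
}

// Constructed sample data.
const sampleJobs = ['build-alpha', 'build-alpha-release', 'build-beta', 'deploy-prod'];
const sampleSpecs: AccessSpec[] = [
  { users: ['user-a'], roleName: 'alpha-builders', pattern: 'build-alpha' },
  { users: ['user-b'], roleName: 'beta-builders', pattern: 'build-.*' },
  { users: ['user-c'], roleName: 'broken', pattern: 'deploy-(' },
];
const sampleIntended: { [roleName: string]: string[] } = {
  'alpha-builders': ['build-alpha'], 'beta-builders': ['build-beta'] };
const findings = auditSpecs(sampleSpecs, sampleJobs, sampleIntended);
```

In the constructed data, the `build-.*` spec is the one flagged: it was meant for a single job but also covers the two `build-alpha` jobs.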

@peterzhuamazon
Member

Asking @rishabh6788 to do another pass before merging.

Thanks!

@gaiksaya gaiksaya merged commit 82bf9bc into opensearch-project:main Dec 18, 2024
3 checks passed
@gaiksaya gaiksaya deleted the fine-grained-access branch December 18, 2024 06:44