Merge pull request #11 from oleg-nenashev/system-read-manage

JEP-224, JEP-223 - Add users with System Read and Manage permissions
oleg-nenashev · May 27, 2020 · 46352c9 · 46352c9
2 parents d249f6c + ce452e3
commit 46352c9
Show file tree

Hide file tree

Showing 4 changed files with 31 additions and 7 deletions.
diff --git a/README.md b/README.md
@@ -18,8 +18,14 @@ Prototyping is in progress, compatibility of the scripts and Dockerfiles is **NO
 
 Jenkins container starts with the following contents:
 
-* Authentication: Internal database with two users: `admin` and `user`
-  * Passwords are same as user names
+* Authentication: Internal database with four users. Passwords are same as user names
+  * `admin` - Admin with full access
+  * `manager` - User with `Jenkins/Manage` permissions
+    ([JEP-223](https://github.com/jenkinsci/jep/tree/master/jep/223))
+  * `readonly` - User with `Jenkins/SystemRead` and read-only permissions
+    ([JEP-224](https://github.com/jenkinsci/jep/tree/master/jep/224)) -
+    [announcement](https://www.jenkins.io/blog/2020/05/25/read-only-jenkins-announcement/)
+  * `user` - User with ability to run jobs
 * Authorization: 
   * [Ownership-Based Security](https://github.com/jenkinsci/ownership-plugin/blob/master/doc/OwnershipBasedSecurity.md), 
   powered by [Role Strategy](https://plugins.jenkins.io/role-strategy) 

diff --git a/init_scripts/src/main/groovy/scripts/Auth.groovy b/init_scripts/src/main/groovy/scripts/Auth.groovy
@@ -9,11 +9,13 @@ boolean createAdmin = Boolean.getBoolean("io.jenkins.dev.security.createAdmin")
 
 println("=== Configuring users")
 def securityRealm = Jenkins.instance.getSecurityRealm()
-User user = securityRealm.createAccount("user", "user")
-user.setFullName("User")
+securityRealm.createAccount("user", "user").setFullName("User")
+securityRealm.createAccount("readonly", "readonly").setFullName("Read-only Admin")
+securityRealm.createAccount("manager", "manager").setFullName("Admin (Manage)")
+
 if (createAdmin) {
     User admin = securityRealm.createAccount("admin", "admin")
-    admin.setFullName("Admin")
+    admin.setFullName("Admin (Full Permissions)")
 }
 
 println("=== Configure Authorize Project")

diff --git a/jenkins.yaml b/jenkins.yaml
@@ -42,12 +42,26 @@ jenkins:
       roles:
         global:
           - name: "admin"
-            description: "Jenkins administrators"
+            description: "Jenkins administrators with full permissions"
             permissions:
               - "Overall/Administer"
             assignments:
               - "admin"
-          - name: "readonly"
+          - name: "manager"
+            description: "Jenkins managers with limited admin permissions"
+            permissions:
+              - "Overall/Manage"
+            assignments:
+              - "manager"
+          - name: "readonly-admin"
+            description: "Jenkins read-only administrators"
+            permissions:
+              - "Overall/SystemRead"
+              - "Job/Read"
+              - "Agent/Read"
+            assignments:
+              - "readonly"
+          - name: "readonly-user"
             description: "Read-only users"
             permissions:
               - "Overall/Read"

diff --git a/plugins.txt b/plugins.txt
@@ -9,6 +9,7 @@ configuration-as-code:1.41
 docker-commons:1.16
 docker-workflow:1.23
 email-ext:2.69
+extended-read-permission:3.2
 favorite:2.3.2
 filesystem_scm:2.1
 git-client:3.2.1
@@ -26,6 +27,7 @@ junit:1.27
 locale:1.4
 lockable-resources:2.8
 mailer:1.32
+manage-permission:1.0
 matrix-auth:2.6.1
 maven-plugin:3.6
 momentjs:1.1.1