In this blog I want to detail the steps for enabling role based access control (RBAC) in Jenkins using the Azure AD plugin, without needing the enterprise edition of Jenkins (CloudBees).
Here are a few scenarios where this is useful:
- When you want to restrict access to your Jenkins to designated users within your organization. Only users in a certain group can create and delete jobs, while others can see build console output, trigger a new build, etc.
- You want to ensure that project team members can access only their own jobs, logs, etc.
- Note: You don't need to expose the Jenkins endpoint externally unless you want webhooks configured from your git repositories (if they are hosted and accessible over the internet).
- and many more
PRE-REQUISITES:
- Have the latest Jenkins version installed. I had Jenkins running on an Ubuntu 16.04 Azure VM, and the DNS label on the VM's public IP is configured as myjenkins. Thus your Jenkins fully qualified domain name would be http://myjenkins.<region>.cloudapp.azure.com:8080
- Install the Azure AD plugin from the available plugins in your Jenkins instance (Manage Jenkins -> Manage Plugins -> Available tab -> Search for Azure AD)
- You have a valid Azure subscription and have privileges to create service accounts in the Azure AD tenant you are planning to use. If you do not have access, you can ask your administrator to create a service account as per the instructions provided below
- In addition, to test role based access control (RBAC), you will need permissions to create a couple of groups and a few user accounts, assigned to those different groups, to be able to log in to Jenkins.
- Create a Service Account in Azure AD - This service account is used by Jenkins to query user profiles and group memberships
- Navigate to Azure Active Directory from the left navigation once you login on Azure Portal (https://portal.azure.com)
- Click on App Registrations -> New Application Registration
- Enter Name (e.g. in my case I named it as Jenkins) for your service account
- Select Application Type as Web App / API
- Enter Sign-On URL as your home page URL for your Jenkins instance (as mentioned in pre-requisites i.e. http://myjenkins.<region>.cloudapp.azure.com:8080)
- Click Create, and take a note of the Application ID (this is your Client ID) once service account creation is successful
- Also take a note of your Directory ID (this is your Tenant ID). You will find this when you navigate to the Azure Active Directory menu on the left hand side, go to Properties and copy the Directory ID
- Configure Azure AD Service Account
- Configure Reply URL - This is the URL where Azure AD posts the ID token once the user is authenticated and is in the format http://<Jenkins-dns>.<region>.cloudapp.azure.com:8080/securityRealm/finishLogin, i.e. in our case it would be http://myjenkins.eastus.cloudapp.azure.com:8080/securityRealm/finishLogin as shown below
- Configure App ID URI - This is the unique App ID URI and can be the same as the Reply URL configured above
- Configure Home Page URL - This is the root URL of your Jenkins (i.e. http://myjenkins.eastus.cloudapp.azure.com:8080). Please note, no securityRealm/finishLogin is appended to this URL. Both these settings are shown below
- Edit the Manifest to include group memberships as part of your claims when Azure AD posts the ID token to your Jenkins application. You do this by changing the groupMembershipClaims value from null to "All". Without this your group memberships will not be issued as claims and you cannot get role based access control working.
- Next we need to assign permissions to this service account so that it can Read Directory Data and read user profile information. You do this by navigating to Settings -> Required Permissions for the service account as shown below. Please note the last step once you have selected the appropriate permissions - you need to click Grant Permissions (last image in this step)
- Creating Azure AD Users
- Create a couple of Azure AD users (or use existing ones) by navigating to Azure Active Directory -> Users -> New User. Also take a note of the user name; this includes the name of your Active Directory.
- You can also choose to assign AD groups at this point (if you already have some AD groups that you want to use), but we will do this in the next step (we will create the JenkinsAdmins and JenkinsReader groups).
- Also take a note of the temporary password. It is better to change the temporary password when you log in for the first time to the Azure portal (portal.azure.com) instead of getting this prompt during the Jenkins authentication process.
- In this exercise let us say we created two users, jadmin@<yourdirectory>.com and jreader@<yourdirectory>.com
- Creating Azure AD Groups and Adding Users
- Create the JenkinsAdmins group and add one of the users created earlier (jadmin)
- Create the JenkinsReader group and add a different user (e.g. jreader) than the one added to the JenkinsAdmins group.
- We will be using these two different users in two different groups to see if authorization is really working in Jenkins
- Configure Jenkins
- One other important thing to change in the Jenkins installation is the jenkins.model.JenkinsLocationConfiguration.xml configuration: it must include your FQDN, so that when a user tries to access Jenkins and is redirected by Jenkins to Azure AD for authentication, Jenkins sends a redirect_uri that matches the Reply URL we configured in the Azure AD service account.
- If we don't do this, by default the jenkinsUrl in the above configuration will use the public IP address of your VM. This will not match your service account's Reply URL and you will face the issue mentioned in this Jira ticket, i.e.
java.lang.IllegalStateException: Invalid nonce in the response
    at com.microsoft.jenkins.azuread.AzureSecurityRealm.validateAndParseIdToken(AzureSecurityRealm.java:239)
    at com.microsoft.jenkins.azuread.AzureSecurityRealm.doFinishLogin(AzureSecurityRealm.java:202)
    at java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:627)
    at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:343)
    at
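The two settings that most often break this login flow are the jenkinsUrl in jenkins.model.JenkinsLocationConfiguration.xml (it has to produce a redirect_uri that matches the Reply URL registered in Azure AD) and groupMembershipClaims in the app manifest (without it, no group claims are issued and the matrix never matches). The following pre-flight check is an added example, not part of the original post or of the Azure AD plugin; the XML and manifest contents are constructed samples, the Reply URL list and the client-id placeholder are assumptions, and the hostname follows the post's myjenkins.eastus example.

```python
"""Pre-flight check for the Jenkins + Azure AD settings described in the post.

Added example (not the plugin's or the post author's code). It reads the
Jenkins location configuration and the app registration manifest and reports
the misconfigurations the post describes.
"""
import json
import xml.etree.ElementTree as ET

FINISH_LOGIN_PATH = "/securityRealm/finishLogin"
# groupMembershipClaims values under which Azure AD puts security groups into
# the ID token. The post uses "All"; "SecurityGroup" emits security groups only.
GROUP_CLAIM_VALUES = {"All", "SecurityGroup"}


def jenkins_url_from_location_config(xml_text):
    """Read <jenkinsUrl> out of jenkins.model.JenkinsLocationConfiguration.xml."""
    root = ET.fromstring(xml_text)
    node = root.find("jenkinsUrl")
    if node is None or not (node.text or "").strip():
        raise ValueError("jenkinsUrl is not set in JenkinsLocationConfiguration")
    return node.text.strip()


def expected_reply_url(jenkins_url):
    """The redirect_uri Jenkins sends to Azure AD: <jenkinsUrl>/securityRealm/finishLogin."""
    return jenkins_url.rstrip("/") + FINISH_LOGIN_PATH


def check_location_config(xml_text, registered_reply_urls):
    """Compare the redirect_uri Jenkins will send with the Reply URLs registered in Azure AD.

    Azure AD matches Reply URLs exactly (scheme, host, port and path), so a
    jenkinsUrl built from the VM's public IP never matches an FQDN-based Reply URL.
    """
    redirect_uri = expected_reply_url(jenkins_url_from_location_config(xml_text))
    if redirect_uri in registered_reply_urls:
        return []
    return ["redirect_uri %s is not a registered Reply URL; the post reports this "
            "as 'IllegalStateException: Invalid nonce in the response'" % redirect_uri]


def check_manifest(manifest_text):
    """Report a manifest whose groupMembershipClaims does not emit group claims."""
    manifest = json.loads(manifest_text)
    value = manifest.get("groupMembershipClaims")
    if value in GROUP_CLAIM_VALUES:
        return []
    return ['groupMembershipClaims is %r; set it to "All" so group claims are issued' % (value,)]


def preflight(xml_text, manifest_text, registered_reply_urls):
    """All problems found; an empty list means both settings look right."""
    return check_location_config(xml_text, registered_reply_urls) + check_manifest(manifest_text)


# --- constructed samples (not real files from the post) ---
GOOD_LOCATION_XML = """<jenkins.model.JenkinsLocationConfiguration>
  <adminAddress>address not configured yet &lt;nobody@nowhere&gt;</adminAddress>
  <jenkinsUrl>http://myjenkins.eastus.cloudapp.azure.com:8080/</jenkinsUrl>
</jenkins.model.JenkinsLocationConfiguration>
"""
# Default after install: Jenkins guessed its URL from the VM's public IP (made-up address).
DEFAULT_LOCATION_XML = GOOD_LOCATION_XML.replace("myjenkins.eastus.cloudapp.azure.com", "40.0.0.1")

# Reply URL registered on the service account, exactly as the post configures it.
REPLY_URLS = ["http://myjenkins.eastus.cloudapp.azure.com:8080/securityRealm/finishLogin"]
MANIFEST_DEFAULT = '{"appId": "<client-id-placeholder>", "groupMembershipClaims": null}'
MANIFEST_FIXED = '{"appId": "<client-id-placeholder>", "groupMembershipClaims": "All"}'

if __name__ == "__main__":
    for label, xml_text, manifest in [("fresh install", DEFAULT_LOCATION_XML, MANIFEST_DEFAULT),
                                      ("configured", GOOD_LOCATION_XML, MANIFEST_FIXED)]:
        print(label, "->", preflight(xml_text, manifest, REPLY_URLS) or ["ok"])
```

Run it against the real file from $JENKINS_HOME and the manifest downloaded from the app registration before the first login attempt; fixing jenkinsUrl also requires a Jenkins restart or a save in Manage Jenkins -> Configure System for the new value to be used.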
Enabling RBAC, Adding Roles and Assigning Permissions in Jenkins
- Configuring Global Security
- Navigate to Manage Jenkins -> Configure Global Security
- Check "Enable Security"
- Select Access Control -> Security Realm -> Azure Active Directory
- Configure the Client ID, Client Secret and Tenant ID which we noted down during the service account creation steps above. This is shown below
- Save the above changes. Without saving them, you will not be able to add roles based on Azure AD groups and assign permissions
- Configuring Jenkins Roles and Permissions
- Under Configure Global Security, navigate to Authorization section
- Select Azure Active Directory Matrix-based Security
- Now when you start typing in "Azure user / group to add", you will see Azure AD groups being populated in the list.
- Add the desired roles (in our case JenkinsAdmins and JenkinsReader) and assign the necessary permissions.
- In my case, for JenkinsAdmins I just granted the Overall Administer permission, and for JenkinsReader I granted only Overall Read, the Build permission under Agent, the Build, Cancel, Discover and Read permissions for Jobs, the Replay permission in Run, and the Read permission in View. This is shown in the pictures below
- If you want to configure project level roles and permissions, you can navigate to a particular job (assuming you are logged in as an administrator) and enable project-based security. You will get the same interface as in Global Security, where you can configure the required permissions for your project specific roles.
Testing RBAC in Jenkins
- To test the authorizations, I suggest using the incognito mode of your preferred browser.
- First log in with the user who has administrative permissions in Jenkins. To do this, hit the Jenkins URL; this will automatically redirect you to the Azure AD authentication page. Log in with your administrative account (i.e. in our case jadmin@<yourad>.com) and once authenticated successfully, you will be taken to the Jenkins home page.
- Log out and close the incognito window
- Now open a new incognito instance of your browser and in a similar way log in with your other account, which has only read permissions (i.e. in our case jreader@<yourad>.com). You should see that you do not have permission to manage Jenkins, nor permission to create new jobs. You can build existing jobs, look at the console logs, etc.
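What the test above exercises is the mapping from the groups claim in the ID token to the matrix permissions configured in Global Security. The following is an added example of that mapping, not code from the Azure AD plugin or from the post: it uses the group display names from the post as matrix keys (the plugin itself resolves groups to Azure AD object IDs, which is not modelled here), the ID-token claims are constructed samples, and it also covers the two cases where the groups claim is absent: a manifest left at groupMembershipClaims null, and the overage case where Azure AD replaces the claim with a _claim_names/_claim_sources indicator and the memberships must be fetched from Microsoft Graph instead (which is what the service account's directory read permission is for).

```python
"""Added example (not the plugin's code): evaluate Jenkins matrix permissions
from the 'groups' claim of an Azure AD ID token, as configured in the post."""

# Permission matrix from the post: Azure AD group -> Jenkins permissions granted to it.
# Assumption: display names are used as keys; the plugin stores object IDs instead.
ROLE_PERMISSIONS = {
    "JenkinsAdmins": {"Overall/Administer"},
    "JenkinsReader": {"Overall/Read", "Agent/Build", "Job/Build", "Job/Cancel",
                      "Job/Discover", "Job/Read", "Run/Replay", "View/Read"},
}

# Permissions this example knows about; Overall/Administer implies every one of them,
# which is how Jenkins' own matrix model treats it.
ALL_PERMISSIONS = {
    "Overall/Administer", "Overall/Read", "Agent/Build", "Job/Build", "Job/Cancel",
    "Job/Create", "Job/Delete", "Job/Configure", "Job/Discover", "Job/Read",
    "Run/Replay", "View/Read",
}


def groups_need_graph_lookup(claims):
    """True when Azure AD omitted the 'groups' claim because the user belongs to too
    many groups; the token then carries _claim_names/_claim_sources and the
    memberships have to be read from Microsoft Graph with the service account."""
    return "groups" in claims.get("_claim_names", {})


def effective_permissions(claims):
    """Union of the matrix permissions of every group named in the token's 'groups' claim."""
    if groups_need_graph_lookup(claims):
        raise ValueError("groups claim overage: fetch memberships from Microsoft Graph")
    # With groupMembershipClaims left at null there is no 'groups' claim at all,
    # so nothing in the matrix matches and the user ends up with no permissions.
    perms = set()
    for group in claims.get("groups", []):
        perms |= ROLE_PERMISSIONS.get(group, set())
    if "Overall/Administer" in perms:
        return set(ALL_PERMISSIONS)
    return perms


def is_permitted(claims, permission):
    """Does the user described by these ID-token claims hold the given permission?"""
    return permission in effective_permissions(claims)


# --- constructed ID-token claim sets (not real tokens) ---
JADMIN_CLAIMS = {"upn": "jadmin@<yourdirectory>.com", "groups": ["JenkinsAdmins"]}
JREADER_CLAIMS = {"upn": "jreader@<yourdirectory>.com", "groups": ["JenkinsReader"]}
# Token issued while groupMembershipClaims was still null: no groups claim.
NO_GROUPS_CLAIMS = {"upn": "jreader@<yourdirectory>.com"}
# Token for a user in more groups than Azure AD will embed; endpoint is a placeholder.
OVERAGE_CLAIMS = {"upn": "jadmin@<yourdirectory>.com",
                  "_claim_names": {"groups": "src1"},
                  "_claim_sources": {"src1": {"endpoint": "<graph-url-placeholder>"}}}

if __name__ == "__main__":
    for name, claims in [("jadmin", JADMIN_CLAIMS), ("jreader", JREADER_CLAIMS),
                         ("no groups claim", NO_GROUPS_CLAIMS)]:
        granted = sorted(effective_permissions(claims))
        print("%s: Job/Create=%s Job/Build=%s -> %s" % (
            name, is_permitted(claims, "Job/Create"), is_permitted(claims, "Job/Build"), granted))
```

The third sample is the case behind the "group never auto-populated / cannot log in" reports: a token without a groups claim grants nothing, even though the matrix looks correct in Jenkins.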
Let me know what you think of this blog and whether you were able to configure Jenkins for RBAC with the Azure AD plugin without any issues.
Happy Deployments !!
I keep getting the following error after the config above. Does this work with http or does it have to be https?
java.lang.IllegalStateException: Can't extract id_token
It works on http. At what stage are you getting this error? Are you sure you did the configuration as mentioned in the blog?
I believe I did do the config as per the blog. I get this at the end when I try to login to Jenkins.
Although maybe I have not set something up properly cause in Step 2 where we are meant to type in the Azure Group in never auto populated. Could this indicate something else?
Did you grant appropriate permissions to the service account i.e. to read directory data and in delegated permissions you need to allow sign-in and read profile data. Usually people miss clicking on "Grant Permissions". In addition ensure that you enable groupclaims in the manifest as mentioned in the steps above
Yes.
Manifest has been changed to use ' "groupMembershipClaims": "All", '
and the following permissions have been granted.
- APPLICATION PERMISSIONS
-- Read directory data
- DELEGATED PERMISSIONS
-- Sign in and read user profile
I am facing this issue:
Sorry, but we’re having trouble signing you in.
AADSTS700016: Application with identifier 'abab' was not found in the directory 'xxxx'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.
Can you advice on how to proceed further?
Hi,
My Jenkins is running behind an Apache web server; whenever I try to access https://myjenkins/jenkins/securityRealm/finishLogin
I get a 404 error. Can you help me with this?