Introduce Jenkins doesn’t seem to be necessary for me as this software is one of the usual in the continuous integration domain. When you are an organization with several teams and a shared Jenkins instance, you may need to separate them into dedicated workspaces to avoid configuration or job modifications by other teams.

That’s what Jenkins role based access control is made for, but that’s not really simple to apprehend. Here is a tutorial to show you how to interface Jenkins with an OpenID Identity Provider that will manage users dans roles access.

The need

Let’s assume we are a company with several dev teams using a shared Jenkins instance. This Jenkins is administered by a dedicated team that provides the CI:CD tools for the projects and ops teams.

The projects teams include the devs and integration team that’ll need to create continuous build, integration and deployment jobs for their applications. The projects team have a dedicated space in Jenkins.

The Ops teams are the infrastructure and applications maintainer that can execute deployment jobs, but don’t require to be able to create or modify a deploy job. As they are a shared team, they should have access to all deployment jobs.

Finally, the CICD team that maintains Jenkins will need an Admin access to it.

So, we can imagine the folowwing RBAC matrix :

Team Grants
Jenkins Admins Admin
Project A Read, write, and execute access on Project A folder
Project B Read, write, and execute access on Project A folder
Ops Execution access on deployment jobs

We will see how to setup Jenkins in order to delegate the authentication to an Identity Provider (IDP) and assign roles related to the user.

To facilitate the implementation, Jenkins is organized with folders for each team.

jenkins

We have three main folders in Jenkins. One for the Admins with their maintenance and specific jobs, one for each project team.

jenkins

For each project, we have a “BUILD” folder that contains the application build jobs, and a “DEPLOY” folder that contains the deployment jobs. The Ops team may have access to each deployment job.

jenkins

jenkins

Setup and Identity Provider with Keycloak

Keycloak is a used to create an Identity Provider and enable Single Sign-On features using OpenID or SAML2 protocols. This article won’t explain how Keycloak works because it’s not the purpose and I’m not an expert on this specific subject. I’ll use it to illustrate how the access matrix is designed inside the identity provider.

For the demo requirement, we will create a new Realm in Keycloak that’ll contains our users and roles.

jenkins

jenkins

We add a new Client for Jenkins. In root url, you may paste the Jenkins Web GUI URL.

jenkins

In the “Installation” tab, we put on side the settings in Keycloak OICD JSON format in order to give it to Jenkins later.

Then, we create the roles inside the GarbageCollector realm.

jenkins jenkins

  • jenkins_adm : for Jenkins admins
  • jenkins_access : will grant the “real” right in Jenkins, we’ll see this above
  • jenkins_ops_execute : for the Ops team
  • jenkins_project_a : for Project A team
  • jenkins_project_b : for Project B team

Then, we create the users.

jenkins jenkins

In the role tab, we assign the roles in the following way :

User Role
jenkins_admin jenkins_adm
ops1 jenkins_access, jenkins_ops_execute
projecta jenkins_access, jenkins_project_a
projectb jenkins_access, jenkins_project_b

jenkins

Why role jenkins_access ? Because Jenkins requires an “Overall/Read” role in order to give access to the GUI objects. The “admin” role is allowed to do it by design, but the other roles neer and Overall Read access to see the resources.

Create the RBAC matrix in Jenkins

First, we install some required plugins.

The first one is required to enable the Role Based Access Control matrix. The second one is to enable a simple keycloak connection with Jenkins. If you use another IDP, you may install the OpenId Connect Authentication plugin.

In Manage => Configure Global Security => Authorization, activate “Role-based strategy”, save it.

jenkins

A new item appears in the manage screen : Manage and Assign Roles, open it.

jenkins

Create the matrix

First, we’re going into the Manage Role section to create the access roles. As you can see, the global role “admin” already exists. We won’t use it because we’ll create our own.

Add “jenkins_adm” with “Overall/Administer” role, and “jenkins_access” with “Overall/Read” role.

jenkins

This is for the global access, now let’s create for item roles. If Global Roles grant rights for all the Jenkins instance, the Item Roles are more precise and allow to create a very detail matrix for folders or projects.

When we use folders, it becomes necessary to create a folder access right and a folder content management right to manage the resources inside it. This is required to create the expected access separation between Devs and Ops.

We had an item role to access Project A folder, then an Item Role to read, modify, execute its content, then only a read access for Ops. This means three items :

jenkins

Useful tip, if you click on the Pattern, Jenkins returns the impacted items.

Good to know : You must always give a “Read” access to an object. If not, the item could not be visible to the user. In my screenshots I’ve forgot it, so the group couldn’t see anything !

jenkins

We save and get the following result :

jenkins

Again, the Admin role doesn’t require any specific rights, the Admin grant allows everything.

Assign the matrix

Now, go to the Assign Role screen. First, we assign the global roles “jenkins_adm” and “jenkins_access”.

jenkins

The group name is important and must match the one present in the IDP !

Below, in the Item Roles, we assign the required rights for the “jenkins_ops_execute”, “jenkins_project_a”, “jenkins_project_b” roles.

jenkins

Don’t forget to save ! We have the basics, now we can enable the OpenID authentication with Keycloak.

💡 Please note that if you go back on the Assign screen you may see the items striped. That’s because they don’t exist in Jenkins own database. That’s normal, the IDP will provide them.

Activate the OpenID authentication

Go to Manbage => Global Configuration, then paste in the section “Global Keycloak Settings” the JSON settings we saved earlier. If you lost it, you can find it in Keycloak in Clients => Jenkins => Installation, and selection Keycloak OICD JSON.

jenkins

Now, go back to Manage, then Global Security and activate Keycloak authentication plugin.

jenkins

We’re now redirected to Keycloak in order to authenticate in Jenkins.

jenkins

Tests

I’m connecting with “jenkins_admin” user, the instance Admin : I have the sames rights as the builtin “admin” user.

Yes, my “dark mode” addon is not enabled in private session.

jenkins

I’m connecting with “project_a” user, I see what I need to have.

jenkins jenkins jenkins

Please note that the rights cannot allow me to create or modify objects inside the “PROJECT_A” folder, only inside “BUILD” and “DEPLOY”. Of course, you can adapt what you want, it’s just an example. 😉

Now I’m checking ops1 profile, I can see both projects but I can’t do anything else that using the deploy jobs.

jenkins jenkins jenkins

Conclusion

Voilà ! I hope this article helped you to understand how the RBAC matrix works with Jenkins. Yes, this management can quickly become very heavy and difficult if you goes too far in details, so I would advice to avoid doing too much. You may use the Jenkins Configuration as Code plugin to manage it with YAML files or using the Helm chart if your Jenkins is hosted on Kubernetes.

If you walked around the RBAC screens, you may have seen the “Role macros” and “Node items” parts. As today, I’ve never used these features.