In our company, all Jenkins jobs are only created via the Jenkins DSL. Our Jenkins permissions are controlled via LDAP. For this we use the Jenkins LDAP Plugin (https://wiki.jenkins.io/display/JENKINS/LDAP+Plugin) version 1.20.
Currently individual LDAP users are authorized:
    freeStyleJob ('Jobname') {
        [...]
        authorization {
            permission('hudson.model.Item.Build', 'User1')
            permission('hudson.model.Item.Build', 'User2')
            [...]
        }
        [...]
    }
I would like to use LDAP groups instead of authorizing individual users:
    freeStyleJob ('Jobname') {
        [...]
        authorization {
            permission('hudson.model.Item.Build', 'LDAPROLE_BUILD')
        }
        [...]
    }
How do I have to adjust my DSL files to use LDAP roles instead of single users?
That is exactly the way you have to do it:
    freeStyleJob ('Jobname') {
        [...]
        authorization {
            permission('hudson.model.Item.Build', 'LDAPROLE_BUILD')
        }
        [...]
    }
If you want to give multiple LDAP roles the right to build, you have to do it with an array:
    freeStyleJob ('Jobname') {
        [...]
        authorization {
            permission('hudson.model.Item.Build', ['LDAPROLE_BUILD1', 'LDAPROLE_BUILD2'])
        }
        [...]
    }
It is also useful to give the role that has rights to build the rights to cancel a build as well:
    hudson.model.Item.Cancel
To give an LDAP role only rights to 'read' a job, you can use Read and Workspace:
    hudson.model.Item.Read
    hudson.model.Item.Workspace
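The permissions named in this answer, combined into one per-group grant table, as an added example that is not part of the original question or answer. It uses only the two-argument `permission(permission, name)` call shown above; the group name `LDAPROLE_READ` and the variable `rolePermissions` are assumptions made for illustration.

```groovy
// Added example (Job DSL seed script). One entry per LDAP group, listing
// exactly the item permissions that group should hold on this job.
def rolePermissions = [
    // Group from the question: may see, start and abort builds.
    'LDAPROLE_BUILD': [
        'hudson.model.Item.Read',      // job must be visible to be built
        'hudson.model.Item.Build',
        'hudson.model.Item.Cancel',
    ],
    // Hypothetical read-only group (name is an assumption).
    'LDAPROLE_READ': [
        'hudson.model.Item.Read',
        'hudson.model.Item.Workspace',
    ],
]

freeStyleJob('Jobname') {
    authorization {
        // Emit one permission(permission, name) entry per pair, so the
        // generated job carries nothing beyond what the table lists.
        rolePermissions.each { role, perms ->
            perms.each { perm ->
                permission(perm, role)
            }
        }
    }
}
```

Keeping the grants in one table makes it easy to review in the seed repository which group holds which right on each job.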