Class RoleBasedAuthorizationStrategy
- All Implemented Interfaces:
ExtensionPoint, Describable<AuthorizationStrategy>
- Author:
- Thomas Maurel
-
Nested Class Summary
Modifier and Type, Class, Description
static class - Converter used to persist and retrieve the strategy from disk.
static final class - Descriptor used to bind the strategy to the Web forms.
Nested classes/interfaces inherited from class hudson.security.AuthorizationStrategy
AuthorizationStrategy.Unsecured
Nested classes/interfaces inherited from interface hudson.ExtensionPoint
ExtensionPoint.LegacyInstancesAreScopedToHudson
-
Field Summary
Modifier and Type, Field, Description
static final RoleBasedAuthorizationStrategy.DescriptorImpl DESCRIPTOR
static final String GLOBAL
static final String MACRO_ROLE
static final String MACRO_USER
static final String PERMISSION_TEMPLATES
static final String PROJECT
static final String SLAVE
Fields inherited from class hudson.security.AuthorizationStrategy
LIST, UNSECURED
-
Constructor Summary
Constructor, Description
RoleBasedAuthorizationStrategy() - Create new RoleBasedAuthorizationStrategy.
RoleBasedAuthorizationStrategy(Map<String, RoleMap> grantedRoles) - Creates a new RoleBasedAuthorizationStrategy.
RoleBasedAuthorizationStrategy(Map<String, RoleMap> grantedRoles, Set<PermissionTemplate> permissionTemplates) - Creates a new RoleBasedAuthorizationStrategy.
-
Method Summary
Modifier and Type, Method, Description
void doAddRole(String type, String roleName, String permissionIds, String overwrite, String pattern, String template) - API method to add a role.
void doAddTemplate(String name, String permissionIds, boolean overwrite) - API method to add a permission template.
void doAssignGroupRole(String type, String roleName, String group) - API method to assign a Group to role.
void doAssignRole(String type, String roleName, String sid) - Deprecated.
void doAssignUserRole(String type, String roleName, String user) - API method to assign a User to role.
void doDeleteGroup(String type, String group) - API method to delete a group from all granted roles.
void doDeleteSid(String type, String sid) - API method to delete a SID from all granted roles.
void doDeleteUser(String type, String user) - API method to delete a user from all granted roles.
void doGetAllRoles(String type) - API method to get all roles and the SIDs assigned to the roles for a roletype.
void doGetMatchingAgents(String pattern, int maxAgents) - API method to get a list of agents matching a pattern.
void doGetMatchingJobs(String pattern, int maxJobs) - API method to get a list of items matching a pattern.
void doGetRole(String type, String roleName) - API method to get the granted permissions of a role and the SIDs assigned to it.
void doGetTemplate(String name) - API method to get the granted permissions of a template and if the template is used.
void doRemoveRoles(String type, String roleNames) - API method to remove roles.
void doRemoveTemplates(String names, boolean force) - API method to remove templates.
void doUnassignGroupRole(String type, String roleName, String group) - API method to remove a group from a role.
void doUnassignRole(String type, String roleName, String sid) - API method to remove a SID from a role.
void doUnassignUserRole(String type, String roleName, String user) - API method to remove a user from a role.
getACL(AbstractItem project) - Get the specific ACL for projects.
getGrantedRoles(RoleType type) - Deprecated.
getGrantedRoles(String type) - Deprecated.
getGrantedRolesEntries(String type)
getGroups - Used by the container realm.
getInstance - Retrieves instance of the strategy.
getPermissionTemplate(String templateName)
getPermissionTemplates - Get the permission templates.
getRoleMap(RoleType roleType)
getRootACL - Get the root ACL.
getSidEntries(String type) - Get all the SIDs referenced by specified RoleMap type.
getSIDs - Deprecated.
boolean hasPermissionTemplate(String name)
static void init() - Validate the config after System config was loaded.
static boolean isCreateAllowed - Deprecated. Always available since 1.566
void validateConfig() - Checks if there are ambiguous entries and adds them to the monitor.
Methods inherited from class hudson.security.AuthorizationStrategy
all, getACL, getACL, getACL, getACL
Methods inherited from class hudson.model.AbstractDescribableImpl
getDescriptor
-
Field Details
-
GLOBAL
- See Also:
-
PROJECT
- See Also:
-
SLAVE
- See Also:
-
PERMISSION_TEMPLATES
- See Also:
-
MACRO_ROLE
- See Also:
-
MACRO_USER
- See Also:
-
DESCRIPTOR
-
-
Constructor Details
-
RoleBasedAuthorizationStrategy
public RoleBasedAuthorizationStrategy()
Create new RoleBasedAuthorizationStrategy.
-
RoleBasedAuthorizationStrategy
Creates a new RoleBasedAuthorizationStrategy.
- Parameters:
grantedRoles - the roles in the strategy
-
RoleBasedAuthorizationStrategy
public RoleBasedAuthorizationStrategy(Map<String, RoleMap> grantedRoles, @CheckForNull Set<PermissionTemplate> permissionTemplates)
Creates a new RoleBasedAuthorizationStrategy.
- Parameters:
grantedRoles - the roles in the strategy
permissionTemplates - the permission templates in the strategy
-
-
Method Details
-
getRootACL
Get the root ACL.
- Specified by:
getRootACL in class AuthorizationStrategy
- Returns:
- The global ACL
-
getRoleMap
@NonNull @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public RoleMap getRoleMap(RoleType roleType)
- Parameters:
roleType - the type of the role
- Returns:
- the RoleMap corresponding to the roleType
- Throws:
IllegalArgumentException - for an invalid roleType
-
getACL
Get the specific ACL for projects.
- Overrides:
getACL in class AuthorizationStrategy
- Parameters:
project - The access-controlled project
- Returns:
- The project specific ACL
-
getACL
- Overrides:
getACL in class AuthorizationStrategy
-
getACL
- Overrides:
getACL in class AuthorizationStrategy
-
getACL
- Overrides:
getACL in class AuthorizationStrategy
-
getGroups
Used by the container realm.
- Specified by:
getGroups in class AuthorizationStrategy
- Returns:
- All the sids referenced by the strategy
-
getGrantedRoles
Deprecated.
Get the roles from the global RoleMap.
The returned sorted map is unmodifiable.
-
getGrantedRoles
Deprecated.
- Parameters:
type - the type of the role
- Returns:
- roles mapped to the set of user sids assigned to that role
- Since:
- 2.12
-
getPermissionTemplates
Get the permission templates.
- Returns:
- set of permission templates.
-
getPermissionTemplate
-
hasPermissionTemplate
-
getGrantedRolesEntries
- Parameters:
type - the type of the role
- Returns:
- roles mapped to the set of user sids assigned to that role
-
getGrantedRolesEntries
- Parameters:
type - the type of the role
- Returns:
- roles mapped to the set of user sids assigned to that role
-
getSidEntries
Get all the SIDs referenced by specified RoleMap type.
-
getSIDs
Deprecated.
Get all the SIDs referenced by specified RoleMap type.
-
doAddTemplate
@POST @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public void doAddTemplate(@QueryParameter(required=true) String name, @QueryParameter(required=true) String permissionIds, @QueryParameter(required=false) boolean overwrite) throws IOException
API method to add a permission template. An existing template with the same name will only be replaced when overwrite is set. Otherwise, the request will fail with status 400.
- Parameters:
name - The template name
permissionIds - Comma separated list of permission IDs
overwrite - If an existing template should be overwritten
- Throws:
IOException
-
doRemoveTemplates
@POST @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public void doRemoveTemplates(@QueryParameter(required=true) String names, @QueryParameter(required=false) boolean force) throws IOException
API method to remove templates.
Example:
curl -X POST localhost:8080/role-strategy/strategy/removeTemplates --data "names=developer,qualits"
- Parameters:
names - comma separated list of templates to remove
force - If templates that are in use should be removed
- Throws:
IOException - in case saving changes fails
-
doAddRole
@Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public void doAddRole(@QueryParameter(required=true) String type, @QueryParameter(required=true) String roleName, @QueryParameter(required=true) String permissionIds, @QueryParameter(required=true) String overwrite, @QueryParameter(required=false) String pattern, @QueryParameter(required=false) String template) throws IOException
API method to add a role.
Unknown and dangerous permissions are ignored. When specifying a template for an item role, the given permissions are ignored. The named template must exist, otherwise the request fails with status 400. The template is ignored when adding global or agent roles.
Example:
curl -X POST localhost:8080/role-strategy/strategy/addRole --data "type=globalRoles&roleName=ADM&permissionIds=hudson.model.Item.Discover,hudson.model.Item.ExtendedRead&overwrite=true"
- Parameters:
type - (globalRoles, projectRoles, slaveRoles)
roleName - Name of role
permissionIds - Comma separated list of IDs for given roleName
overwrite - Overwrite existing role
pattern - Role pattern
template - Name of template
- Throws:
IOException - In case saving changes fails
- Since:
- 2.5.0
-
doRemoveRoles
@Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public void doRemoveRoles(@QueryParameter(required=true) String type, @QueryParameter(required=true) String roleNames) throws IOException
API method to remove roles.
Example:
curl -X POST localhost:8080/role-strategy/strategy/removeRoles --data "type=globalRoles&roleNames=ADM,DEV"
- Parameters:
type - (globalRoles, projectRoles, slaveRoles)
roleNames - comma separated list of roles to remove from type
- Throws:
IOException - in case saving changes fails
- Since:
- 2.5.0
-
doAssignRole
@Deprecated @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public void doAssignRole(@QueryParameter(required=true) String type, @QueryParameter(required=true) String roleName, @QueryParameter(required=true) String sid) throws IOException
Deprecated. Use doAssignUserRole(java.lang.String, java.lang.String, java.lang.String) or doAssignGroupRole(java.lang.String, java.lang.String, java.lang.String) to create unambiguous entries
API method to assign a SID of type EITHER to role. This method should no longer be used.
Example:
curl -X POST localhost:8080/role-strategy/strategy/assignRole --data "type=globalRoles&roleName=ADM&sid=username"
- Parameters:
type - (globalRoles, projectRoles, slaveRoles)
roleName - name of role (single, no list)
sid - user ID (single, no list)
- Throws:
IOException - in case saving changes fails
- Since:
- 2.5.0
-
doAssignUserRole
@Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public void doAssignUserRole(@QueryParameter(required=true) String type, @QueryParameter(required=true) String roleName, @QueryParameter(required=true) String user) throws IOException
API method to assign a User to role.
Example:
curl -X POST localhost:8080/role-strategy/strategy/assignUserRole --data "type=globalRoles&roleName=ADM&user=username"
- Parameters:
type - (globalRoles, projectRoles, slaveRoles)
roleName - name of role (single, no list)
user - user ID (single, no list)
- Throws:
IOException - in case saving changes fails
- Since:
- TODO
-
doAssignGroupRole
@Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public void doAssignGroupRole(@QueryParameter(required=true) String type, @QueryParameter(required=true) String roleName, @QueryParameter(required=true) String group) throws IOException
API method to assign a Group to role.
Example:
curl -X POST localhost:8080/role-strategy/strategy/assignGroupRole --data "type=globalRoles&roleName=ADM&group=groupname"
- Parameters:
type - (globalRoles, projectRoles, slaveRoles)
roleName - name of role (single, no list)
group - group ID (single, no list)
- Throws:
IOException - in case saving changes fails
- Since:
- TODO
-
doDeleteSid
@Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public void doDeleteSid(@QueryParameter(required=true) String type, @QueryParameter(required=true) String sid) throws IOException
API method to delete a SID from all granted roles. Only SIDs of type EITHER with the given name will be deleted.
Example:
curl -X POST localhost:8080/role-strategy/strategy/deleteSid --data "type=globalRoles&sid=username"
- Parameters:
type - (globalRoles, projectRoles, slaveRoles)
sid - user/group ID to remove
- Throws:
IOException - in case saving changes fails
- Since:
- 2.4.1
-
doDeleteUser
@Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public void doDeleteUser(@QueryParameter(required=true) String type, @QueryParameter(required=true) String user) throws IOException
API method to delete a user from all granted roles.
Example:
curl -X POST localhost:8080/role-strategy/strategy/deleteUser --data "type=globalRoles&user=username"
- Parameters:
type - (globalRoles, projectRoles, slaveRoles)
user - user ID to remove
- Throws:
IOException - in case saving changes fails
- Since:
- 2.4.1
-
doDeleteGroup
@Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public void doDeleteGroup(@QueryParameter(required=true) String type, @QueryParameter(required=true) String group) throws IOException
API method to delete a group from all granted roles.
Example:
curl -X POST localhost:8080/role-strategy/strategy/deleteGroup --data "type=globalRoles&group=groupname"
- Parameters:
type - (globalRoles, projectRoles, slaveRoles)
group - group ID to remove
- Throws:
IOException - in case saving changes fails
- Since:
- 2.4.1
-
doUnassignRole
@Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public void doUnassignRole(@QueryParameter(required=true) String type, @QueryParameter(required=true) String roleName, @QueryParameter(required=true) String sid) throws IOException
API method to remove a SID from a role. Only entries of type EITHER will be removed. Use doUnassignUserRole(String, String, String) or doUnassignGroupRole(String, String, String) to unassign a User or a Group.
Example:
curl -X POST localhost:8080/role-strategy/strategy/unassignRole --data "type=globalRoles&roleName=AMD&sid=username"
- Parameters:
type - (globalRoles, projectRoles, slaveRoles)
roleName - unassign role with sid
sid - user ID to remove
- Throws:
IOException - in case saving changes fails
- Since:
- 2.6.0
-
doUnassignUserRole
@Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public void doUnassignUserRole(@QueryParameter(required=true) String type, @QueryParameter(required=true) String roleName, @QueryParameter(required=true) String user) throws IOException
API method to remove a user from a role.
Example:
curl -X POST localhost:8080/role-strategy/strategy/unassignUserRole --data "type=globalRoles&roleName=AMD&user=username"
- Parameters:
type - (globalRoles, projectRoles, slaveRoles)
roleName - unassign role with sid
user - user ID to remove
- Throws:
IOException - in case saving changes fails
- Since:
- TODO
-
doUnassignGroupRole
@Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public void doUnassignGroupRole(@QueryParameter(required=true) String type, @QueryParameter(required=true) String roleName, @QueryParameter(required=true) String group) throws IOException
API method to remove a group from a role.
Example:
curl -X POST localhost:8080/role-strategy/strategy/unassignGroupRole --data "type=globalRoles&roleName=AMD&group=groupname"
- Parameters:
type - (globalRoles, projectRoles, slaveRoles)
roleName - unassign role with sid
group - group ID to remove
- Throws:
IOException - in case saving changes fails
- Since:
- TODO
-
doGetTemplate
@GET @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public void doGetTemplate(@QueryParameter(required=true) String name) throws IOException
API method to get the granted permissions of a template and if the template is used.
Example:
curl -XGET 'http://localhost:8080/jenkins/role-strategy/strategy/getTemplate?name=developer'
Returns JSON with the granted permissions and whether the template is used.
Example:
{
  "permissionIds": {
    "hudson.model.Item.Read": true,
    "hudson.model.Item.Build": true,
    "hudson.model.Item.Cancel": true
  },
  "isUsed": true
}
- Throws:
IOException
-
doGetRole
@GET @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public void doGetRole(@QueryParameter(required=true) String type, @QueryParameter(required=true) String roleName) throws IOException
API method to get the granted permissions of a role and the SIDs assigned to it.
Example:
curl -XGET 'http://localhost:8080/jenkins/role-strategy/strategy/getRole?type=projectRoles&roleName=admin'
Returns JSON with granted permissions and assigned SIDs.
Example:
{
  "permissionIds": {
    "hudson.model.Item.Read": true,
    "hudson.model.Item.Build": true,
    "hudson.model.Item.Cancel": true
  },
  "sids": [{"type":"USER","sid":"user1"}, {"type":"USER","sid":"user2"}],
  "pattern": ".*",
  "template": "developers"
}
- Parameters:
type - (globalRoles, projectRoles, slaveRoles)
roleName - name of role (single, no list)
- Throws:
IOException - In case write response failed
- Since:
- 2.8.3
-
doGetAllRoles
@GET @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public void doGetAllRoles(@QueryParameter(fixEmpty=true) String type) throws IOException
API method to get all roles and the SIDs assigned to the roles for a roletype.
Example:
curl -X GET 'localhost:8080/role-strategy/strategy/getAllRoles?type=projectRoles'
Returns JSON with roles and SIDs.
Example:
{
  "role1": [{"type":"USER","sid":"user1"}, {"type":"USER","sid":"user2"}],
  "role2": [{"type":"GROUP","sid":"group1"}, {"type":"USER","sid":"user2"}]
}
- Parameters:
type - (globalRoles by default, projectRoles, slaveRoles)
- Throws:
IOException
- Since:
- 2.6.0
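The deprecated assignRole call creates entries of type EITHER, and validateConfig reports such ambiguous entries. The following added example (not part of the plugin or its documentation) audits a getAllRoles response for them and builds the assignUserRole/assignGroupRole and unassignRole form bodies that would replace each one. The sample response is constructed, the sets known_users and known_groups are hypothetical inputs from your identity source, and the literal "EITHER" as a JSON type value is an assumption, since the page names that type only in prose.

```python
import json
from urllib.parse import urlencode

# Constructed sample of a getAllRoles response (shape follows the page's
# example). "EITHER" as a JSON type value is an assumption.
SAMPLE_GLOBAL_ROLES = json.loads("""
{
  "ADM": [{"type": "USER", "sid": "alice"}, {"type": "EITHER", "sid": "bob"}],
  "DEV": [{"type": "EITHER", "sid": "dev-team"}, {"type": "GROUP", "sid": "qa"},
          {"type": "EITHER", "sid": "ghost"}]
}
""")

BASE = "/role-strategy/strategy"


def find_ambiguous(roles):
    """Return sorted (roleName, sid) pairs whose entry type is EITHER."""
    return sorted(
        (role, entry["sid"])
        for role, entries in roles.items()
        for entry in entries
        if entry.get("type") == "EITHER"
    )


def plan_migration(role_type, roles, known_users, known_groups):
    """Plan POST requests that replace EITHER entries with typed ones.

    The typed assignment is planned before the unassignRole call so the
    principal never loses the role in between. A SID that is unknown, or
    that exists as both a user and a group, is returned for manual review.
    """
    requests, unresolved = [], []
    for role, sid in find_ambiguous(roles):
        is_user, is_group = sid in known_users, sid in known_groups
        if is_user == is_group:  # neither, or both: do not guess
            unresolved.append((role, sid))
            continue
        endpoint, key = (("assignUserRole", "user") if is_user
                         else ("assignGroupRole", "group"))
        common = {"type": role_type, "roleName": role}
        requests.append((f"{BASE}/{endpoint}", urlencode({**common, key: sid})))
        # unassignRole only removes entries of type EITHER (see doUnassignRole).
        requests.append((f"{BASE}/unassignRole", urlencode({**common, "sid": sid})))
    return requests, unresolved


if __name__ == "__main__":
    reqs, todo = plan_migration("globalRoles", SAMPLE_GLOBAL_ROLES,
                                {"alice", "bob"}, {"dev-team", "qa"})
    for path, body in reqs:
        print("POST", path, body)
    print("needs manual review:", todo)
```

The script only prints the planned requests; it sends nothing.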
-
doGetMatchingJobs
@GET @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public void doGetMatchingJobs(@QueryParameter(required=true) String pattern, @QueryParameter int maxJobs) throws IOException
API method to get a list of items matching a pattern.
Example:
curl -X GET 'localhost:8080/role-strategy/strategy/getMatchingJobs?pattern=^staging.*'
- Parameters:
pattern - Pattern to match against
maxJobs - Maximum matching items to search for
- Throws:
IOException - when unable to write response
-
doGetMatchingAgents
@GET @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public void doGetMatchingAgents(@QueryParameter(required=true) String pattern, @QueryParameter int maxAgents) throws IOException
API method to get a list of agents matching a pattern.
Example:
curl -X GET 'localhost:8080/role-strategy/strategy/getMatchingAgents?pattern=^linux.*'
- Parameters:
pattern - Pattern to match against
maxAgents - Maximum matching agents to search for
- Throws:
IOException - when unable to write response
-
validateConfig
@Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public void validateConfig()
Checks if there are ambiguous entries and adds them to the monitor.
-
init
Validate the config after System config was loaded.
-
getInstance
Retrieves instance of the strategy.
- Returns:
- Strategy instance or null if it is disabled.
-
isCreateAllowed
Deprecated.
Always available since 1.566
Control job create using RoleBasedProjectNamingStrategy.
- Since:
- 2.2.0
-