Class RoleBasedAuthorizationStrategy
- java.lang.Object
-
- hudson.model.AbstractDescribableImpl<AuthorizationStrategy>
-
- hudson.security.AuthorizationStrategy
-
- com.michelin.cio.hudson.plugins.rolestrategy.RoleBasedAuthorizationStrategy
-
- All Implemented Interfaces:
ExtensionPoint, Describable<AuthorizationStrategy>
public class RoleBasedAuthorizationStrategy extends AuthorizationStrategy
Role-based authorization strategy.
- Author:
- Thomas Maurel
-
-
Nested Class Summary
Nested Classes (modifier and type, class, description)
static class RoleBasedAuthorizationStrategy.ConverterImpl
Converter used to persist and retrieve the strategy from disk.
static class RoleBasedAuthorizationStrategy.DescriptorImpl
Descriptor used to bind the strategy to the Web forms.
-
Nested classes/interfaces inherited from class hudson.security.AuthorizationStrategy
AuthorizationStrategy.Unsecured
-
Nested classes/interfaces inherited from interface hudson.ExtensionPoint
ExtensionPoint.LegacyInstancesAreScopedToHudson
-
-
Field Summary
Fields (modifier and type, field, description)
static RoleBasedAuthorizationStrategy.DescriptorImpl DESCRIPTOR
static String GLOBAL
static String MACRO_ROLE
static String MACRO_USER
static String PERMISSION_TEMPLATES
static String PROJECT
static String SLAVE
-
Fields inherited from class hudson.security.AuthorizationStrategy
LIST, UNSECURED
-
-
Constructor Summary
Constructors (constructor, description)
RoleBasedAuthorizationStrategy()
Create new RoleBasedAuthorizationStrategy.
RoleBasedAuthorizationStrategy(Map<String,RoleMap> grantedRoles)
Creates a new RoleBasedAuthorizationStrategy.
RoleBasedAuthorizationStrategy(Map<String,RoleMap> grantedRoles, Set<PermissionTemplate> permissionTemplates)
Creates a new RoleBasedAuthorizationStrategy.
-
Method Summary
Methods (modifier and type, method, description)
void doAddRole(String type, String roleName, String permissionIds, String overwrite, String pattern, String template)
API method to add a role.
void doAddTemplate(String name, String permissionIds, boolean overwrite)
API method to add a permission template.
void doAssignGroupRole(String type, String roleName, String group)
API method to assign a Group to role.
void doAssignRole(String type, String roleName, String sid)
Deprecated. Use doAssignUserRole(java.lang.String, java.lang.String, java.lang.String) or doAssignGroupRole(java.lang.String, java.lang.String, java.lang.String) to create unambiguous entries
void doAssignUserRole(String type, String roleName, String user)
API method to assign a User to role.
void doDeleteGroup(String type, String group)
API method to delete a group from all granted roles.
void doDeleteSid(String type, String sid)
API method to delete a SID from all granted roles.
void doDeleteUser(String type, String user)
API method to delete a user from all granted roles.
void doGetAllRoles(String type)
API method to get all roles and the SIDs assigned to the roles for a roletype.
void doGetMatchingAgents(String pattern, int maxAgents)
API method to get a list of agents matching a pattern.
void doGetMatchingJobs(String pattern, int maxJobs)
API method to get a list of items matching a pattern.
void doGetRole(String type, String roleName)
API method to get the granted permissions of a role and the SIDs assigned to it.
void doGetTemplate(String name)
API method to get the granted permissions of a template and if the template is used.
void doRemoveRoles(String type, String roleNames)
API method to remove roles.
void doRemoveTemplates(String names, boolean force)
API method to remove templates.
void doUnassignGroupRole(String type, String roleName, String group)
API method to remove a group from a role.
void doUnassignRole(String type, String roleName, String sid)
API method to remove a SID from a role.
void doUnassignUserRole(String type, String roleName, String user)
API method to remove a user from a role.
ACL getACL(AbstractItem project)
ACL getACL(Computer computer)
ACL getACL(Job<?,?> project)
Get the specific ACL for projects.
ACL getACL(Node node)
SortedMap<Role,Set<String>> getGrantedRoles(RoleType type)
Deprecated.
SortedMap<Role,Set<String>> getGrantedRoles(String type)
Deprecated.
SortedMap<Role,Set<PermissionEntry>> getGrantedRolesEntries(RoleType type)
SortedMap<Role,Set<PermissionEntry>> getGrantedRolesEntries(String type)
Collection<String> getGroups()
Used by the container realm.
static RoleBasedAuthorizationStrategy getInstance()
Retrieves instance of the strategy.
PermissionTemplate getPermissionTemplate(String templateName)
Set<PermissionTemplate> getPermissionTemplates()
Get the permission templates.
RoleMap getRoleMap(RoleType roleType)
SidACL getRootACL()
Get the root ACL.
Set<PermissionEntry> getSidEntries(String type)
Get all the SIDs referenced by specified RoleMap type.
Set<String> getSIDs(String type)
Deprecated.
boolean hasPermissionTemplate(String name)
static void init()
Validate the config after System config was loaded.
static boolean isCreateAllowed()
Deprecated. Always available since 1.566
void validateConfig()
Checks if there are ambiguous entries and adds them to the monitor.
-
Methods inherited from class hudson.security.AuthorizationStrategy
all, getACL, getACL, getACL, getACL
-
Methods inherited from class hudson.model.AbstractDescribableImpl
getDescriptor
-
-
-
-
Field Detail
-
GLOBAL
public static final String GLOBAL
- See Also:
- Constant Field Values
-
PROJECT
public static final String PROJECT
- See Also:
- Constant Field Values
-
SLAVE
public static final String SLAVE
- See Also:
- Constant Field Values
-
PERMISSION_TEMPLATES
public static final String PERMISSION_TEMPLATES
- See Also:
- Constant Field Values
-
MACRO_ROLE
public static final String MACRO_ROLE
- See Also:
- Constant Field Values
-
MACRO_USER
public static final String MACRO_USER
- See Also:
- Constant Field Values
-
DESCRIPTOR
@Extension public static final RoleBasedAuthorizationStrategy.DescriptorImpl DESCRIPTOR
-
-
Constructor Detail
-
RoleBasedAuthorizationStrategy
public RoleBasedAuthorizationStrategy()
Create new RoleBasedAuthorizationStrategy.
-
RoleBasedAuthorizationStrategy
public RoleBasedAuthorizationStrategy(Map<String,RoleMap> grantedRoles)
Creates a new RoleBasedAuthorizationStrategy.
- Parameters:
grantedRoles - the roles in the strategy
-
RoleBasedAuthorizationStrategy
public RoleBasedAuthorizationStrategy(Map<String,RoleMap> grantedRoles, @CheckForNull Set<PermissionTemplate> permissionTemplates)
Creates a new RoleBasedAuthorizationStrategy.
- Parameters:
grantedRoles - the roles in the strategy
permissionTemplates - the permission templates in the strategy
-
-
Method Detail
-
getRootACL
@NonNull public SidACL getRootACL()
Get the root ACL.
- Specified by:
getRootACL in class AuthorizationStrategy
- Returns:
- The global ACL
-
getRoleMap
@NonNull @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public RoleMap getRoleMap(RoleType roleType)
- Parameters:
roleType - the type of the role
- Returns:
- the RoleMap corresponding to the roleType
- Throws:
IllegalArgumentException - for an invalid roleType
-
getACL
@NonNull public ACL getACL(@NonNull Job<?,?> project)
Get the specific ACL for projects.
- Overrides:
getACL in class AuthorizationStrategy
- Parameters:
project - The access-controlled project
- Returns:
- The project specific ACL
-
getACL
@NonNull public ACL getACL(@NonNull AbstractItem project)
- Overrides:
getACL in class AuthorizationStrategy
-
getACL
@NonNull public ACL getACL(@NonNull Computer computer)
- Overrides:
getACL in class AuthorizationStrategy
-
getACL
@NonNull public ACL getACL(@NonNull Node node)
- Overrides:
getACL in class AuthorizationStrategy
-
getGroups
@NonNull public Collection<String> getGroups()
Used by the container realm.
- Specified by:
getGroups in class AuthorizationStrategy
- Returns:
- All the sids referenced by the strategy
-
getGrantedRoles
@Nullable @Deprecated public SortedMap<Role,Set<String>> getGrantedRoles(String type)
Deprecated.
Get the roles from the global RoleMap. The returned sorted map is unmodifiable.
-
getGrantedRoles
@Deprecated public SortedMap<Role,Set<String>> getGrantedRoles(@NonNull RoleType type)
Deprecated.
- Parameters:
type - the type of the role
- Returns:
- roles mapped to the set of user sids assigned to that role
- Since:
- 2.12
-
getPermissionTemplates
public Set<PermissionTemplate> getPermissionTemplates()
Get the permission templates.
- Returns:
- set of permission templates.
-
getPermissionTemplate
@CheckForNull public PermissionTemplate getPermissionTemplate(String templateName)
-
hasPermissionTemplate
public boolean hasPermissionTemplate(String name)
-
getGrantedRolesEntries
public SortedMap<Role,Set<PermissionEntry>> getGrantedRolesEntries(@NonNull String type)
- Parameters:
type - the type of the role
- Returns:
- roles mapped to the set of user sids assigned to that role
-
getGrantedRolesEntries
public SortedMap<Role,Set<PermissionEntry>> getGrantedRolesEntries(@NonNull RoleType type)
- Parameters:
type - the type of the role
- Returns:
- roles mapped to the set of user sids assigned to that role
-
getSidEntries
public Set<PermissionEntry> getSidEntries(String type)
Get all the SIDs referenced by specified RoleMap type.
-
getSIDs
@Deprecated @CheckForNull public Set<String> getSIDs(String type)
Deprecated.
Get all the SIDs referenced by specified RoleMap type.
-
doAddTemplate
@POST @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public void doAddTemplate(@QueryParameter(required=true) String name, @QueryParameter(required=true) String permissionIds, @QueryParameter(required=false) boolean overwrite) throws IOException
API method to add a permission template. An existing template with the same name will only be replaced when overwrite is set. Otherwise, the request will fail with status 400.
- Parameters:
name - The template name
permissionIds - Comma separated list of permission IDs
overwrite - If an existing template should be overwritten
- Throws:
IOException
-
doRemoveTemplates
@POST @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public void doRemoveTemplates(@QueryParameter(required=true) String names, @QueryParameter(required=false) boolean force) throws IOException
API method to remove templates.
Example:
curl -X POST localhost:8080/role-strategy/strategy/removeTemplates --data "names=developer,qualits"
- Parameters:
names - comma separated list of templates to remove
force - If templates that are in use should be removed
- Throws:
IOException - in case saving changes fails
-
doAddRole
@Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public void doAddRole(@QueryParameter(required=true) String type, @QueryParameter(required=true) String roleName, @QueryParameter(required=true) String permissionIds, @QueryParameter(required=true) String overwrite, @QueryParameter(required=false) String pattern, @QueryParameter(required=false) String template) throws IOException
API method to add a role.
Unknown and dangerous permissions are ignored. When specifying a template for an item role, the given permissions are ignored. The named template must exist, otherwise the request fails with status 400. The template is ignored when adding global or agent roles.
Example:
curl -X POST localhost:8080/role-strategy/strategy/addRole --data "type=globalRoles&roleName=ADM&permissionIds=hudson.model.Item.Discover,hudson.model.Item.ExtendedRead&overwrite=true"
- Parameters:
type - (globalRoles, projectRoles, slaveRoles)
roleName - Name of role
permissionIds - Comma separated list of IDs for given roleName
overwrite - Overwrite existing role
pattern - Role pattern
template - Name of template
- Throws:
IOException - In case saving changes fails
- Since:
- 2.5.0
-
doRemoveRoles
@Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public void doRemoveRoles(@QueryParameter(required=true) String type, @QueryParameter(required=true) String roleNames) throws IOException
API method to remove roles.
Example:
curl -X POST localhost:8080/role-strategy/strategy/removeRoles --data "type=globalRoles&roleNames=ADM,DEV"
- Parameters:
type - (globalRoles, projectRoles, slaveRoles)
roleNames - comma separated list of roles to remove from type
- Throws:
IOException - in case saving changes fails
- Since:
- 2.5.0
-
doAssignRole
@Deprecated @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public void doAssignRole(@QueryParameter(required=true) String type, @QueryParameter(required=true) String roleName, @QueryParameter(required=true) String sid) throws IOException
Deprecated. Use doAssignUserRole(java.lang.String, java.lang.String, java.lang.String) or doAssignGroupRole(java.lang.String, java.lang.String, java.lang.String) to create unambiguous entries
API method to assign a SID of type EITHER to role. This method should no longer be used.
Example:
curl -X POST localhost:8080/role-strategy/strategy/assignRole --data "type=globalRoles&roleName=ADM&sid=username"
- Parameters:
type - (globalRoles, projectRoles, slaveRoles)
roleName - name of role (single, no list)
sid - user ID (single, no list)
- Throws:
IOException - in case saving changes fails
- Since:
- 2.5.0
-
doAssignUserRole
@Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public void doAssignUserRole(@QueryParameter(required=true) String type, @QueryParameter(required=true) String roleName, @QueryParameter(required=true) String user) throws IOException
API method to assign a User to role.
Example:
curl -X POST localhost:8080/role-strategy/strategy/assignUserRole --data "type=globalRoles&roleName=ADM&user=username"
- Parameters:
type - (globalRoles, projectRoles, slaveRoles)
roleName - name of role (single, no list)
user - user ID (single, no list)
- Throws:
IOException - in case saving changes fails
- Since:
- TODO
-
doAssignGroupRole
@Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public void doAssignGroupRole(@QueryParameter(required=true) String type, @QueryParameter(required=true) String roleName, @QueryParameter(required=true) String group) throws IOException
API method to assign a Group to role.
Example:
curl -X POST localhost:8080/role-strategy/strategy/assignGroupRole --data "type=globalRoles&roleName=ADM&group=groupname"
- Parameters:
type - (globalRoles, projectRoles, slaveRoles)
roleName - name of role (single, no list)
group - group ID (single, no list)
- Throws:
IOException - in case saving changes fails
- Since:
- TODO
-
doDeleteSid
@Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public void doDeleteSid(@QueryParameter(required=true) String type, @QueryParameter(required=true) String sid) throws IOException
API method to delete a SID from all granted roles. Only SIDs of type EITHER with the given name will be deleted.
Example:
curl -X POST localhost:8080/role-strategy/strategy/deleteSid --data "type=globalRoles&sid=username"
- Parameters:
type - (globalRoles, projectRoles, slaveRoles)
sid - user/group ID to remove
- Throws:
IOException - in case saving changes fails
- Since:
- 2.4.1
-
doDeleteUser
@Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public void doDeleteUser(@QueryParameter(required=true) String type, @QueryParameter(required=true) String user) throws IOException
API method to delete a user from all granted roles.
Example:
curl -X POST localhost:8080/role-strategy/strategy/deleteUser --data "type=globalRoles&user=username"
- Parameters:
type - (globalRoles, projectRoles, slaveRoles)
user - user ID to remove
- Throws:
IOException - in case saving changes fails
- Since:
- 2.4.1
-
doDeleteGroup
@Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public void doDeleteGroup(@QueryParameter(required=true) String type, @QueryParameter(required=true) String group) throws IOException
API method to delete a group from all granted roles.
Example:
curl -X POST localhost:8080/role-strategy/strategy/deleteGroup --data "type=globalRoles&group=groupname"
- Parameters:
type - (globalRoles, projectRoles, slaveRoles)
group - group ID to remove
- Throws:
IOException - in case saving changes fails
- Since:
- 2.4.1
-
doUnassignRole
@Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public void doUnassignRole(@QueryParameter(required=true) String type, @QueryParameter(required=true) String roleName, @QueryParameter(required=true) String sid) throws IOException
API method to remove a SID from a role. Only entries of type EITHER will be removed. Use doUnassignUserRole(String, String, String) or doUnassignGroupRole(String, String, String) to unassign a User or a Group.
Example:
curl -X POST localhost:8080/role-strategy/strategy/unassignRole --data "type=globalRoles&roleName=AMD&sid=username"
- Parameters:
type - (globalRoles, projectRoles, slaveRoles)
roleName - unassign role with sid
sid - user ID to remove
- Throws:
IOException - in case saving changes fails
- Since:
- 2.6.0
-
doUnassignUserRole
@Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public void doUnassignUserRole(@QueryParameter(required=true) String type, @QueryParameter(required=true) String roleName, @QueryParameter(required=true) String user) throws IOException
API method to remove a user from a role.
Example:
curl -X POST localhost:8080/role-strategy/strategy/unassignUserRole --data "type=globalRoles&roleName=AMD&user=username"
- Parameters:
type - (globalRoles, projectRoles, slaveRoles)
roleName - unassign role with sid
user - user ID to remove
- Throws:
IOException - in case saving changes fails
- Since:
- TODO
-
doUnassignGroupRole
@Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public void doUnassignGroupRole(@QueryParameter(required=true) String type, @QueryParameter(required=true) String roleName, @QueryParameter(required=true) String group) throws IOException
API method to remove a group from a role.
Example:
curl -X POST localhost:8080/role-strategy/strategy/unassignGroupRole --data "type=globalRoles&roleName=AMD&group=groupname"
- Parameters:
type - (globalRoles, projectRoles, slaveRoles)
roleName - unassign role with sid
group - group ID to remove
- Throws:
IOException - in case saving changes fails
- Since:
- TODO
-
doGetTemplate
@GET @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public void doGetTemplate(@QueryParameter(required=true) String name) throws IOException
API method to get the granted permissions of a template and if the template is used.
Example:
curl -XGET 'http://localhost:8080/jenkins/role-strategy/strategy/getTemplate?name=developer'
Returns json with granted permissions and assigned sids.
Example:
{
  "permissionIds": {
    "hudson.model.Item.Read": true,
    "hudson.model.Item.Build": true,
    "hudson.model.Item.Cancel": true
  },
  "isUsed": true
}
- Throws:
IOException
-
doGetRole
@GET @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public void doGetRole(@QueryParameter(required=true) String type, @QueryParameter(required=true) String roleName) throws IOException
API method to get the granted permissions of a role and the SIDs assigned to it.
Example:
curl -XGET 'http://localhost:8080/jenkins/role-strategy/strategy/getRole?type=projectRoles&roleName=admin'
Returns json with granted permissions and assigned sids.
Example:
{
  "permissionIds": {
    "hudson.model.Item.Read": true,
    "hudson.model.Item.Build": true,
    "hudson.model.Item.Cancel": true
  },
  "sids": [{"type":"USER","sid":"user1"}, {"type":"USER","sid":"user2"}],
  "pattern": ".*",
  "template": "developers"
}
- Parameters:
type - (globalRoles, projectRoles, slaveRoles)
roleName - name of role (single, no list)
- Throws:
IOException - In case write response failed
- Since:
- 2.8.3
-
doGetAllRoles
@GET @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public void doGetAllRoles(@QueryParameter(fixEmpty=true) String type) throws IOException
API method to get all roles and the SIDs assigned to the roles for a roletype.
Example:
curl -X GET 'localhost:8080/role-strategy/strategy/getAllRoles?type=projectRoles'
Returns a json with roles and sids
Example:
{
  "role1": [{"type":"USER","sid":"user1"}, {"type":"USER","sid":"user2"}],
  "role2": [{"type":"GROUP","sid":"group1"}, {"type":"USER","sid":"user2"}]
}
- Parameters:
type - (globalRoles by default, projectRoles, slaveRoles)
- Throws:
IOException
- Since:
- 2.6.0
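Added example (not part of the plugin or its documentation): a Python audit of a getAllRoles response that finds the ambiguous EITHER entries created by the deprecated assignRole call and plans the assignUserRole/assignGroupRole and unassignRole requests that replace them. The function names, the sample response and the operator-supplied known_types mapping are hypothetical, and "EITHER" as the serialized type value is an assumption based on the USER/GROUP values shown above.

```python
import json
from urllib.parse import urlencode

BASE = "localhost:8080/role-strategy/strategy"  # host as in the page's curl examples

# Constructed sample of a getAllRoles response; "EITHER" as a serialized
# type value is an assumption based on the USER/GROUP values on this page.
SAMPLE_RESPONSE = """
{
  "admin": [{"type": "USER", "sid": "alice"}, {"type": "EITHER", "sid": "ops"}],
  "reader": [{"type": "GROUP", "sid": "staff"}, {"type": "EITHER", "sid": "bob"},
             {"type": "EITHER", "sid": "ghost"}]
}
"""

def find_ambiguous(response_text):
    """Return sorted (role, sid) pairs whose entry type is EITHER."""
    roles = json.loads(response_text)
    return sorted((role, e["sid"]) for role, entries in roles.items()
                  for e in entries if e.get("type") == "EITHER")

def plan_migration(response_text, role_type, known_types):
    """Build the POST calls that replace each EITHER entry with a typed one.

    known_types maps sid -> "USER" or "GROUP" and is supplied by the operator
    (for example from the security realm); sids missing from it are returned
    as unresolved and left untouched rather than guessed.
    """
    calls, unresolved = [], []
    for role, sid in find_ambiguous(response_text):
        kind = known_types.get(sid)
        if kind not in ("USER", "GROUP"):
            unresolved.append((role, sid))
            continue
        endpoint, key = (("assignUserRole", "user") if kind == "USER"
                         else ("assignGroupRole", "group"))
        common = {"type": role_type, "roleName": role}
        # Add the typed entry first so access is never lost mid-migration,
        # then drop the EITHER entry (unassignRole only removes EITHER entries).
        calls.append((endpoint, urlencode({**common, key: sid})))
        calls.append(("unassignRole", urlencode({**common, "sid": sid})))
    return calls, unresolved

def as_curl(calls):
    """Render planned calls in the same form as the page's curl examples."""
    return [f'curl -X POST {BASE}/{ep} --data "{data}"' for ep, data in calls]

if __name__ == "__main__":
    calls, unresolved = plan_migration(
        SAMPLE_RESPONSE, "globalRoles", {"ops": "GROUP", "bob": "USER"})
    print("\n".join(as_curl(calls)))
    for role, sid in unresolved:
        print(f"# unresolved: sid {sid!r} in role {role!r} needs manual review")
```

Entries left unresolved keep their EITHER type, so they continue to match both a user and a group of that name until someone decides which one was meant.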
-
doGetMatchingJobs
@GET @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public void doGetMatchingJobs(@QueryParameter(required=true) String pattern, @QueryParameter int maxJobs) throws IOException
API method to get a list of items matching a pattern.
Example:
curl -X GET 'localhost:8080/role-strategy/strategy/getMatchingJobs?pattern=^staging.*'
- Parameters:
pattern - Pattern to match against
maxJobs - Maximum matching items to search for
- Throws:
IOException
- when unable to write response
-
doGetMatchingAgents
@GET @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public void doGetMatchingAgents(@QueryParameter(required=true) String pattern, @QueryParameter int maxAgents) throws IOException
API method to get a list of agents matching a pattern.
Example:
curl -X GET 'localhost:8080/role-strategy/strategy/getMatchingAgents?pattern=^linux.*'
- Parameters:
pattern - Pattern to match against
maxAgents - Maximum matching agents to search for
- Throws:
IOException
- when unable to write response
-
validateConfig
@Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public void validateConfig()
Checks if there are ambiguous entries and adds them to the monitor.
-
init
@Initializer(after=SYSTEM_CONFIG_LOADED) public static void init()
Validate the config after System config was loaded.
-
getInstance
@CheckForNull public static RoleBasedAuthorizationStrategy getInstance()
Retrieves instance of the strategy.
- Returns:
- Strategy instance or null if it is disabled.
-
isCreateAllowed
@Deprecated public static boolean isCreateAllowed()
Deprecated. Always available since 1.566
Control job create using RoleBasedProjectNamingStrategy.
- Since:
- 2.2.0
-
-