@adamjkeller
Created April 12, 2017 21:29
import jenkins.model.*
import hudson.security.*
import hudson.scm.*
import com.cloudbees.plugins.credentials.*
import hudson.plugins.active_directory.*
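/**
 * Configures Jenkins security from a static group -> permission table:
 * an Active Directory security realm (who can log in) and a
 * ProjectMatrixAuthorizationStrategy (what each group may do).
 *
 * Usage: build with the AD connection settings, call prepare() to construct the
 * realm and strategy in memory, then apply() to install them on the running
 * instance and persist the configuration.
 *
 * bind_password is the AD lookup account's secret. The caller of this class
 * renders it into the script from a templating engine, so the rendered script
 * file holds the secret in clear text; keep that file readable only by the
 * Jenkins process owner.
 */
class JenkinsAuth {
    /** The running Jenkins instance that receives the realm and strategy. */
    def instance = Jenkins.getInstance()
    /** Built by prepare() (setRealm()/setAuth()); null until then. */
    def sec_realm, auth, ad_realm
    /**
     * AD connection settings filled by the constructor. user, email and
     * password are never read here; they are kept so existing callers that
     * assign them keep working.
     */
    def user, email, password, domain, site, bind_name, bind_password, ad_server

    /**
     * @param domain        AD domain name
     * @param site          AD site name
     * @param bind_name     distinguished name of the account used for lookups
     * @param bind_password password of that account
     * @param ad_server     domain controller to query
     */
    JenkinsAuth(domain, site, bind_name, bind_password, ad_server) {
        this.domain = domain
        this.site = site
        this.bind_name = bind_name
        this.bind_password = bind_password
        this.ad_server = ad_server
    }

    /**
     * Permission constants keyed by section and short name, mirroring the
     * matrix-auth UI. user_map refers to permissions by these keys.
     *
     * OVERALL/RUNSCRIPTS (Jenkins.RUN_SCRIPTS) allows running arbitrary Groovy
     * on the controller, so any group holding it is administrator-equivalent in
     * practice; grant it as deliberately as ADMINISTER.
     */
    def auth_options = [
        'OVERALL': [
            'ADMINISTER': Jenkins.ADMINISTER,
            'CONFIGUREUPDATECENTER': PluginManager.CONFIGURE_UPDATECENTER,
            'READ': Jenkins.READ,
            'RUNSCRIPTS': Jenkins.RUN_SCRIPTS,
            'UPLOADPLUGINS': PluginManager.UPLOAD_PLUGINS
        ],
        'CREDENTIALS': [
            'CREATE': CredentialsProvider.CREATE,
            'DELETE': CredentialsProvider.DELETE,
            'MANAGEDOMAINS': CredentialsProvider.MANAGE_DOMAINS,
            'UPDATE': CredentialsProvider.UPDATE,
            'VIEW': CredentialsProvider.VIEW
        ],
        'SLAVE': [
            'BUILD': Jenkins.MasterComputer.BUILD,
            'CONFIGURE': Jenkins.MasterComputer.CONFIGURE,
            'CONNECT': Jenkins.MasterComputer.CONNECT,
            'CREATE': Jenkins.MasterComputer.CREATE,
            'DELETE': Jenkins.MasterComputer.DELETE,
            'DISCONNECT': Jenkins.MasterComputer.DISCONNECT
        ],
        'JOB': [
            'CREATE': Item.CREATE,
            'DELETE': Item.DELETE,
            'CONFIGURE': Item.CONFIGURE,
            'READ': Item.READ,
            'DISCOVER': Item.DISCOVER,
            'BUILD': Item.BUILD,
            'WORKSPACE': Item.WORKSPACE,
            'CANCEL': Item.CANCEL
        ],
        'RUN': [
            'DELETE': Run.DELETE,
            'UPDATE': Run.UPDATE
        ],
        'VIEW': [
            'CREATE': View.CREATE,
            'DELETE': View.DELETE,
            'CONFIGURE': View.CONFIGURE,
            'READ': View.READ
        ],
        'SCM': [
            'TAG': SCM.TAG
        ]
    ]

    /**
     * Group (AD group name, or the built-in "authenticated" group) ->
     * section -> list of permission short names, as a list of single-entry
     * maps. Every name must exist in auth_options; addUsers() rejects unknown
     * ones instead of granting a null permission.
     *
     * Note that CTS, DevAustin, Developers, TulaCo and jenkinsdisplay receive
     * RUNSCRIPTS, which is administrator-equivalent (see auth_options).
     */
    def user_map = [
        ["CTS": ["OVERALL": ["READ", "RUNSCRIPTS"],
                 "SLAVE": ["DELETE", "DISCONNECT"],
                 "VIEW": ["READ"],
                 "SCM": ["TAG"]]
        ],
        ["DevAustin": ["OVERALL": ["READ", "RUNSCRIPTS"],
                       "SLAVE": ["CONNECT", "DELETE", "DISCONNECT"],
                       "VIEW": ["READ"],
                       "SCM": ["TAG"]]
        ],
        ["Developers": ["OVERALL": ["READ", "RUNSCRIPTS"],
                        "SLAVE": ["CONNECT", "DELETE", "DISCONNECT"],
                        "VIEW": ["READ"],
                        "SCM": ["TAG"]]
        ],
        ["JenkinsAdmin": ["OVERALL": ["ADMINISTER", "CONFIGUREUPDATECENTER", "READ", "RUNSCRIPTS", "UPLOADPLUGINS"],
                          "SLAVE": ["CONFIGURE", "CONNECT", "CREATE", "DELETE", "DISCONNECT"],
                          "JOB": ["BUILD", "CANCEL", "CONFIGURE", "CREATE", "DELETE", "DISCOVER", "READ", "WORKSPACE"],
                          "RUN": ["DELETE", "UPDATE"],
                          "VIEW": ["CONFIGURE", "CREATE", "DELETE", "READ"],
                          "SCM": ["TAG"]]
        ],
        ["JenkinsCron": ["OVERALL": ["READ"],
                         "SLAVE": ["CONNECT"],
                         "JOB": ["BUILD", "CANCEL", "CONFIGURE", "CREATE", "DELETE", "DISCOVER", "READ", "WORKSPACE"],
                         "RUN": ["DELETE", "UPDATE"]]
        ],
        ["SysAdmin": ["OVERALL": ["ADMINISTER", "CONFIGUREUPDATECENTER", "READ", "RUNSCRIPTS", "UPLOADPLUGINS"],
                      "SLAVE": ["CONFIGURE", "CONNECT", "CREATE", "DELETE", "DISCONNECT"],
                      "JOB": ["BUILD", "CANCEL", "CONFIGURE", "CREATE", "DELETE", "DISCOVER", "READ", "WORKSPACE"],
                      "RUN": ["DELETE", "UPDATE"],
                      "VIEW": ["CONFIGURE", "CREATE", "DELETE", "READ"],
                      "SCM": ["TAG"]]
        ],
        ["TulaCo": ["OVERALL": ["READ", "RUNSCRIPTS"],
                    "VIEW": ["READ"],
                    "SCM": ["TAG"]]
        ],
        ["authenticated": ["OVERALL": ["READ"],
                           "JOB": ["DISCOVER", "READ"],
                           "VIEW": ["READ"]]
        ],
        ["jenkinsdisplay": ["OVERALL": ["ADMINISTER", "READ", "RUNSCRIPTS"],
                            "SLAVE": ["CONFIGURE", "CONNECT", "CREATE", "DELETE", "DISCONNECT"],
                            "JOB": ["BUILD", "DISCOVER", "READ"],
                            "RUN": ["UPDATE"]]
        ],
        ["QA_Eng": ["OVERALL": ["READ"]]
        ]
    ]

    /**
     * Builds the security realms. The AD realm is the one that gets installed;
     * the private realm (self sign-up disabled via the false argument) is kept
     * only because earlier callers may read sec_realm.
     */
    def setRealm() {
        sec_realm = new HudsonPrivateSecurityRealm(false)
        ad_realm = new ActiveDirectorySecurityRealm(domain, site, bind_name, bind_password, ad_server, GroupLookupStrategy.AUTO)
    }

    /** Creates an empty project-matrix strategy; addUsers() fills it. */
    def setAuth() {
        auth = new ProjectMatrixAuthorizationStrategy()
    }

    /**
     * Grants every permission listed in user_map to its group.
     *
     * @throws IllegalStateException    if setAuth() has not run yet
     * @throws IllegalArgumentException if a section or permission name in
     *         user_map has no entry in auth_options (the original looked the
     *         name up without checking and would have passed null to auth.add)
     */
    def addUsers() {
        if (auth == null) {
            throw new IllegalStateException("setAuth() must run before addUsers()")
        }
        user_map.each { groupMap ->
            groupMap.each { groupName, accessMap ->
                accessMap.each { segment, names ->
                    names.each { permName ->
                        def permission = auth_options[segment]?.get(permName)
                        if (permission == null) {
                            throw new IllegalArgumentException(
                                "Unknown permission ${segment}/${permName} for group ${groupName}")
                        }
                        auth.add(permission, groupName)
                    }
                }
            }
        }
    }

    /** Builds realm and strategy in memory without touching the instance. */
    def prepare() {
        setRealm()
        setAuth()
        addUsers()
    }

    /**
     * Installs the AD realm. The original set sec_realm first and replaced it
     * with ad_realm on the next line, which left no lasting effect, so only the
     * AD realm is applied here.
     *
     * @throws IllegalStateException if prepare()/setRealm() has not run; a null
     *         realm must never reach setSecurityRealm
     */
    def applyRealm() {
        if (ad_realm == null) {
            throw new IllegalStateException("setRealm() must run before applyRealm()")
        }
        instance.setSecurityRealm(ad_realm)
    }

    /**
     * Installs the authorization strategy and persists the configuration.
     *
     * @throws IllegalStateException if prepare()/setAuth() has not run
     */
    def applyAuth() {
        if (auth == null) {
            throw new IllegalStateException("setAuth() must run before applyAuth()")
        }
        instance.setAuthorizationStrategy(auth)
        instance.save()
    }

    /** Installs realm then strategy; call prepare() first. */
    def apply() {
        applyRealm()
        applyAuth()
    }
}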
// Connection settings are rendered into this script by the configuration
// templating engine (the {{ ... }} placeholders), so the rendered script file
// contains the AD bind password in clear text.
def adDomain = "{{ pillar['jenkins']['ad_domain_name'] }}"
def adSite = "{{ pillar['jenkins']['ad_site'] }}"
def adBindDn = "{{ pillar['jenkins']['ad_bind_dn'] }}"
def adBindPassword = "{{ pillar['keys']['jenkins_ad']['jenkins2'] }}"
def adController = "{{ pillar['jenkins']['ad_domain_controller'] }}"

// Script-binding variable (no def) so other init scripts can still reach it.
setupAuth = new JenkinsAuth(adDomain, adSite, adBindDn, adBindPassword, adController)
setupAuth.prepare()
setupAuth.apply()