How to Inherit permissions of a Job Template in Template instances?

Issue

  • I want that jobs created from a Job template inherit the RBAC groups and role filters assigned to that Template.

Environment

Resolution

In the groovy transformer, you can access the template model (the Job Template) of the template instance (The Job created from the Job Template) via the variable instance.

From that object you can retrieve the property that encapsulates RBAC groups and role filters - that is com.cloudbees.hudson.plugins.modeling.integrations.rbac.ModelProxyGroupContainer. You then need to serialize the groups and role filters inside a nectar.plugins.rbac.groups.JobProxyGroupContainer.

Following is a minimal example:

<?xml version='1.0' encoding='UTF-8'?>
<%
def modelGroups = []
def modelRoleFilters = []
if (instance != null && instance.model != null && instance.model.getProperties() != null) {
    def groupContainers = instance.model.getProperties().get(com.cloudbees.hudson.plugins.modeling.integrations.rbac.ModelProxyGroupContainer.class)
    if(groupContainers != null) {
        modelGroups = groupContainers.groups
        modelRoleFilters = groupContainers.roleFilters
    }
}
%>
<project>
<actions/>
<keepDependencies>false</keepDependencies>
<properties>
    <% if (modelGroups != "") { %>
    <nectar.plugins.rbac.groups.JobProxyGroupContainer>
        <groups>
            <% modelGroups.each { group -> %>
            ${serialize(group)}
            <% } %>
        </groups>
        <roleFilters>
            <% modelRoleFilters.each { roleFilter -> %>
            ${serialize(roleFilter)}
            <% } %>
        </roleFilters>
    </nectar.plugins.rbac.groups.JobProxyGroupContainer>
    <% } %>
</properties>
<scm class="hudson.scm.NullSCM"/>
<canRoam>true</canRoam>
<disabled>false</disabled>
<blockBuildWhenDownstreamBuilding>false</blockBuildWhenDownstreamBuilding>
<blockBuildWhenUpstreamBuilding>false</blockBuildWhenUpstreamBuilding>
<triggers/>
<concurrentBuild>false</concurrentBuild>
<builders/>
<publishers/>
<buildWrappers/>
</project>

Note: Be aware that this considered unsafe and required an administrator to allow several methods in the Manage Jenkins > In-Process Script Approval screen. See Script Security Plugin for more details.

Note: Be aware that any changes to the permissions of your Job Template will not be automatically reflected to the template instances. For that you need to force the re-evaluation of the instance(s) transformer by re-saving the Job Template.

References

Have more questions? Submit a request

0 Comments

Please sign in to leave a comment.