
Segment permissions for jobs by giving them only specific policies #214

Closed
bluesliverx opened this issue Mar 23, 2022 · 0 comments · Fixed by #223

Comments

@bluesliverx
Contributor

What feature do you want to see added?

We run a somewhat large Jenkins cluster with 1k+ jobs configured on it. We currently use token auth, but would like to move to an AppRole instead. Currently we have a single policy in Vault for all of our jobs so that Jenkins just has access to a ton of "stuff", usually where a single job only needs a secret or two and that's it. We want the ability to segment our policies so that jobs have the principle of least privilege.

Something that we've seen in orchestrator type platforms (i.e. salt) is the ability to auth with an approle and then hand only specific policies to minions. This could be implemented in the Vault Jenkins plugin by allowing us to define policies given to jobs with the ability to template the policy given to the job with things like "folder name", "job name" (full name), etc.

An example of a policy list may be:

  • my-policies/policy-common
  • my-policies/policy-{job_folder}
  • my-policies/policy-{job_name}

I know this is possible with Vault since Salt does it already, so it would just be implementing a simple pattern to replicate it in this plugin. Backwards compatibility would be maintained by assigning all policies to tokens generated by the approle when no policies were specified for jobs. Thus they would "inherit" all policies assigned to the approle.

Upstream changes

None
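As an added illustration of the scheme requested above (example code, not the plugin's own implementation nor the fix in #223): the templates use the `{job_folder}` and `{job_name}` variables from the post, rendered from the Jenkins full job name, and the resolved list is what would go into the `policies` field of Vault's `POST /v1/auth/token/create` request made with the AppRole login token. Vault only lets a token mint child tokens carrying a subset of its own policies, so the example checks that subset client-side and falls back to inheriting every AppRole policy when no templates are configured, as the post proposes for backwards compatibility. The helper names, the `root` folder placeholder, the character sanitisation rule and the 10 minute TTL are all constructed for this example.

```python
"""Per-job Vault policy resolution for an AppRole-backed Jenkins plugin.

Added example, not the plugin's code. Template variable names come from the
issue; helper names, the 'root' folder placeholder, the sanitisation rule and
the TTL are assumptions made for this example.
"""
import re
from string import Formatter

# Characters allowed in a rendered policy name; anything else in a job name
# is replaced with '-' so a job name cannot render into an unexpected policy
# name (constructed rule; '/' is kept because the post's names contain it).
_UNSAFE = re.compile(r"[^a-z0-9_./-]")


def job_variables(job_full_name: str) -> dict:
    """Template variables for a job, e.g. 'team-a/backend/build' gives
    job_folder 'team-a/backend' and job_name 'team-a/backend/build'.
    A job outside any folder gets the constructed placeholder 'root'."""
    folder, _, _ = job_full_name.rpartition("/")
    return {"job_folder": folder or "root", "job_name": job_full_name}


def render_policy(template: str, variables: dict) -> str:
    """Render one policy template, lowercasing because Vault stores policy
    names case-insensitively, and rejecting unknown template variables."""
    fields = {f for _, f, _, _ in Formatter().parse(template) if f}
    unknown = fields - variables.keys()
    if unknown:
        raise ValueError(f"unknown template variables: {sorted(unknown)}")
    safe = {k: _UNSAFE.sub("-", v.lower()) for k, v in variables.items()}
    return template.format(**safe)


def resolve_job_policies(templates, job_full_name, approle_policies, strict=True):
    """Policies the job's child token should carry.

    No templates configured -> inherit every policy of the AppRole (the
    backwards-compatible behaviour from the issue). Otherwise render each
    template; a rendered policy the AppRole does not hold either raises
    (strict) or is dropped, because Vault would refuse a child token whose
    policies exceed its parent's anyway. Either way the job never gains
    a policy the AppRole lacks."""
    approle_policies = set(approle_policies)
    if not templates:
        return sorted(approle_policies)
    variables = job_variables(job_full_name)
    wanted = sorted({render_policy(t, variables) for t in templates})
    missing = [p for p in wanted if p not in approle_policies]
    if missing and strict:
        raise PermissionError(f"policies not held by the AppRole: {missing}")
    return [p for p in wanted if p in approle_policies]


def child_token_request(policies, ttl="10m") -> dict:
    """JSON body for POST /v1/auth/token/create, sent with the AppRole login
    token. Short, non-renewable tokens keep a leaked job token low-value."""
    return {"policies": list(policies), "ttl": ttl, "renewable": False}


if __name__ == "__main__":
    # Constructed sample configuration matching the list in the issue.
    templates = [
        "my-policies/policy-common",
        "my-policies/policy-{job_folder}",
        "my-policies/policy-{job_name}",
    ]
    held = {"my-policies/policy-common", "my-policies/policy-team-a"}
    granted = resolve_job_policies(templates, "team-a/build", held, strict=False)
    print(child_token_request(granted))
```

Run as a script it prints the request body for a job `team-a/build` whose folder has a policy but which has no job-specific policy of its own; with `strict=True` the same input raises instead, which is the behaviour to choose if an unresolvable template should be treated as a configuration error rather than silently narrowed.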

bluesliverx pushed a commit to bluesliverx/hashicorp-vault-plugin that referenced this issue Jun 20, 2022
bluesliverx pushed a commit to bluesliverx/hashicorp-vault-plugin that referenced this issue Jun 20, 2022
bluesliverx pushed a commit to bluesliverx/hashicorp-vault-plugin that referenced this issue Nov 16, 2023
bluesliverx pushed a commit to bluesliverx/hashicorp-vault-plugin that referenced this issue Nov 17, 2023
jetersen pushed a commit that referenced this issue Nov 20, 2023
* Fixes #214, adds support for separating job policies

* Add configuration to credentials to enable using limited policies

* Fix handling of TTL in child tokens

* Add ability to disable folders or jobs from overriding policies

* Use StringSubstitutor for templating policies

* Fix flaky test

---------

Co-authored-by: saville <[email protected]>
1 participant