2

I'm using the Authorize User plugin in Jenkins, and I'm trying to set up a multi-tenant Jenkins with genuine access control. I want to have a folder with a set of jobs which group A can see, and another folder with another set of jobs which group B can see.

At the master/controller, the $JENKINS_HOME/jobs/ folder creates a new job folder when a build is triggered. However, this folder is created as the SYSTEM user, not the build user. The issue is that, although I could just put the build user into the SYSTEM user's group, this would ALSO give them access to any job on the filesystem, not just the folder they should have.

Is there a way to configure what user:group is set when a job folder is created?

Spence

1 Answer

0

Perhaps this helps: https://support.cloudbees.com/hc/en-us/articles/204173600-How-do-I-limit-users-access-to-the-folders-to-which-they-belong-to-?page=94

It should also work with vanilla Jenkins.

Warning: untried ;-)

  • Thanks for that. This is the configuration I have; however, this is only in the UI. At the file system, any user in Folder 1 can execute a script on the master and then go to ../../otherfolder/ and read the jobs, secrets and code+binaries out. Hence my issue of trying to secure the file system job folder. – Spence Oct 20 '21 at 00:34
  • Understood. I think there is no way to make this happen unless you wrap every step with sudo. Or you set up different Jenkins instances with different ownership. – Stefan Sonnenberg-Carstens Oct 20 '21 at 07:03
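
The gap described in the comments can be audited on a controller by evaluating the POSIX mode bits of each folder under $JENKINS_HOME/jobs/ for a given OS identity. This is an added example, not part of the original thread; the function names, the temporary directory layout and the folder modes are constructed for illustration, and it ignores ACLs and parent-directory permissions.

```python
import os
import stat
import tempfile

def can_enter(st, uid, gids):
    """Apply the POSIX owner/group/other check for read+traverse on a directory."""
    if uid == 0:                      # root bypasses mode bits
        return True
    if uid == st.st_uid:
        need = stat.S_IRUSR | stat.S_IXUSR
    elif st.st_gid in gids:
        need = stat.S_IRGRP | stat.S_IXGRP
    else:
        need = stat.S_IROTH | stat.S_IXOTH
    return st.st_mode & need == need

def reachable_folders(jobs_dir, uid, gids):
    """Return sorted names of top-level job folders the identity can list and enter."""
    found = []
    for entry in os.scandir(jobs_dir):
        if entry.is_dir(follow_symlinks=False):
            if can_enter(entry.stat(follow_symlinks=False), uid, set(gids)):
                found.append(entry.name)
    return sorted(found)

def build_sample_jobs_dir():
    """Constructed layout: two tenant folders created by one account, as on a controller."""
    root = tempfile.mkdtemp(prefix="jenkins_home_")
    jobs = os.path.join(root, "jobs")
    os.mkdir(jobs)
    for name, mode in (("folderA", 0o750), ("folderB", 0o700)):
        path = os.path.join(jobs, name)
        os.mkdir(path)
        os.chmod(path, mode)          # chmod after mkdir so umask does not interfere
    return jobs

if __name__ == "__main__":
    jobs = build_sample_jobs_dir()
    st = os.stat(os.path.join(jobs, "folderA"))
    # The account that created the folders (the Jenkins service account on a real controller)
    print("service account:", reachable_folders(jobs, st.st_uid, [st.st_gid]))
    # A different uid that was added to the service account's group
    print("other uid, same group:", reachable_folders(jobs, st.st_uid + 1000, [st.st_gid]))
    # A different uid with no shared group
    print("unrelated account:", reachable_folders(jobs, st.st_uid + 1000, []))
```

Whatever the per-folder settings in the UI, the first result lists every folder, because a script executed on the controller runs as the account that owns them all.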