Introducing AccessControlled.hasPermission(Authentication, Permission) #3149

Merged
merged 1 commit into from Nov 26, 2017

6 participants
@jglick
Member

jglick commented Nov 17, 2017

Extends #2999 with another overload used in some cases (jenkinsci/active-choices-plugin#17 for example).

Proposed changelog entries

  • API: added AccessControlled.hasPermission(Authentication, Permission).

Desired reviewers

@reviewbybees @jenkinsci/code-reviewers

@jglick jglick requested a review from ndeloof Nov 17, 2017

@reviewbybees

reviewbybees commented Nov 17, 2017

This pull request originates from a CloudBees employee. At CloudBees, we require that all pull requests be reviewed by other CloudBees employees before we seek to have the change accepted. If you want to learn more about our process please see this explanation.

@jglick

Member

jglick commented Nov 20, 2017

@jglick jglick added the needs-review label Nov 20, 2017

@oleg-nenashev

🐝

@@ -0,0 +1 @@
$ac.getACL().hasPermission($a, $p) :: $ac instanceof hudson.security.AccessControlled && $a instanceof org.acegisecurity.Authentication && $p instanceof hudson.security.Permission => $ac.hasPermission($a, $p);;
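
Review bot: the single rule line in this new file carries no comment saying which tool consumes it or which core version first provides `hasPermission(Authentication, Permission)` on `AccessControlled`. Because the rule rewrites `$ac.getACL().hasPermission($a, $p)` to `$ac.hasPermission($a, $p)`, applying it to code built against a core that predates the overload would leave a call that does not compile; a short header comment stating the minimum version would prevent that. It is also worth confirming that the new overload is strictly equivalent to going through `getACL()`, since the rule replaces an explicit ACL lookup with a method that implementers of `AccessControlled` could override, which moves where the authorization decision is made.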

@oleg-nenashev

oleg-nenashev Nov 22, 2017

Member

Do these files get autogenerated?
We have no guidelines about adding them, but it may be useful.

@daniel-beck daniel-beck changed the title from Introducing AccessController.hasPermission(Authentication, Permission) to Introducing AccessControlled.hasPermission(Authentication, Permission) Nov 23, 2017

@oleg-nenashev oleg-nenashev merged commit b3cd925 into jenkinsci:master Nov 26, 2017

1 check passed

continuous-integration/jenkins/pr-head This commit looks good

@jglick jglick deleted the jglick:AccessControlled branch Nov 27, 2017

@veotax

veotax commented Apr 19, 2018

Hi, there's no issues for this project, so I don't know how to make a proposal. I will put it here for the moment :)

jCasbin is an authorization library that supports models like ACL, RBAC, ABAC.

Related to RBAC, casbin has several advantages:

  1. roles can be cascaded, aka roles can have roles.
  2. support resource roles, so users have their roles and resources have their roles too. role = group here.
  3. the permission assignments (or policy in casbin's language) can be persisted in files or database.
  4. multiple models like ACL, BLP, RBAC, ABAC, RESTful are supported.

And you can even customize your own access control model, for example, mix RBAC and ABAC together by using roles and attributes at the same time. It's very flexible.

I saw we have a basic ACL mechanism here, but I think it can be extended to more powerful and flexible models like RBAC and ABAC through the integration of jCasbin. What do you think? Thanks.

@jglick

Member

jglick commented Apr 19, 2018

@veotax Jenkins has a developer mailing list and a JIRA tracker.

Regarding jCasbin, that sounds nice in the abstract, but retrofitting existing public APIs designed around an ACL model to use it is likely impractical.

@oleg-nenashev

Member

oleg-nenashev commented Apr 19, 2018

Maybe jCasbin can still be added to Jenkins as a plugin. We have an AuthorizationStrategy extension point, so plugins can add custom strategies if needed (actually now we have only very basic strategies inside the core, the rest is in plugins).
