3

I need to add some permissions (Read, Build, Workspace, Cancel etc.) for a specific user to a lot of jobs. I'm wondering if there is a way to do that using a Groovy script instead of doing it manually.

Alex Brodov

6 Answers

4

I tried the above solutions, and they nearly worked. All my attempts resulted in the current, in-memory permissions reflecting the new settings, but those permissions were not saved in config.xml, so when Jenkins was restarted the permissions were lost. Building on Andrew Hura's solution, I came up with this code, which works across a restart:

import hudson.model.*
import hudson.security.*

AbstractProject proj = Hudson.instance.getItem("my_job")
AuthorizationMatrixProperty authProperty = proj.getProperty(hudson.security.AuthorizationMatrixProperty)
// Add the grant in memory, then capture the full permission map
authProperty.add("hudson.model.Item.Build:DEV")
Map<Permission, Set<String>> permissionMap = authProperty.getGrantedPermissions()

// Replace the property so the new permissions are written to config.xml
proj.removeProperty(hudson.security.AuthorizationMatrixProperty)
proj.addProperty(new AuthorizationMatrixProperty(permissionMap))

Bob Lavey
3

As far as I know what you are trying to do is not possible.

Link: https://wiki.jenkins-ci.org/display/JENKINS/Matrix-based+security

I would recommend using 'configuration slicing' if there is a change that you want to apply to multiple jobs at the same time.

https://wiki.jenkins-ci.org/display/JENKINS/Configuration+Slicing+Plugin

But I don't think permissions are part of configuration slicing anyway.

AltF4_
2

We don't need to create a new permission object; just create a new hudson.security.AuthorizationMatrixProperty:

Jenkins.instance.getItem("JobName")
    .removeProperty(hudson.security.AuthorizationMatrixProperty)
Jenkins.instance.getItem("JobName")
    .addProperty(new hudson.security.AuthorizationMatrixProperty())
Jenkins.instance.getItem("JobName")
    .getProperty(hudson.security.AuthorizationMatrixProperty)
    .add("hudson.model.Item.Build:DEV")

where "hudson.model.Item.Build:DEV" is a permission string you can take from the XML file with the configured permissions you need.

1

You can use the execute system groovy step to run a script like:

import hudson.security.AuthorizationMatrixProperty
import jenkins.model.Jenkins

def jobWithPermissionsYouWant = "template-job-name"
def jobToAddPermissions = "job-to-update-name"
def jen = Jenkins.getInstance();
def templateJob = jen.getItem(jobWithPermissionsYouWant);


//get permissions from another job (use it as permissions template)
def autTemplate = templateJob.getProperty(AuthorizationMatrixProperty.class)
def permissionSetToAdd = autTemplate.getGrantedPermissions()

//get the authorization matrix property of the job you want to update
def jobToUpdate = jen.getItem(jobToAddPermissions);
def autToUpdate = jobToUpdate.getProperty(AuthorizationMatrixProperty.class)
def currPermissionSet = autToUpdate.getGrantedPermissions()

//for each permission in the template job, add permission to the job you want to update
permissionSetToAdd.each{

    autToUpdate.add(it.key, "your.email@here.com")

}

println("the permissions after update: ${autToUpdate.getGrantedPermissions()}" )

(if you figure out how to get a permission object without reading it from a different job, please update)

Tidhar Klein Orbach
1

Have a look at the script here: https://github.com/MovingBlocks/GroovyJenkins/blob/master/src/main/groovy/ChangeSecurityPerJob.groovy

You should be able to pull parts of it out to do what you want, kinda like this.

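import hudson.model.*
import hudson.security.*

// Placeholder user IDs (hypothetical); replace with the users who should get Build
Set<String> users = ["user1_ID"] as Set

AbstractProject proj = Hudson.instance.getItem("YourJob")
AuthorizationMatrixProperty authProperty = proj.getProperty(AuthorizationMatrixProperty.class)

// Build the permission map for the new property
Map<Permission,Set<String>> newPermissions = new HashMap<Permission, Set<String>>()
newPermissions.put(Item.BUILD, users)

proj.addProperty(new AuthorizationMatrixProperty(newPermissions))
proj.save()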

The more interesting part is if you need to merge the permissions.
You can find an example for that in the above link as well.

mmphantom
works on the job. Is it possible to do it on a folder? It gives an error when assigning it to a folder. – bilcy Jul 21 '22 at 12:04
0

My solution is the following groovy script:

import hudson.model.*    
import jenkins.security.*
import hudson.security.*

def jobNames = []
hudson.model.Hudson.instance.getView('VIEW_NAME').items.each() { 
  jobNames.add(it.fullDisplayName) 
}

def userIDs = ['user1_ID','user2_ID', 'user3_ID']

// For each project
for(item in Hudson.instance.items) {
  for(jobName in jobNames){
    if(item.name.equalsIgnoreCase(jobName))
    {
      println(item.name)
      for(userID in userIDs){
        User user = User.getOrCreateByIdOrFullName(userID)
        String sID = user.getId() ;   

        def authorizationMatrixProperty = item.getProperty(AuthorizationMatrixProperty.class)

        authorizationMatrixProperty?.add(hudson.model.Item.CANCEL, sID)
        authorizationMatrixProperty?.add(Item.WORKSPACE, sID);
        authorizationMatrixProperty?.add(Item.BUILD, sID);
        authorizationMatrixProperty?.add(Run.DELETE, sID);
        authorizationMatrixProperty?.add(Run.UPDATE, sID);
        authorizationMatrixProperty?.add(Item.CONFIGURE, sID);
        authorizationMatrixProperty?.add(Item.DELETE, sID);
        authorizationMatrixProperty?.add(Item.READ, sID);
        authorizationMatrixProperty?.add(com.cloudbees.plugins.credentials.CredentialsProvider.VIEW, sID);

        item.addProperty(authorizationMatrixProperty)
        item.save()
      }
    }
  }
}

It works if the jobs whose permissions you want to change are under a view. Otherwise you can just create a list with the jobs' names.

matebende
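
The answers above combined into one bulk script for the Jenkins script console, as an added example that is not taken from any of the answers: it grants only Read, Build, Workspace and Cancel, keeps existing grants, supports a dry run, and replaces the property so the change is persisted. It assumes project-based matrix authorization and the String-based AuthorizationMatrixProperty API used on this page; `sid`, `nameFilter` and `dryRun` are placeholder names and values.

```groovy
import hudson.model.Item
import hudson.model.Job
import hudson.security.AuthorizationMatrixProperty
import hudson.security.Permission
import jenkins.model.Jenkins

// Assumed inputs (placeholders): the user ID to grant and a job-name filter.
String sid = 'user1_ID'
def nameFilter = ~/^my_team-.*/   // constructed pattern; adjust to your jobs
boolean dryRun = true             // review the printed plan, then set to false

// Only the permissions the question asks for (least privilege).
List<Permission> wanted = [Item.READ, Item.BUILD, Item.WORKSPACE, Item.CANCEL]

// getAllItems also returns jobs nested inside folders.
Jenkins.instance.getAllItems(Job.class)
    .findAll { it.name ==~ nameFilter }
    .each { Job job ->
        def existing = job.getProperty(AuthorizationMatrixProperty.class)

        // Copy the current grants so other users' permissions are kept.
        Map<Permission, Set<String>> grants = [:]
        existing?.grantedPermissions?.each { perm, sids ->
            grants[perm] = new HashSet<String>(sids)
        }

        // Work out which of the wanted permissions the user still lacks.
        def missing = wanted.findAll { !(grants[it]?.contains(sid)) }
        if (missing.isEmpty()) {
            println "${job.fullName}: nothing to do"
            return   // acts as 'continue' inside each{}
        }
        println "${job.fullName}: ${dryRun ? 'would grant' : 'granting'} ${missing*.id} to ${sid}"
        if (dryRun) return

        missing.each { perm ->
            if (grants[perm] == null) grants[perm] = new HashSet<String>()
            grants[perm].add(sid)
        }

        // Replace the property rather than mutating it in place, so the
        // new grants are written to the job's config.xml.
        if (existing != null) job.removeProperty(AuthorizationMatrixProperty.class)
        job.addProperty(new AuthorizationMatrixProperty(grants))
    }
```

Run it once with `dryRun = true` and check the printed job list against the intended scope before applying; jobs that had no per-job matrix property get one created.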