We have two types of projects, a free-style and a multibranch pipeline. I want to have a developer role to get only read access to the jobs, to analyse pipeline logs and archived artifacts. For the free-style project it works great, but for multibranch, a user within the developer role can't see anything; the message 'This folder is empty' appears and triggered builds don't appear. Can someone shed some light, please?

- Could you share a screenshot of your configuration? – JRichardsz Oct 29 '18 at 15:55
- Sorry, which configuration exactly? – Gois Oct 30 '18 at 16:36
- Role strategy configuration – JRichardsz Oct 30 '18 at 17:03

2 Answers
I had the same issue and found a solution that is not perfect, but it works.

One requirement: branch naming in Git should be persistent, with an additional prefix. For example: `feat/branchName`. Then you can filter by this prefix value. See more on branch naming in git flow.

As input parameters you have projects and multibranch pipelines inside them. For example:

- Product1 -> Multibranch_pipeline_Product1 -> different branches with prefixes `feat`, `bug`, `infra`, etc. (for example: `infra/PRJ-135-reciepts-issues`, `feat/PRJ-337-new-customer`, etc.)
- Product2 -> Multibranch_pipeline_Product2 -> different branches with prefixes `feat`, `bug`, `infra`, etc. (for example: `infra/PRJ-876-new-env`, `feat/PRJ-999-entity-creation`, etc.)

and you would like to separate it for different users:
- Developer1 - access only Project1 and branches inside multibranch pipeline
- Developer2 - access only Project2 and branches inside multibranch pipeline
- Developer3 - access to Project1 and Project2 multibranch pipelines
So you need the following configuration in your role-based plugin:
Project Roles:

- Product1 pattern - `^Product1*|.*_Product1*|(.*)feat(.*)|(.*)bug(.*)|(.*)hotfix(.*)|(.*)infra(.*)|(.*)develop(.*)`
- Product2 pattern - `^Product2*|.*_Product2*|(.*)feat(.*)|(.*)bug(.*)|(.*)hotfix(.*)|(.*)infra(.*)|(.*)develop(.*)`

where:

- `^Product1*` - will give access to the folder `Product1`
- `.*_Product1*` - will give access to the folder (multibranch project) - `Multibranch_pipeline_Product2`
- `(.*)feat(.*)|(.*)bug(.*)|(.*)hotfix(.*)|(.*)infra(.*)|(.*)develop(.*)` - will give access to all the branches with prefixes `feat` OR `bug` OR `hotfix` OR `infra` OR `develop` inside this multibranch project.

And you should do the same for Product2.

In sum you should have:

- Developer1 has role Product1
- Developer2 has role Product2
- Developer3 has both roles, Product1 and Product2

I tested this solution and with such configuration permissions do not intersect (Developer1 will not have access to branches in Product2 and Developer2 will not have access to branches in Product1)

- This solution fixed it for me. I didn't want to restrict it by branches, so I just used the expression `^my-job-name(.*)` to match all branches under the job. – zoidberg Sep 16 '19 at 15:31

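The role patterns from the answer above can be checked offline against item full names before they are entered in the plugin. This is an added example, not part of the original answer: it assumes the plugin matches each pattern against an item's whole full name (folder/project/branch) and that `/` in a branch name is stored as `%2F`; the item names and the anchored `^ProductN(/.*)?` patterns are constructed for illustration.

```python
import re

# Role patterns copied from the answer above.
BRANCH_ALT = "(.*)feat(.*)|(.*)bug(.*)|(.*)hotfix(.*)|(.*)infra(.*)|(.*)develop(.*)"
ANSWER_ROLES = {
    "Product1": "^Product1*|.*_Product1*|" + BRANCH_ALT,
    "Product2": "^Product2*|.*_Product2*|" + BRANCH_ALT,
}
# Hypothetical tighter patterns, anchored on the top-level folder in the style
# of the `^my-job-name(.*)` comment; not from the original answer.
ANCHORED_ROLES = {
    "Product1": r"^Product1(/.*)?",
    "Product2": r"^Product2(/.*)?",
}

# Constructed item full names: folder / multibranch project / branch job.
# Assumption: "/" in a branch name is stored encoded as %2F in the job name.
ITEMS = [
    "Product1",
    "Product1/Multibranch_pipeline_Product1",
    "Product1/Multibranch_pipeline_Product1/feat%2FPRJ-337-new-customer",
    "Product1/Multibranch_pipeline_Product1/infra%2FPRJ-135-reciepts-issues",
    "Product2",
    "Product2/Multibranch_pipeline_Product2",
    "Product2/Multibranch_pipeline_Product2/feat%2FPRJ-999-entity-creation",
    "Product2/Multibranch_pipeline_Product2/infra%2FPRJ-876-new-env",
]

def matched_items(pattern, items=ITEMS):
    """Items whose whole full name matches the role pattern (assumed semantics)."""
    rx = re.compile(pattern)
    return [name for name in items if rx.fullmatch(name)]

def cross_project_matches(roles, items=ITEMS):
    """Map each role to matched items that live under a different top-level folder."""
    return {
        role: [n for n in matched_items(pat, items) if n.split("/")[0] != role]
        for role, pat in roles.items()
    }

if __name__ == "__main__":
    for label, roles in (("answer", ANSWER_ROLES), ("anchored", ANCHORED_ROLES)):
        for role, pat in roles.items():
            print(label, role, matched_items(pat))
        print(label, "cross-project:", cross_project_matches(roles))
```

Under these assumptions the unanchored branch alternatives also match branch job names under the other product, while its folder and multibranch project stay unmatched; the anchored form matches only names under its own folder.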
What you can do is create 2 distinct jobs, with a single Jenkinsfile, where the branch 'develop' performs specific tasks (sonarqube, unit tests, etc). The 'release' branch performs integration tasks.

Example:

```groovy
// Scripted-pipeline Jenkinsfile shared by all branches
stage 'Init'
node {
    checkout scm
    // Single quotes: the shell expands $BRANCH_NAME from the build environment
    sh 'echo $BRANCH_NAME'
}
if (env.BRANCH_NAME == 'develop') {
    stage 'Only on develop'
    println 'This happens only on develop'
} else {
    stage 'Other branches'
    println "Current branch ${env.BRANCH_NAME}"
}
```

Look at this link as a reference

- I don't understand how this helps me solve the problem. The problem is that developers can't see anything inside a multibranch pipeline job, branches, pull requests and tags... not even the build log or the generated artifacts, that is the real problem! (BTW, I will consider your suggestion to pull out the E2E stage, that today we run on PR only) – Gois Oct 29 '18 at 14:29