Open afeld opened 7 years ago
@jerodweaver Would checking the user is on a particular GitHub team (in an org that enforces MFA) be acceptable for login here?
@afeld Are you asking if that would meet the MFA requirement? Are you asking if you can use users/team membership within Github for authentication to Jenkins? Does Jenkins not have its own users/roles within the application itself? Please clarify the question, and exactly what it applies to. Thanks Aidan!
> Are you asking if that would meet the MFA requirement?
Yep!
> Are you asking if you can use users/team membership within Github for authentication to Jenkins?
Authorization, yes. Presumably we would map that team membership to a certain set of permissions / role in Jenkins.
> Does Jenkins not have its own users/roles within the application itself?
It does - I just figured it would be easier to manage membership in a single place. Also, I figured piggybacking off their MFA is easier than setting up our own.
@afeld Would you be creating a new team in Github and restricting access to Jenkins based on membership to that team? Or would you be essentially giving the whole team (current members) the same rights to login and operate within Jenkins? Can you give me a run down on how the process would look from your side? (for example: user navigates to url for jenkins, user is prompted for username and password, user enters Github credentials and is then prompted for MFA token, etc, etc).
> Would you be creating a new team in Github and restricting access to Jenkins based on membership to that team? Or would you be essentially giving the whole team (current members) the same rights to login and operate within Jenkins?
The latter. I was thinking we'd give admin (or at least write) access to the d2d team, and maybe read-only access to the d2d-read-only team.
> Can you give me a run down on how the process would look from your side?
I'll get a demo together 😁 Should be fairly easy to set up.
From @jerodweaver:
@eyard talked with @boberlas about using Github for Jenkins and @boberlas said that is was going to need to go up to Kurt for evaluation. So once you have a writeup on how it works, if you would send it to @eyard and myself, we will review and send it on to @boberlas for review and forwarding to Kurt.
So, here we go:
We want/need to ensure our forthcoming Jenkins "master" is secure by ensuring that users can only log in with multi-factor auth. While we could probably implement this in Jenkins directly, my idea was to use single sign-on. This would provide a couple of benefits:
Since Jenkins will primarily be used by technical folks, the first thing that came to mind was GitHub. Jenkins has a plugin for doing OAuth with GitHub, which would act like any other "sign in with X" you've seen across the web:
- read:org
- user:email
- code
- for an access token.

Note that this flow is giving Jenkins access to GitHub, not the other way around.
Also, reminder that we're trying to figure out a solution that's a sensible default, which will work for more projects than just D2D.
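An added example (not code from this thread or from the Jenkins GitHub OAuth plugin) of how the team-to-role mapping proposed above (d2d gets admin, d2d-read-only gets read) could be applied to the team data the read:org scope exposes, refusing login unless GitHub reports that the org enforces 2FA. The org name and both API responses are constructed placeholders so it runs offline.

```python
"""Map GitHub team membership to a Jenkins role, gated on org-level 2FA.

Added example, not the plugin's code. The org name is a placeholder; the
API responses are constructed to mirror the shape of the real endpoints.
"""
import json
from typing import Optional

ORG = "example-org"  # placeholder: the thread does not name the org
# Team slug -> Jenkins permission level, most privileged first (first match wins).
TEAM_ROLES = [("d2d", "admin"), ("d2d-read-only", "read")]

# Constructed sample of GET /orgs/{org}. GitHub returns the
# two_factor_requirement_enabled field only to org owners, so the token
# used for this check must belong to an owner.
ORG_RESPONSE = json.dumps({"login": ORG, "two_factor_requirement_enabled": True})

# Constructed sample of GET /user/teams (needs the read:org scope).
# The user is on a team in an unrelated org and on d2d-read-only in ours.
USER_TEAMS_RESPONSE = json.dumps([
    {"slug": "docs", "organization": {"login": "other-org"}},
    {"slug": "d2d-read-only", "organization": {"login": ORG}},
])


def org_enforces_mfa(org_json: str) -> bool:
    """True only when GitHub reports the org requires 2FA of every member."""
    return json.loads(org_json).get("two_factor_requirement_enabled") is True


def jenkins_role(teams_json: str, org_json: str) -> Optional[str]:
    """Return the Jenkins role for this user, or None to deny login.

    Login is denied outright when the org does not enforce MFA: team
    membership then says nothing about how the user authenticated.
    Teams from other orgs are ignored so a same-named team elsewhere
    cannot grant access here.
    """
    if not org_enforces_mfa(org_json):
        return None
    slugs = {t["slug"] for t in json.loads(teams_json)
             if t.get("organization", {}).get("login") == ORG}
    for slug, role in TEAM_ROLES:
        if slug in slugs:
            return role
    return None


if __name__ == "__main__":
    print(jenkins_role(USER_TEAMS_RESPONSE, ORG_RESPONSE))  # read
```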
@jerodweaver If GitHub auth isn't (easily) acceptable, what would be a lower-friction choice? GSA SecureAuth? If so, how do we go about getting that set up on the GSA IT side? [Edit: nevermind, found an InSite page about it! and there's a Jenkins SAML plugin.]
@maverickquant ^
- [ ] Disable the login page from anywhere but the jumpbox
How can this be done?
Likely makes sense to address authorization as a separate issue.