Try a 30 day evaluation license first... I am worried that you might be confused about how the RBAC's local groups work... you are still going to be limited by what the Security Realm you choose can provide... but one of the reasons for RBAC was to allow Jenkins to manage its own internal group details...
e.g. before I started at cloudbees, the problem I had when running Jenkins is we needed to authenticate against corporate AD but we didn't want to deal with the heavyweight corp IT process to create and maintain groups in AD, so being able to have local groups was a critical requirement in any RBAC authorization strategy, hence I baked it in as an *Additional* layer On 21 November 2013 14:34, Steffen Breitbach <steffen.breitb...@1und1.de>wrote: > I think I might have to convince middle management to buy a license ;-) > > -----Ursprüngliche Nachricht----- > Von: jenkinsci-users@googlegroups.com [mailto: > jenkinsci-users@googlegroups.com] Im Auftrag von Stephen Connolly > Gesendet: Donnerstag, 21. November 2013 11:56 > An: jenkinsci-users@googlegroups.com > Betreff: Re: Use different backend (plug in) for authentication and > authorization? > > you could certainly write such a Security Realm implementation... but be > warned that Security Realm implementations are probably among the more > complex to write (i.e. it can be easy to fuck them up) > > The user and group information is all provided by the single Security Ream > component, so they both have to come from a single plugin. > > An alternative is the commercial CloudBees Enterprise RBAC plugin which > lets you define and manage groups *within* jenkins... that gives you an > additional layer for group information (i.e. your CAS Security realm would > not be providing RBAC with "external" group information and it will not - > in and of itself - go and ask your LDAP server about groups... if you > configured the LDAP security realm, however, then the RBAC plugin would get > the LDAP group info... but you wouldn't have the CAS authentication then > ;-) ) > > > On 21 November 2013 10:18, Steffen Breitbach <steffen.breitb...@1und1.de> > wrote: > > > Hi everyone! > > In our company one can use CAS as an authentication service for > single sign on purposes. Unfortunately, however, that is all it does. The > response contains information about the user (like email address) but not > about the roles he is in. This has to be done e.g. trough LDAP. > > Is there a way to use two different plug ins for authentication > and authorization in Jenkins? > > Regards > Steffen > > -- > You received this message because you are subscribed to the Google > Groups "Jenkins Users" group. > To unsubscribe from this group and stop receiving emails from it, > send an email to jenkinsci-users+unsubscr...@googlegroups.com <mailto: > jenkinsci-users%2bunsubscr...@googlegroups.com> . > For more options, visit https://groups.google.com/groups/opt_out. > > > > -- > You received this message because you are subscribed to the Google Groups > "Jenkins Users" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to jenkinsci-users+unsubscr...@googlegroups.com. > For more options, visit https://groups.google.com/groups/opt_out. > > -- > You received this message because you are subscribed to the Google Groups > "Jenkins Users" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to jenkinsci-users+unsubscr...@googlegroups.com. > For more options, visit https://groups.google.com/groups/opt_out. > -- You received this message because you are subscribed to the Google Groups "Jenkins Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-users+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/groups/opt_out.
