- Home
- Download as PDF
- Contribute
- Introduction
- 1. Concepts In Go
- 2. Go Tour
- 3. Installing Go
-
4.
Configuration
- 4.1. Setup a New Pipeline
- 4.2. Managing Pipelines
- 4.3. Managing Dependencies
- 4.4. Managing Agents
- 4.5. Managing Environments
- 4.6. Pipeline Labelling
- 4.7. Pipeline Scheduling
- 4.8. Parameterize a Pipeline
- 4.9. Customize a Pipeline Label
- 4.10. Clone a Pipeline
- 4.11. Lock a Pipeline
- 4.12. Add Material to Existing Pipeline
- 4.13. Add Stage to Existing Pipeline
- 4.14. Add job to Existing Stage
- 4.15. Add task to Existing Job
- 4.16. Pipeline Templates
- 4.17. Choose When a Stage Runs
- 4.18. Timer Trigger
- 4.19. Job Timeout
- 4.20. Managing Users
- 4.21. Authentication
- 4.22. Authorizing Users
- 4.23. Delegating Group Administration
- 4.24. Pipeline Group Administration
- 4.25. Publish Reports and Artifacts
- 4.26. Managing Artifacts and Reports
- 4.27. Auto Delete Artifacts
- 4.28. UI Testing
- 4.29. Mailhost Information
- 4.30. Notifications
- 4.31. TFS Material configuration
- 4.32. Reference
- 4.33. Schema
-
5.
Advanced Usage
- 5.1. Auto Register a Remote Agent
- 5.2. Spawn multiple instances of a Job
- 5.3. Multiple Agents on One Machine
- 5.4. Clean on Task Cancel
- 5.5. Conditional Task Execution
- 5.6. Trigger With Options
- 5.7. Fan In
- 5.8. Properties
- 5.9. Compare Builds
- 5.10. Graphs
- 5.11. Command Repository
- 5.12. Backup Go Server
- 5.13. Other Config Options
- 6. Integrating Go With Other Tools
- 7. Go Api
- 8. Extension Points Of Go
-
9.
FAQ/Troubleshooting
- 9.1. Ordering of Pipelines
- 9.2. Historical Configuration
- 9.3. Concurrent Modifications to Config
- 9.4. Why the Build is Broken?
- 9.5. See artifacts as sub-tabs
- 9.6. Save Properties for a Build
- 9.7. Using Environment variables
- 9.8. Deploy to an environment
- 9.9. See changes in new binary
- 9.10. Run Tests against new Builds
- 9.11. Check What's Deployed
- 9.12. Deploy a Specific Build
- 9.13. Clone/Copy an Existing Agents
- 9.14. OAuth Overview
- 9.15. What is OAuth?
- 9.16. What is OpenSocial?
- 9.17. How do I re-run jobs?
- 9.18. Go unable to poll for changes
- 9.19. Artifact integrity verification
- 9.20. Email Notifications
- 9.21. Running out of Disk Space
- 10. Beta features
- 11. Release History
- Published using GitBook
Authorization
With no security switched on, there is of course no authorization either. Once you have configured security, the default is that any user can perform any operation. However you can get Go to limit certain operations to particular Users or Roles, and manage membership of those Roles.
Administrators
Go allows you to restrict the users who can perform certain functions. Administrators is a special role that allows its members to perform any action in Go. Specifying administrators is optional -- without it, all users are automatically made administrators.
If administrators are specified, only they can perform the following actions:
- Access the "administration" tab
- Add/Edit Pipeline Templates
- Enable agents
- Add / remove agent resources
Users can be made administrators from the "User Summary" tab in the "Admin" section.
To give admin privileges to users and/or roles via "Config xml", please refer to the example in the section below, where members of the "go_admin" role (jhumble and qiao), along with the user chris, can administer Go.
Role-based security
You can define roles that can be used anywhere that authorization is required. A role is just a group of users. Administrators can add users to a new or existing role from the "User Summary" tab in the "Admin" section. Here, you can select any number of users and assign a new or existing role to them. In this example, user "aantony" is being added to the role "analyst"
For power users, here's how you would configure roles via "Config XML":
<cruise>
<server>
<license ... />
<security>
<passwordFile path="/etc/go-server/passwords.properties" />
<roles>
<role name="qa">
<user>dyang</user>
<user>pavan</user>
</role>
<role name="go_admin">
<user>jhumble</user>
<user>qiao</user>
</role>
</roles>
<admins>
<role>go_admin</role>
<user>chris</user>
</admins>
</security>
</server>
</cruise>
In this example, the "qa" role has two users: dyang and pavan. The "go_admin" role also has two users: jhumble and qiao.
Specifying permissions for pipeline groups
Go allows you to group pipelines together. If you define pipeline groups, you can specify who is able to view or operate those groups. To do this, you configure permissions to the pipeline group. System administrators will continue to have full access to the pipeline group even if they have not been explicitly granted permissions.
The "view" permission allows users to view the pipeline. It does not give permission to trigger pipelines, approve stages, or re-run stages. In the below example, the users "akrishna" and "aantony" can view the pipelines in this group, but they cannot perform any operations on it.
The "operate" permission allows users to trigger pipelines and its stages. In the below example, the role "developer" is being granted the operate permission and will be able to trigger pipelines and its stages within this group.
The "admin" permission makes the user a Pipeline Group Administrator allowing him to view, operate and administer the pipeline group. In the below example, role "admins" has been granted this permission.
Note that is is possible to give a user or role only the operate permission. In the example below, the user "bot" only has operate permission. That means they can not view the pipeline, they can only operate it. This can be used to enable a script to operate on pipelines via the APIs without letting that user access any other features of Go.
To edit the permissions for a pipeline group, navigate to the "Pipelines" tab on the "Admin" section:
Then, click the "Edit" link for the pipeline group you want to manage permissions for:
If no authorization is defined for a pipeline group, all Go users will have view and operate permissions to that group.
For power users, here's how you would configure permissions via "Config XML":
<pipelines group="Shine">
<authorization>
<view>
<user>aantony</user>
<user>akrishna</user>
<role>developer</role>
</view>
<operate>
<user>bot</user>
<role>developer</role>
</operate>
<admins>
<role>admins</role>
</admins>
</authorization>
...
</pipelines>
Adding authorization to approvals
In Go, it is possible to specify manual approvals between stages. You can also specify which user is allowed to trigger manual approvals.
The authorization can be inherited from the pipeline group this pipeline belongs to. But defining specific permissions overrides this. In the example below, only members of the role "admin", and the user "goleys", can trigger the approval.
For power users, here's how you would configure authorization for approvals for a stage via "Config XML":
<stage name="defaultStage">
<approval type="manual">
<authorization>
<role>admin</role>
<user>goleys</user>
</authorization>
</approval>
<jobs>
<job name="deploy">
<resources>
<resource>uat</resource>
</resources>
<tasks>
<ant target="deploy" />
</tasks>
</job>
</jobs>
</stage>
Specifying permissions for templates
A Go Administrator can make any user a template administrator for a specific template. As a template administrator, a user can now view and edit the template to which he has permissions.
To edit the permissions for a template, navigate to the "Templates" tab on the "Admin" section:
Then, click the "Permissions" link for the template you want to manage permissions for:
For power users, here's how you would configure permissions via "Config XML":
<templates>
<pipeline name="app-1-template">
<authorization>
<admins>
<user>operate</user>
</admins>
</authorization>
...
</pipeline>
</templates>