
How to set role-based login for jenkins in keycloak


I managed it the following way (Using Keycloak 8.0.1, Jenkins 2.208):

Keycloak:

  1. create realm
  2. create client "jenkins" - set root url to Jenkins-url (e.g. http://127.0.0.1:8080)
  3. In client "jenkins" select tab "installation" - format "keycloak OIDC JSON" - copy to clipboard for the Jenkins setup below
  4. create role "jenkins_admin"
  5. create role "jenkins_readonly"
  6. create user "admin" and assign role "jenkins_admin"
  7. create named user and assign role "jenkins_readonly"

Jenkins

  1. verify that you have the necessary plugins installed (if not, install them):
  1. Switch authorization mode to Role-Based Strategy by going in "Configure Global Security" - Select "Authorization": "Role-Based Strategy" and then click on Save

  2. Add Keycloak authentication JSON by going to "Manage Jenkins" - "Configure System" - "Global Keycloak Settings" and paste the previously copied JSON (Keycloak step 3) into the "Keycloak JSON" area

  3. Verify that an admin role is present by going to "Manage Jenkins" - "Manage and Assign Roles" - "Manage Roles" - "Global Roles". If not present, add the role "admin" with all checkboxes selected; then click on SAVE

  4. Add a "read_only" role by going to "Manage Jenkins" - "Manage and Assign Roles" - "Manage Roles" - "Global Roles" and add role "read_only" with "Overall Read" selected; then click on SAVE

  5. Create group "jenkins_admin" and assign to "admin" role by going to "Manage Jenkins" - "Manage and Assign Roles" - "Assign Roles" and add group "jenkins_admin" to global roles; then select "admin" and click on SAVE

  6. Create group "jenkins_readonly" and assign to "read_only" role by going to "Manage Jenkins" - "Manage and Assign Roles" - "Assign Roles" and add group "jenkins_readonly" to global roles; then select "read_only" and click on SAVE

  7. Change the "Security Realm" to Keycloak Authentication Plugin by going to "Configure Global Security" and selecting "Security Realm": "Keycloak Authentication Plugin", then click on save.

  8. Logout

Now, when you try to perform a login, you should be redirected to the Keycloak login page. Try to log in as admin with admin rights, and as the named user with read-only rights.


Besides Christop's answer:

  • you need to configure a Mapper for Group Membership under the keycloak client.
  • validate that by making sure that "groups" appears in the scope of the access token.

Another point: you can use one of two plugins:


Last point:
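The second answer says to check that the "groups" claim actually arrives in the access token, and the first answer relies on the Keycloak group/role names mapping onto the Jenkins global roles "admin" and "read_only". The following is an added example, not code from either answer or from the Keycloak or Jenkins projects: it verifies a token, pulls the memberships out of the "groups" claim (and, as an assumption, also out of realm_access.roles), and computes which Jenkins role the user would land in. The token is constructed with a throwaway HS256 key so it runs offline; a real Keycloak token is RS256-signed and must be checked against the realm's public key before any of its claims are trusted. The KEYCLOAK_TO_JENKINS mapping, the issuer URL and the user "alice" are assumptions made for the example.

```python
# Added example (not from the original answers): verify a Keycloak-style access
# token offline, confirm the "groups" claim is present, and map memberships to
# the Jenkins global roles the answers above configure.
import base64
import hashlib
import hmac
import json
import time

# Assumed mapping from the answers: Keycloak group/role name -> Jenkins global role.
KEYCLOAK_TO_JENKINS = {
    "jenkins_admin": "admin",
    "jenkins_readonly": "read_only",
}


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_test_token(claims: dict, key: bytes) -> str:
    """Build a CONSTRUCTED HS256 JWT for offline testing (Keycloak itself uses RS256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_and_decode(token: str, key: bytes, expected_aud: str) -> dict:
    """Check signature, expiry and audience before returning the claims."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never honour "none" or an unexpected alg
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) < time.time():
        raise ValueError("token expired")
    aud = claims.get("aud")
    if not (aud == expected_aud or (isinstance(aud, list) and expected_aud in aud)):
        raise ValueError("audience mismatch")
    return claims


def keycloak_memberships(claims: dict) -> set:
    """Names from the 'groups' claim (Group Membership mapper) plus realm roles.
    Keycloak prefixes groups with '/' when 'Full group path' is on, so keep the last segment."""
    names = {g.split("/")[-1] for g in claims.get("groups", [])}
    names.update(claims.get("realm_access", {}).get("roles", []))
    return names


def jenkins_roles_for(claims: dict) -> set:
    """Jenkins global roles the user would be granted under the assumed mapping."""
    return {KEYCLOAK_TO_JENKINS[m] for m in keycloak_memberships(claims) if m in KEYCLOAK_TO_JENKINS}


# Constructed sample: a named user who should only get read-only access.
SAMPLE_KEY = b"offline-test-key-not-a-real-secret"
SAMPLE_CLAIMS = {
    "iss": "http://127.0.0.1:8180/auth/realms/jenkins",  # assumed realm URL
    "aud": "jenkins",
    "exp": int(time.time()) + 300,
    "preferred_username": "alice",
    "groups": ["/jenkins_readonly"],
    "realm_access": {"roles": ["offline_access", "uma_authorization"]},
}

if __name__ == "__main__":
    tok = make_test_token(SAMPLE_CLAIMS, SAMPLE_KEY)
    claims = verify_and_decode(tok, SAMPLE_KEY, "jenkins")
    print("groups claim present:", "groups" in claims)
    print("memberships:", sorted(keycloak_memberships(claims)))
    print("jenkins roles:", sorted(jenkins_roles_for(claims)))
```

If the mapper from the second answer is missing, the "groups" claim is absent and `jenkins_roles_for` returns an empty set, which is exactly the symptom of a user who authenticates fine at Keycloak but lands in Jenkins with no role at all.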