Mastering RBAC: Configure Jenkins Pipeline Permissions Step‑by‑Step
This guide explains role‑based access control (RBAC), shows how to map users to roles and permissions, and provides a complete Jenkins pipeline example—including role configuration, permission assignment, and validation—for admin, development, and operations teams.
What is RBAC
Role‑based access control (RBAC) authorizes users based on their assigned roles, making permission management more flexible, simple, efficient, and scalable compared with granting permissions directly to individual users.
When using RBAC, users are analyzed, grouped by common responsibilities, and assigned one or more roles; each role contains one or more permissions. Users inherit permissions from their roles, eliminating the need to manage each user individually.
Example: roles include Administrator, Development, and Operations, each with distinct permissions; a user may hold multiple roles.
Requirement Description
This section uses an enterprise case to illustrate the requirements.
Based on the organizational chart, we will create users and groups.
Jenkins permission allocation:
Development group: read‑only permission
Operations group: administrator permission
Test group: execution permission
Configure Permissions
Configure roles
Assign permissions
Permission verification
Administrator (Zhang San) – all permissions:
Read‑only user (Li Si) – only read permission:
Execute user (Zhang San) – execution permission:
Configure Pipeline Permissions
Requirement
We manage pipelines with Jenkins and need to control pipeline permissions as shown below.
Permission configuration:
Operations group: administrator permission
Development group: read‑only permission in non‑production environments
Test group: execution permission in non‑production environments
Example using Ruoyi‑Gateway in the pipeline:
DeployDev stage (modify submitter):
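    stage('DeployDev') {
        steps {
            echo "部署开发环境"  // "Deploying to the development environment"
            script {
                // Pause for manual approval; the choices are '发布' (deploy) and '跳过' (skip).
                def userInput = input(
                    message: '确定要发布到DEV环境吗?',
                    parameters: [choice(name: '操作', choices: ['发布', '跳过'])],
                    ok: '确定',
                    submitter: 'ops,qa',            // only the ops and qa groups may approve
                    submitterParameter: 'APPROVER'  // the approver's user ID is returned under this key
                )
                if (userInput['操作'] == '发布') {
                    echo "部署Dev环境开始"
                    // ...
                }
            }
        }
    }
DeployUat stage (modify submitter):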
    stage('DeployUat') {
        steps {
            echo "部署测试环境"  // "Deploying to the test environment"
            script {
                def userInput = input(
                    message: '确定要发布到UAT环境吗?',
                    parameters: [choice(name: '操作', choices: ['发布', '跳过'])],
                    ok: '确定',
                    submitter: 'ops,qa',            // only the ops and qa groups may approve
                    submitterParameter: 'APPROVER'
                )
                if (userInput['操作'] == '发布') {
                    echo "发布"
                    // ...
                }
            }
        }
    }
DeployGray stage (modify submitter):
    stage('DeployGray') {
        steps {
            echo "部署灰度环境"  // "Deploying to the gray (canary) environment"
            script {
                // Choices: weight-based gray release, request-header-based gray release, or skip.
                def GraysMode = input(
                    message: '确定要灰度验证吗?',
                    parameters: [choice(name: 'operation', choices: ['基于权重灰度', '基于请求头灰度', '跳过'])],
                    ok: '确定',
                    submitter: 'ops',               // only the ops group may approve
                    submitterParameter: 'APPROVER'
                )
                if (GraysMode['operation'] == '基于权重灰度') {
                    // Every follow-up prompt repeats the same submitter restriction.
                    def WeightMode = input(
                        message: '请输入权重比例!',
                        parameters: [string(name: 'workload_weight'), string(name: 'grayload_weight')],
                        ok: '确定',
                        submitter: 'ops',
                        submitterParameter: 'APPROVER'
                    )
                    // apply weight configuration
                }
                if (GraysMode['operation'] == '基于请求头灰度') {
                    def GrayHeaderMode = input(
                        message: '请输入请求头!',
                        parameters: [string(name: 'header_key'), string(name: 'header_value')],
                        ok: '确定',
                        submitter: 'ops',
                        submitterParameter: 'APPROVER'
                    )
                    // apply header configuration
                }
                if (GraysMode['operation'] == '跳过') {
                    // GrayEnable is declared outside this excerpt; DeployProd reads it.
                    GrayEnable = 'no'
                }
            }
        }
    }
DeployProd stage (modify submitter):
    stage('DeployProd') {
        steps {
            echo "部署生产环境"  // "Deploying to the production environment"
            script {
                def userInput = input(
                    message: '确定要发布到生产环境吗?',
                    parameters: [choice(name: '操作', choices: ['发布', '跳过'])],
                    ok: '确定',
                    submitter: 'ops',               // production approval is limited to the ops group
                    submitterParameter: 'APPROVER'
                )
                if (userInput['操作'] == '发布') {
                    // retrieve deployment info, apply manifests, optionally delete gray resources
                    if (GrayEnable == 'yes') {
                        sh "kubectl delete deployment ${GrayDeploymentName} -n ${Namespace_Prod}"
                        sh "kubectl delete service ${GrayServiceName} -n ${Namespace_Prod}"
                        sh "kubectl delete ingress ${GrayIngressName} -n ${Namespace_Prod}"
                    }
                } else {
                    echo "不发布"  // "Not deploying"
                }
            }
        }
        post { success { /* notification logic omitted */ } }
    }
Verification
Trigger the pipeline with different users:
Development user Li Si logs in:
Test user Wang Wu logs in:
Operations user Zhang San logs in:
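A static check to complement the manual verification above, as an added example that is not part of the original article: it scans Jenkinsfile text for input gates whose submitter is missing or wider than the permission list in the Requirement section. The POLICY table, the function names and the sample pipeline text are constructed for illustration; parsing is regex-based and assumes no parentheses inside string literals.

```python
import re

# Assumed policy derived from the page's requirement list: stage -> groups allowed to approve.
POLICY = {"DeployDev": {"ops", "qa"}, "DeployUat": {"ops", "qa"},
          "DeployGray": {"ops"}, "DeployProd": {"ops"}}

STAGE_RE = re.compile(r"stage\s*\(\s*['\"]([^'\"]+)['\"]\s*\)")
INPUT_RE = re.compile(r"\binput\s*\(")
SUBMITTER_RE = re.compile(r"\bsubmitter\s*:\s*['\"]([^'\"]*)['\"]")  # not submitterParameter

# Constructed sample, not the page's pipeline: one correct gate and two misconfigured ones.
SAMPLE = """
stage('DeployDev')  { steps { script { input(message: 'dev?', submitter: 'ops,qa') } } }
stage('DeployGray') { steps { script { input(message: 'gray?', parameters: [string(name: 'header_key')]) } } }
stage('DeployProd') { steps { script { input(message: 'prod?', submitter: 'ops,qa') } } }
"""


def input_calls(body):
    """Yield the argument text of each input(...) call by balancing parentheses."""
    for m in INPUT_RE.finditer(body):
        depth, i = 1, m.end()
        while i < len(body) and depth:
            depth += {"(": 1, ")": -1}.get(body[i], 0)
            i += 1
        yield body[m.end():i - 1]


def audit(jenkinsfile):
    """Return (stage, problem) tuples, in file order, for input gates that break POLICY."""
    findings = []
    stages = list(STAGE_RE.finditer(jenkinsfile))
    for n, st in enumerate(stages):
        end = stages[n + 1].start() if n + 1 < len(stages) else len(jenkinsfile)
        allowed = POLICY.get(st.group(1), set())  # unknown stages allow nobody
        for args in input_calls(jenkinsfile[st.end():end]):
            sub = SUBMITTER_RE.search(args)
            if sub is None:  # gate is not restricted to named users or groups
                findings.append((st.group(1), "input without submitter"))
                continue
            extra = {s.strip() for s in sub.group(1).split(",") if s.strip()} - allowed
            if extra:
                findings.append((st.group(1), "unexpected approvers: " + ",".join(sorted(extra))))
    return findings


if __name__ == "__main__":
    for stage, problem in audit(SAMPLE):
        print(f"{stage}: {problem}")
```

Run it in CI against the repository's Jenkinsfile and fail the build when audit returns any finding, so a widened submitter list is caught at review time.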
Ops Development Stories
Maintained by a like‑minded team, covering both operations and development. Topics span Linux ops, DevOps toolchain, Kubernetes containerization, monitoring, log collection, network security, and Python or Go development. Team members: Qiao Ke, wanger, Dong Ge, Su Xin, Hua Zai, Zheng Ge, Teacher Xia.
