
Security in CruiseControl.NET

From CruiseControl.NET 1.5 onwards there is the option to configure security. Unfortunately, due to some limitations in the way it was implemented, it is not always easy to figure out how to do it. Recently there was a question about why projects are not visible in the dashboard after security was added. In this post I’ll go over why the problem occurred and some possible ways to fix it.

Here is an example configuration that demonstrates the problem:

<cruisecontrol xmlns="http://thoughtworks.org/ccnet/1/6" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <internalSecurity>
    <users>
      <passwordUser name="Bob">
        <display>Bob the Builder</display>
        <password>Bob1</password>
      </passwordUser>
    </users>
    <permissions>
      <rolePermission name="Builders">
        <forceBuild>Allow</forceBuild>
        <defaultRight>Deny</defaultRight>
        <users>
          <userName>
            <name>Bob</name>
          </userName>
        </users>
      </rolePermission>
    </permissions>
  </internalSecurity>
  <project name="SecurityTest">
    <security xsi:type="defaultProjectSecurity">
      <defaultRight>Deny</defaultRight>
      <permissions>
        <rolePermission name="Builders" ref="Builders" />
      </permissions>
    </security>
  </project>
</cruisecontrol>

Here there is a user called Bob the Builder who has the forceBuild permission – all other rights are denied. The problem is that there is another right called viewProject, which controls the visibility of projects in the dashboard. Since all other permissions are denied, this permission is also denied, so the project does not appear in the dashboard!

Now if we are happy only allowing Bob the Builder to see the project, then the solution is easy – add a viewProject right and set it to Allow:

<rolePermission name="Builders">
  <forceBuild>Allow</forceBuild>
  <viewProject>Allow</viewProject>
  <defaultRight>Deny</defaultRight>
  <users>
    <userName>
      <name>Bob</name>
    </userName>
  </users>
</rolePermission>

Now when Bob the Builder is logged on he can see the project. But what if we want to allow everyone to see projects?

To allow this we need to add a guest account with the view permission as well:

<cruisecontrol xmlns="http://thoughtworks.org/ccnet/1/6" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <internalSecurity>
    <users>
      <passwordUser name="Bob">
        <display>Bob the Builder</display>
        <password>Bob1</password>
      </passwordUser>
      <simpleUser name="Guest" />
    </users>
    <permissions>
      <rolePermission name="Builders">
        <forceBuild>Allow</forceBuild>
        <viewProject>Allow</viewProject>
        <defaultRight>Deny</defaultRight>
        <users>
          <userName>
            <name>Bob</name>
          </userName>
        </users>
      </rolePermission>
    </permissions>
  </internalSecurity>
  <project name="SecurityTest">
    <tasks>
      <commentTask>
        <message>Ran successfully!</message>
      </commentTask>
    </tasks>
    <security xsi:type="defaultProjectSecurity">
      <defaultRight>Deny</defaultRight>
      <guest>Guest</guest>
      <permissions>
        <userPermission user="Guest">
          <defaultRight>Deny</defaultRight>
          <viewProject>Allow</viewProject>
        </userPermission>
        <rolePermission name="Builders" ref="Builders" />
      </permissions>
    </security>
  </project>
</cruisecontrol>

This example adds a new account called Guest, sets it as the guest account for the project and gives the account view permission. Now everyone can see the project in the dashboard.

Note: the Builders role still needs the viewProject right – otherwise when Bob logs in he will no longer be able to see the project!!
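
As an added example (not part of the original post and not CruiseControl.NET code), the Python check below scans a ccnet.config for the situation described above: a permission entry whose defaultRight is Deny with no viewProject set to Allow, or a project with no guest account that can view it. The function names `grants_view` and `hidden_projects` are hypothetical, and the rule "explicit viewProject wins, otherwise defaultRight applies" is a simplified model taken from this post, not the server's actual evaluator.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the post's first configuration, trimmed to its security parts.
SAMPLE = """<cruisecontrol xmlns="http://thoughtworks.org/ccnet/1/6">
  <internalSecurity><permissions>
    <rolePermission name="Builders">
      <forceBuild>Allow</forceBuild>
      <defaultRight>Deny</defaultRight>
    </rolePermission>
  </permissions></internalSecurity>
  <project name="SecurityTest"><security>
    <defaultRight>Deny</defaultRight>
    <permissions>
      <rolePermission name="Builders" ref="Builders" />
    </permissions>
  </security></project>
</cruisecontrol>"""

def grants_view(perm):
    # Assumed model (from the post): explicit viewProject wins, else defaultRight.
    right = perm.findtext("viewProject") or perm.findtext("defaultRight")
    return (right or "").strip() == "Allow"

def hidden_projects(config_xml):
    """Return (project, principal) pairs that cannot see the project in the dashboard."""
    root = ET.fromstring(config_xml)
    for el in root.iter():  # drop the version-specific ccnet namespace
        el.tag = el.tag.rsplit("}", 1)[-1]
    server = {p.get("name"): p for p in root.findall("internalSecurity/permissions/*")}
    findings = []
    for project in root.findall("project[security]"):  # secured projects only
        sec = project.find("security")
        guest = (sec.findtext("guest") or "").strip()
        guest_sees = False
        for perm in sec.findall("permissions/*"):
            resolved = server.get(perm.get("ref"), perm)  # follow ref= to the server role
            who = perm.get("user") or perm.get("name")
            if not grants_view(resolved):
                findings.append((project.get("name"), who))
            elif guest and who == guest:
                guest_sees = True
        if not guest_sees:
            findings.append((project.get("name"), "<anonymous>"))
    return findings

if __name__ == "__main__":
    for project, who in hidden_projects(SAMPLE):
        print(f"{project}: hidden from {who}")
```

Run against the first configuration it reports the project as hidden from both Builders and anonymous visitors; an empty result means every listed principal and the guest account can see each secured project.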

Categories: CruiseControl.Net, Security
  1. LL
    4 March, 2011 at 11:17 am | #1

    I’ve been trying to set up security today using 1.6.7981.1 and have run into some issues. Perhaps you may have some ideas? I am using LDAP authentication.
    - Name wildcards are not matching. I need to type in the user name exactly.
    - Project defaultProjectSecurity does not appear to inherit from Server security settings. I have a rolePermission defined in the Server setting and I have to explicitly reference it in the project for it to work.
    - When I log in using Firefox, it works. When I log in using IE, it says I’ve successfully logged in but when I click on a link, I see the login link immediately. It’s as if I didn’t log in.
