print-rbac-report.groovy
/**
* Author: Jean-Philippe Briend <jbriend@cloudbees.com>
* Requirements
* - core: "2.73.2.1"
* - operations-center-cluster-ops: "2.73.0.2"
*
* This script prints the RBAC configuration of all the Folders.
* It must be executed on an Operations Center server.
* For each Folder it reports the name, the Groups and the Roles attached.
* It also runs on every connected Client Master and reports the RBAC information found there.
* The report lists group members, so treat the output as sensitive.
*
* Output looks like:
* Jenkins
Granted groups:
+ Administrators
* Members: [admin]
* Roles: [administer (propagates)]
+ Developers
* Members: []
* Roles: [develop (propagates)]
+ Browsers
* Members: [user1, user2]
* Roles: [browse (propagates)]
Jenkins/Admin jobs
Filters:
- develop
- browse
Jenkins/Admin jobs » Masters Daily backup
Jenkins/Admin jobs » Masters Weekly backup
Jenkins/Admin jobs » test
Jenkins/MyOrg
...
*/
import nectar.plugins.rbac.groups.*
import java.util.*
import com.cloudbees.opscenter.server.model.*
import com.cloudbees.opscenter.server.clusterops.steps.*
// One report entry: a located RBAC group container, plus what the report loop
// needs in order to query a connected Client Master remotely.
class ExploredObject {
    // Groups and role filters attached to the explored object
    GroupContainer groupContainer
    // Set to true by the script when the explored object is a ConnectedMaster
    Boolean isMaster
    // The explored object itself; the script leaves it unset for the Jenkins root
    Item instance
}
// Everything that can carry RBAC groups, keyed by its display path.
// A TreeMap keeps the report ordered by that path.
Map containers = new TreeMap();

// The Jenkins root is always reported and is never treated as a Client Master
def root = new ExploredObject()
root.isMaster = false
root.groupContainer = GroupContainerLocator.locate(Jenkins.instance)
containers.put(Jenkins.instance.displayName, root)

// Records `candidate` when its class supports groups and a container can be located for it
def registerIfGroupContainer = { candidate ->
    if (!GroupContainerLocator.isGroupContainer(candidate.getClass())) {
        return
    }
    GroupContainer located = GroupContainerLocator.locate(candidate)
    if (located == null) {
        return
    }
    def entry = new ExploredObject()
    entry.groupContainer = located
    entry.isMaster = candidate instanceof ConnectedMaster
    // NOTE(review): ExploredObject.instance is declared as Item; a node that passes the
    // checks above would presumably fail this assignment - confirm against a real instance.
    entry.instance = candidate
    containers.put("${Jenkins.instance.displayName}/${candidate.fullDisplayName}", entry)
}

// Add all the items that are containers
for (item in Jenkins.instance.allItems) {
    registerIfGroupContainer(item)
}

// Add all the nodes, as they are containers also (but be safe about it)
for (node in Jenkins.instance.nodes) {
    registerIfGroupContainer(node)
}
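// Print the report: one section per collected container, followed by the remote
// report of the container itself when it is a connected Client Master.
for (cont in containers) {
    def c = cont.value.groupContainer
    println(cont.key)

    if (c.roleFilters.size() > 0) {
        println(" Filters:")
        for (filter in c.roleFilters) {
            println(" - ${filter}")
        }
    }

    if (c.groups.size() > 0) {
        println(" Granted groups:")
        for (g in c.groups) {
            def roleLabels = g.roles.collect { it + (g.doesPropagateToChildren(it) ? ' (propagates)' : '(pinned)') }
            println(" + ${g.name}")
            println(" * Members: ${g.members}")
            println(" * Roles: ${roleLabels}")
        }
    }

    /*
     If this container is a connected Client Master, execute a remote Groovy script on this Master
     */
    if (cont.value.isMaster && cont.value.instance.channel) {
        try {
            def remoteReport = '\n'
            def stream = new ByteArrayOutputStream();
            def listener = new StreamBuildListener(stream);

            // The container path is built from display names, which may contain quotes, '$'
            // or backslashes. Pasting it verbatim into the source of the remote script would
            // let such a name change the code that runs on the Client Master. It is therefore
            // shipped as Base64 (alphabet A-Z a-z 0-9 + / =) and decoded on the remote side,
            // so the value can never be parsed as Groovy code.
            def encodedKey = cont.key.toString().getBytes('UTF-8').encodeBase64().toString()

            // Execute remote Groovy script in the Client Master
            // Result of the execution must be a String
            cont.value.instance.channel.call(new MasterGroovyClusterOpStep.Script("""
        import nectar.plugins.rbac.groups.*;
        import java.util.*;

        result = ''
        String masterPath = new String('${encodedKey}'.decodeBase64(), 'UTF-8')
        Map containers = new TreeMap();
        containers.put(masterPath, GroupContainerLocator.locate(Jenkins.instance));
        for (i in Jenkins.instance.allItems) {
          if (GroupContainerLocator.isGroupContainer(i.getClass())) {
            GroupContainer g = GroupContainerLocator.locate(i);
            if (g != null) containers.put("\${masterPath} » \${i.fullDisplayName}", g);
          }
        }

        for (c in containers) {
          result = result + "\${c.key}\\n"
          if (c.value.roleFilters.size() > 0) {
            result = result + " Filters:\\n"
            for (filter in c.value.roleFilters) {
              result = result + " - \${filter}\\n"
            }
          }
          if (c.value.groups.size() > 0) {
            result = result + " Granted groups:\\n"
            for (g in c.value.groups) {
              result = result + " + \${g.name}\\n"
              result = result + " * Members: \${g.members}\\n"
              result = result + " * Roles: \${g.roles.collect {it + (g.doesPropagateToChildren(it) ?' (propagates)':'(pinned)')}}\\n"
            }
          }
        }
        return result
      """, listener, "host-script.groovy", [:]))

            // The listener output carries a 'Result: ' prefix and a trailing blank line; strip both
            remoteReport = remoteReport << stream.toString().minus('Result: ').minus('\n\n')
            println(remoteReport)
        } catch (hudson.remoting.ProxyException exception) {
            // Failure raised on the Client Master side: report it and continue with the next container
            println " ***** Exception ***** : ${exception.message }"
        } catch (org.acegisecurity.userdetails.UsernameNotFoundException noSecurityException) {
            println "***** ^ This master has security disable, thus no RBAC configuration is available. *****"
        }
    }
}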