Enable fine grain access per user per workflow or set of workflows #507

Closed
gaiksaya opened this issue Nov 13, 2024 · 5 comments
Labels
enhancement New feature or request

Comments

@gaiksaya
Member

Is your feature request related to a problem? Please describe

Coming from opensearch-project/opensearch-build#5171
The current jenkins infrastructure has permissions set up which allow only admin or read-only access. See https://github.com/opensearch-project/opensearch-ci/blob/main/lib/compute/oidc-config.ts#L82-L85

Describe the solution you'd like

Have more fine-grained access such that:

  • User A can access:
    • Workflow A
    • Workflow B
    • Workflow C
  • User B can access:
    • Workflow A
    • Everything under a folder called foo
  • Default read-only and admin access should be retained as is.
  • Everything, including user handles, workflow names or patterns or folders, and the exact permissions, should be infrastructure as code.

Describe alternatives you've considered

No response

Additional context

The Role-based Authorization Strategy plugin and its config are already being used. Enhance on top of it to give fine-grained access.

@dblock
Member

dblock commented Dec 2, 2024

[Catch All Triage - 1, 2, 3]

@gaiksaya gaiksaya self-assigned this Dec 2, 2024
@gaiksaya
Member Author

gaiksaya commented Dec 3, 2024

Starting with the builder role that would have permissions to build, rebuild, cancel and read jobs. This role would not have access to create or delete or update jobs.

  # Jenkins Configuration as Code (JCasC) block for the Role-based Authorization Strategy plugin.
  # The permission set is declared once as a template; each role references it by templateName.
  authorizationStrategy:
    roleBased:
      permissionTemplates:
      - name: "builder-template"
        permissions:
        - "Job/Build"
        - "Job/Cancel"
        - "Job/Discover"
        - "Job/Read"
        - "Lockable Resources/View"
        - "Run/Replay"
        - "Metrics/View"
        - "View/Read"
      roles:
        items:
        - entries:
          - user: "gaiksaya"
          name: "builder-role"
          # Java regex matched against the item's full name (folder/job); (?i) makes it case-insensitive.
          pattern: "(?i)distribution-.*"
          # Must reference an existing template by its exact name.
          templateName: "builder-template"
          # Kept identical to the template so the role carries no permission the template does not grant.
          permissions:
          - "Job/Build"
          - "Job/Cancel"
          - "Job/Discover"
          - "Job/Read"
          - "Lockable Resources/View"
          - "Run/Replay"
          - "Metrics/View"
          - "View/Read"

A pattern is defined as regex to match the jobs/folders. See https://plugins.jenkins.io/role-strategy/#plugin-content-configuring-roles
Looking at https://build.ci.opensearch.org/ we have multiple jobs apart from distribution builds and releases. We can use the same permission template to create multiple roles and assign them per user as per the workflow.
In the above example, user gaiksaya has access to all jobs with the naming pattern distribution-.*

@gaiksaya
Member Author

gaiksaya commented Dec 3, 2024

Adding @rishabh6788 @prudhvigodithi @peterzhuamazon to confirm the permissions. Not sure if putting jobs into folders would make sense here since we have too many different jobs related to distribution build, test and release but very few for standalone component release jobs. We can apply the same role to multiple jobs using the right regex pattern. https://groups.google.com/g/jenkinsci-users/c/K9CxrZEvwjg
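The two comments above describe the scheme (one permission template, several item roles, each scoped by a regex) and raise the regex-versus-folder question. The following is an added example, not code from opensearch-ci or from the commenters: it mirrors the JCasC structure as plain Python data and evaluates which user may do what on which job, so a proposed pattern can be checked before it lands in the IaC repo. It assumes that the plugin matches an item role's pattern against the item's full name (folder/job) as a whole, which re.fullmatch approximates; the admin user, the user-b principal, the foo-builder role and the job names are constructed for illustration.

```python
import re

# Added example (not opensearch-ci code). Mirrors the role-strategy JCasC block
# discussed above as Python data so it runs offline. "example-admin", "user-b",
# the foo-builder role and the job names below are constructed.

# permissionTemplates: one named permission set reused by several roles
PERMISSION_TEMPLATES = {
    "builder-template": frozenset({
        "Job/Build", "Job/Cancel", "Job/Discover", "Job/Read",
        "Lockable Resources/View", "Run/Replay", "Metrics/View", "View/Read",
    }),
}

# roles.global: the existing admin / read-only split, retained as is
GLOBAL_ROLES = [
    {"name": "admin", "permissions": frozenset({"Overall/Administer"}),
     "principals": frozenset({"example-admin"})},          # constructed user
    {"name": "read", "permissions": frozenset({"Overall/Read", "Job/Read"}),
     "principals": frozenset({"authenticated"})},
]

# roles.items: per-user roles scoped by a regex over the item's full name
ITEM_ROLES = [
    {"name": "builder-role", "pattern": r"(?i)distribution-.*",
     "template": "builder-template", "principals": frozenset({"gaiksaya"})},
    # "everything under folder foo": the folder prefix has to be part of the
    # pattern because the whole full name (folder/job) is matched
    {"name": "foo-builder", "pattern": r"foo/.*",
     "template": "builder-template", "principals": frozenset({"user-b"})},  # constructed
]


def pattern_matches(pattern: str, full_name: str) -> bool:
    """Assumed plugin semantics: the pattern must match the item's full name
    as a whole (Java Matcher.matches()); re.fullmatch is the Python analogue."""
    return re.fullmatch(pattern, full_name) is not None


def effective_permissions(user: str, full_name: str,
                          groups=("authenticated",)) -> frozenset:
    """Union of every global role and every matching item role for the user."""
    principals = {user, *groups}
    perms = set()
    for role in GLOBAL_ROLES:
        if principals & role["principals"]:
            perms |= role["permissions"]
    for role in ITEM_ROLES:
        if principals & role["principals"] and pattern_matches(role["pattern"], full_name):
            perms |= PERMISSION_TEMPLATES[role["template"]]
    return frozenset(perms)


def can(user: str, permission: str, full_name: str) -> bool:
    """Overall/Administer implies every other permission in Jenkins."""
    perms = effective_permissions(user, full_name)
    return "Overall/Administer" in perms or permission in perms


def audit(user: str, job_names) -> dict:
    """Map each job full name to whether the user may build it."""
    return {name: can(user, "Job/Build", name) for name in job_names}


if __name__ == "__main__":
    jobs = ["distribution-build-opensearch", "Distribution-Release-Test",
            "foo/distribution-build-opensearch", "foobar", "foo/nested/job"]  # constructed
    for user in ("gaiksaya", "user-b", "example-admin"):
        print(user, audit(user, jobs))
```

Two points the table makes visible: the (?i) flag lets "Distribution-Release-Test" match, and a job that has been moved into a folder ("foo/distribution-build-opensearch") stops matching "distribution-.*" because the full name is matched, so folder moves silently change who can build what unless the pattern accounts for the prefix. Job/Create is never granted by the template, which is the "cannot create, delete or update" property the builder role is meant to have.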

@peterzhuamazon
Member

I am OK if we follow the folder structure of the jenkins folder in the build repo so that it is a one-to-one match.

@gaiksaya
Member Author

Fine-grained access has been enabled via code, see #514. @Divyaasm is in the process of making the deployable code public.
Thanks!

@github-project-automation github-project-automation bot moved this from 🏗 In progress to ✅ Done in Engineering Effectiveness Board Jan 15, 2025