How do I restrict artifact download for a plan?

Kevin Walker October 23, 2023

I am creating a bamboo plan that will create an artifact. I want any logged in user to be able to manually start the plan, but I only want specific named users to be allowed to download the artifacts. How can I do this?

 

I am using config as code written in Java for bamboo v9.2.4.

Current Plan creation:

return new Plan(
ProjectFactory.Get(),
"test",
new BambooKey("TEST"))
.pluginConfigurations(new ConcurrentBuilds())
.stages(new Stage("Default Stage")
.jobs(new Job("Default Job",
new BambooKey("JOB1"))
.artifacts(new Artifact()
.name("artifact.txt")
.copyPatterns("artifact.txt")
.required(true))
.tasks(new ScriptTask()
.description("create file")
.inlineBody("echo hello >> artifact.txt"))))
.planBranchManagement(new PlanBranchManagement()
.delete(new BranchCleanup())
.notificationForCommitters());

 

1 answer

0 votes
alok m April 11, 2024

To set up permissions in Bamboo for manual plan execution by any logged user, but restrict artifact downloads to specific users, you will need to work with both plan permissions and global permissions settings. Bamboo, unfortunately, does not provide a straightforward way to restrict artifact downloads at the user level through its UI or API directly within a plan configuration. However, you can manage this by setting up permissions carefully around your plan and artifacts.

Given your scenario and the use of Bamboo Java specs (configuration as code), here's an approach you might consider, with an emphasis on the conceptual steps since direct artifact download permissions require manual intervention:

  1. Plan Permissions: Allow Manual Execution

For allowing any logged-in user to manually start the plan, ensure that your Bamboo global permissions are set to allow logged-in users to execute plans. This can usually be achieved through the Bamboo UI under Bamboo Administration > Security > Global permissions. There isn't a direct method in Bamboo Specs to modify global permissions, as these settings are outside the scope of what Bamboo Specs are designed to manage. They are more focused on project and plan configuration rather than global security settings.

  1. Restricting Artifact Downloads

Bamboo does not offer fine-grained control over artifact downloads via its permissions model directly. However, here are some strategies to control access:

  • Restrict Plan Permissions: Ensure that only specific users or groups have "View" permissions for the plan itself. Users who cannot view the plan should also not be able to access its artifacts through the UI. This method is broad and might not be suitable if you want users to view build results but not download artifacts.
  • External Artifact Management: Instead of relying on Bamboo's artifact management, consider uploading your artifacts to an external system or repository where you can control access more granitely. For example, you could modify your plan to upload artifacts to an Amazon S3 bucket, a Nexus Repository, or an Artifactory instance, where you can configure permissions at a very detailed level.
    • You can use a Script Task in your Bamboo plan to perform the upload operation to the external system after the artifact is created.
    • In these systems, set up permissions such that only your named users have download access.
  • Manual Permissions Configuration: For the artifacts stored directly in Bamboo, you might have to resort to manual configurations, instructing specific users on how to access the artifacts (or not), as the system does not support download restrictions out of the box.

 

Suggest an answer

Log in or Sign up to answer
TAGS
AUG Leaders

Atlassian Community Events