we are team of devops admin and would like get alerts when critical fields are changed . exp ,if authentication is change from auth matrix to something else.
what would be a good way implement it .
few ideas is
i have is to set alerts on the jenkins config file for those paramters.
have a IAC tool monitor for a desired state which includes these fields and give an alert when it changes.
Related
I'm looking for something like the Job Config history plugin but to log the changes in the Jenkins server itself (any change under the /manage section or credentials).
I tested the Audit Trail plugin, but it only logs who and when, but nothing about the content of the change.
I'm using the roles based strategy, so there is a reduced group of people able to do changes, but I still need more precise information.
Job Config History Plugin also tracks system configuration. Just click on Job Config History (on the left-side menu) on the main dashboard (outside of any job). When there, you can see all server configuration changes with all features like diffs and raw XML access.
I've set up a new Jenkins server earlier today.
When I open localhost:8080/jenkins, it prompts me for a username and password.
I enter mine in, and from there I can view my dashboard, including the projects I've set up, and their artifacts.
However, I would like people to be able to download the artifacts of my projects, without an account.
But that's the only thing I would like to allow them to do. View my artifacts, and nothing else, unless they have an account.
So, how do I set this up?
The answer is actually pretty simple.
Go to Manage Jenkins, then Configure Global Security.
Then check:
Enable security
Jenkins' own user database (in Access Control -> Security Realm)
Logged-in users can do anything (as well as Allow anonymous read access) [both are in Access Control -> Authorization]
Once that's done, other people should be able to view your artifacts.
I am using Folder plugin and AD groups to control access to folder. This morning a team can't access their project anymore and later I found the AD group assignment in Assign Roles has been changed to wrong groups. Is there a way to find out which id did it? We only have a few admin ids.
Jenkins does not appear to keep an audit trail by default, as stated in this post on cloudbees.com, the folks that develop Jenkins.
The relevant lines:
Many Jenkins users look for a recommend a strategy for keeping an audit trail. This article is supposed to be a gap filler until more comprehensive compliance capabilities in JE/JOC are developed.
There are two open source plugins that enable you to track “WHO did WHAT?” in Jenkins:
...
The first plugin listed is Audit Trail Plugin which looks to provide exactly what you are seeking.
The description from the plugins page:
Keep a log of who performed particular Jenkins operations, such as configuring jobs.
This plugin adds an Audit Trail section in the main Jenkins configuration page. Here you can configure log location and settings (file size and number of rotating log files), and a URI pattern for requests to be logged. The default options select most actions with significant effect such as creating/configuring/deleting jobs and views or delete/save-forever/start a build. The log is written to disk as configured and recent entries can also be viewed in the Manage / System Log section.
I spent a few minutes looking through Jenkins various xml and log files, but could not find a log that contained something useful (username and/or timestamp). In this case it seems user auditing isn't built into Jenkins as of yet. Unfortunately it appears that you might not be able to determine who made those changes after the fact.
On my Jenkins build server, I want to set an Authentication Token so that only users that know the token can fire off builds. (As described here.)
This doc page says that it should be configurable under my job's "Build Triggers" configuration.
However, my server has no such fields, and I'm running the latest version (1.546). Mine looks like this:
.
As you can see, this doesn't really look like the docs say it should.
How can I set this token?
You're missing the Trigger builds remotely (e.g., from scripts) Build Trigger:
This is only visible with Security enabled. To get this option from a freshly downloaded 1.546 WAR, I changed Configure Global Security from Anyone can do anything to at least Logged-in users can do anything. For ease/speed of testing, under Security Realm I selected Jenkins’ own user database and Allow users to sign up:
You can go to http://Jenkins-IP/jobs/me/configure to check and change your API access token. Also check whether the user you intend to use has necessary permissions to execute the builds in Manage Jenkins>Configure Global Security
Each jenkins user gets an authentication token - applicable since version 1.426 (more).
You can see yours, provided you are logged in your jenkins server, at http://your.jenkins.server/me/configure
(press 'show API token' button)
Then you can copy and paste it in your scripts (e.g. see here for an example usage).
I don't know why "logged in users can do anything" means Jenkins will happily allow non-authenticated users to view project details and access artifacts... Regardless, I need to know how to get Jenkins to allow logged in users to to anything AND hide EVERYTHING for users who AREN'T logged in. Help please?
This can be done with the Role-Strategy plugin.
Install the plugin, add a new group called "Anonymous" and uncheck everything. Then you want to add another group called "authenticated" and check everything. Add your existing users to this group. Jenkins will immediately prompt you for a login this way.
You can use https://wiki.jenkins-ci.org/display/JENKINS/Role+Strategy+Plugin
it allows to specify to define roles and assign roles to users, users with no roles won't even see the jenkins ui.
Answer to an old question but I came searching here as I am trying to auto spin up a Jenkins instance on Docker and found the same issue.
Good chance this option wasn't available when the question was asked. As of this moment (v2.222.3 but not sure how far back), it turns out you can do this without installing any additional plugins.
Manually
Navigate to Global Security (Jenkins > Manage Jenkins > Global Security)
Update the Authorization section to "Logged-in users can do anything".
UNCHECK Allow anonymous read access
Any unauthenticated access will redirect to login now.
I would note that if you setup Jenkins through the setup wizard then anonymous read access is disabled by default. If you want this behaviour AND want to configure jenkins automatically, read on.
Automated with Docker
My situation is that I wanted to check out my repo, run my compose file and have all my config/users/plugins etc ready to go. Great post here with more detail if interested.
In a nutshell:
Dockerfile
FROM jenkins/jenkins:lts-alpine
# Disable setup wizard since security.groovy creates our user
ENV JAVA_OPTS="-Djenkins.install.runSetupWizard=false"
COPY security.groovy /usr/share/jenkins/ref/init.groovy.d/security.groovy
security.groovy
#!groovy
import jenkins.model.*
import hudson.security.*
def instance = Jenkins.getInstance()
// Create Admin User
def hudsonRealm = new HudsonPrivateSecurityRealm(false)
hudsonRealm.createAccount("admin", "admin") // Dont do this. This is bad
instance.setSecurityRealm(hudsonRealm)
// Set Auth to Full Control Once Logged In and prevent read-only access
def strategy = new FullControlOnceLoggedInAuthorizationStrategy()
strategy.setAllowAnonymousRead(false)
instance.setAuthorizationStrategy(strategy)
instance.save()
In particular, strategy.setAllowAnonymousRead(false) is what's needed
Additionally, if you use GitHub as your version control system -- you can use the GitHub OAuth plugin. Once the "Anonymous" reach your page, they will be redirected to GitHub automatically.