Additional Identities Plugin - how to configure? - jenkins

I'm struggling with duplicated users in my Jenkins and Not sending mail to unregistered user ... problem.
I installed the plugin as per this answer but cannot configure it properly by reading the plugin documentation.
My Jenkins collects data from Active Directory and some users have a duplicated entry, e.g.:
john.doe, john.doe@mycompany.com -> duplicated user, which is detected by Jenkins
doej, john.doe@mycompany.com -> correct user, which is used when logging in
After collecting the people responsible for the git changes in a job, Jenkins ends with
Not sending mail to unregistered user john.doe@mycompany.com
I tried adding additional identity to user doej by setting:
Identity: john.doe@mycompany.com
Realm: <empty>
but it doesn't work.
How should I correctly configure the Additional Identities Plugin?

It seems it's not possible to configure the Additional Identities Plugin in Jenkins to merge the duplicate user.
Jenkins is missing a way to ensure user unicity (uniqueness), since users are created from various sources: the authentication method (LDAP in my case) and code commits (Subversion, Mercurial, Git, ...).
Depending on the way the user is retrieved by Jenkins (from a commit on a given SCM or its authentication), multiple identities are created for the same real user.
As a consequence, some features are not fully or badly working (login, notifications, user's builds, continuous integration game, ...) and configuration of users is a pain as it must be done multiple times for each real user.
Still, the required features are:
a merging feature: allow merging multiple Jenkins users into a single account.
a user pattern per SCM: allow choosing how to extract a username from a commit for each SCM and how to optionally match an existing user instead of creating a new one.
an id pattern per notification type: allow defining how to generate the default id used for notification from the user data (from his Jenkins id, his name, his SCM id, ...): for instance, his mail or his Jabber id, ...
Reference: [JENKINS-10258] Allow users unicity - Jenkins Jira
The solution is Jenkins 1.480, but this is still in Vulnerabilities state and has bugs as well.
Jenkins 1.480 introduces an extension point to resolve a Jenkins user's "canonical" ID when searching for a user in the database by id or full name. This plugin uses this extension point to let the user configure external identities as user properties.
You can reach out to the Jenkins community or support team to learn the status or when they will make a final release.

Related

Jenkins/GitLab pipeline email sending warning and creating Jenkins users

I have been digging trying to figure out the warning I am getting in the pipeline that we have. It was done by a contractor, now gone. I took over the CI/CD tools, Jenkins, GitLab and Chef.
I constantly see a warning message that the user is not found, but sending email anyway: "xxx.xxx@company.com is not a recognized user, but sending mail anyway xxx.xxx@company.com"
Until I really started to dig into this, I didn't realize that this is causing 2 user auto-added entries into Jenkins.
As in other threads I have found on Stack Overflow, we have our security realm set to Active Directory; we have a 4-digit code, expanding to 8 digits, for the user ID, and it does not match our email addresses of first.last@company.com.
I was in the group back in 2017 when we started implementing these tools, so I have multiple Jenkins accounts; one is firstname.lastname and is confirmed as well as the A/D user ID, so when I run the pipeline, it finds me and there is no warning/error. When someone who is newer than I only has an A/D account ID, they get the error and the erroneous accounts are created: first.last and firstlast for the names of the accounts.
Is there any way to look at the user ID, which is the same in GitLab and Jenkins, rather than the email address for the pipeline? Or can I have the warning message but not auto-create the users in Jenkins?

Gerrit/NoteDB User Management

I am in the process of switching the LDAP backend that we use to authenticate access to Gerrit.
When a user logs in via LDAP, a local account is created within Gerrit. We are running version 2.15 of Gerrit, and therefore our local user accounts have migrated from the SQL DB into NoteDB.
The changes in our infrastructure mean that once the LDAP backend has been switched, user logins will appear to Gerrit as new users and therefore a new local account will be generated. As a result we will need to perform a number of administrative tasks on the existing local accounts before and after migration.
The REST API exposes some of the functionality that we need, however two key elements appear to be missing:
There appears to be no way to retrieve a list of all local accounts through the API (such that I could then iterate through to perform the administrative tasks I need to complete). The /accounts/ endpoint insists on a query filter being specified, which does not appear to include a way to simply specify 'all' or '*'. Instead I am having to try and think of a search filter that will reliably return all accounts - I haven't succeeded yet.
There appears to be no way to delete an account. Once the migration is complete, I need to remove the old accounts, but nothing is documented for the API or any other method to remove old accounts.
Has anybody found a solution to either of these tasks that they could share?
I came to the conclusion that the answers to my questions were:
('/a/' in the examples below accesses the administrative endpoint, so Basic Auth is required and the user must have appropriate permissions)
Retrieving all accounts
There is no way to do this in a single query, however combining the results of:
GET /a/accounts?q=is:active&n=<number larger than the number of users>
GET /a/accounts?q=is:inactive&n=<number larger than the number of users>
will give effectively the same thing.
Deleting an account
Seems that this simply is not supported. The only option appears to be to set an account inactive:
DELETE /a/accounts/<account_id>/active
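As an added example (not part of the answer above), a small Python helper that builds the two queries, merges their results by _account_id and points at the deactivation endpoint. The ")]}'" XSSI prefix on Gerrit JSON responses and the _more_accounts truncation marker come from Gerrit's REST documentation and go slightly beyond what the answer states; the base URL and account data are constructed.

```python
import json
from urllib.parse import urlencode

# Gerrit prefixes every JSON response with this line to defeat XSSI;
# it has to be stripped before json.loads() will accept the body.
MAGIC_PREFIX = ")]}'"


def query_accounts_url(base_url, state, limit):
    """Build the /a/accounts query for one state ('active' or 'inactive')."""
    params = urlencode({"q": f"is:{state}", "n": limit})
    return f"{base_url.rstrip('/')}/a/accounts/?{params}"


def parse_gerrit_json(body):
    """Strip the magic prefix and decode the JSON payload."""
    if body.startswith(MAGIC_PREFIX):
        body = body[len(MAGIC_PREFIX):]
    return json.loads(body)


def merge_account_lists(*pages):
    """Combine the is:active and is:inactive results, keyed on _account_id.

    Gerrit marks the last entry with _more_accounts=true when n was smaller
    than the number of matches, so a truncated page is rejected here rather
    than silently yielding an incomplete account list."""
    merged = {}
    for page in pages:
        if page and page[-1].get("_more_accounts"):
            raise ValueError("result truncated; raise n and query again")
        for acct in page:
            merged[acct["_account_id"]] = acct
    return sorted(merged.values(), key=lambda a: a["_account_id"])


def deactivate_url(base_url, account_id):
    """Target of the DELETE that sets an account inactive (the only 'delete')."""
    return f"{base_url.rstrip('/')}/a/accounts/{account_id}/active"


# Constructed sample bodies standing in for the two GET responses.
ACTIVE_BODY = ")]}'\n" + json.dumps([
    {"_account_id": 1000001, "username": "alice"},
    {"_account_id": 1000002, "username": "bob"},
])
INACTIVE_BODY = ")]}'\n" + json.dumps([{"_account_id": 1000003, "username": "carol"}])


def all_accounts_from_samples():
    """Run the merge over the constructed responses."""
    return merge_account_lists(parse_gerrit_json(ACTIVE_BODY),
                               parse_gerrit_json(INACTIVE_BODY))
```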

Q: Debugging Jenkins node/agent creation & configuration

I've got an issue with Jenkins 2.6-1.1 running on CentOS v7.2.1511. I am using the Crowd 2 integration plugin v.1.8 and the Matrix Authorization Strategy plugin v.1.3.2 for authentication and authorization, respectively. Security is configured for "Project-based Matrix authorization strategy".
In my Jenkins configuration, I employ two group assignments on the Crowd server: jenkins-administrators and jenkins-users. jenkins-administrators has every permission enabled. jenkins-users have permission to:
Overall: Read, RunScripts
Agent: Build, Configure, Connect, Create
Job: Build, Cancel, Configure, Create, Delete, Discover, Read, Workspace
Run: Delete, Update
View: Configure, Create, Read
SCM
jenkins-administrators obviously have all of these permissions enabled as well.
The issue is that, at some point, users who are in both jenkins-administrators and jenkins-users ceased having the ability to configure nodes or create new nodes. What I mean by this is that, when the user clicks on the link to configure a node, or clicks OK on the new node (/computer/node) page, the post goes through, but a page is never returned.
If I remove the user from the jenkins-administrators group, they are able to add and configure nodes as expected.
If I configure the user such that they are in the jenkins-administrators group solely, they are unable to log in (which seems like it could be related).
I tried modifying the security matrix so that jenkins-administrators and jenkins-users had the same configuration with regard to nodes, but this didn't change anything.
Outside of the slave logs, and the occasional message to /var/log/messages, there doesn't appear to be anything relevant in /var/log/jenkins/jenkins.log.
Any suggestions on how I can configure Jenkins logging to show me information that is more relevant to node configuration and creation, or any suggestions in general on how I might observe the node creation and configuration process?

Jenkins Pipeline (aka Workflow) security with nodes

I want to create a Groovy script using the Pipeline plugin in Jenkins, handling the security so that only some users can enter the node.
This would be the example:
node('master') {
//code..... more code
}
node('production') {
//more code.....
}
I want to be able to let only some users run the production node successfully, without using the input step that asks which specific users/groups can approve it.
Is there a configuration option where I can configure the security of a specific node as to which users (or group) can execute scripts on it?
Note: I am using only Jenkins 1.6 (not CloudBees, which has more complex security options)
Edited 04/20/2016 reflecting discussions in comment:
Update: Goal: Preventing unauthorized user from executing jobs on a selection of Jenkins node.
Update: The Job Restrictions Plugin referred by luka5z would be a promising fit for the goal, when using it in conjunction with Role Strategy Plugin.
Give Matrix-based security a try with the Role Strategy Plugin. First, you need to set the users/anonymous group global role to have very minimal access. Then you can set slave roles that only allow users to use node names starting with a pattern, e.g. QA_Slave*, and only a small group, say admin, has all permissions on all slaves, which implies Production.
Update: Role Strategy Plugin can prevent a user from modifying the policy applied to a node, but would not protect the node from running a job it was tagged to [unauthorized slave assignment in job configuration], where Job Restrictions Plugin would independently apply restrictions at the node level, without going to the extreme of taking all job configuration access away.

How to authenticate SVN Repository through API

We are developing a replica of Jenkins and we have a need to authenticate SVN & GIT repository URLs. I see Jenkins is able to do it by allowing the user to have credentials created (POST) and validated through (GET) a call. However, I am unable to validate the SVN/GIT repo without the job name.
I am able to fetch the global credentials added to Jenkins. But they are only retrieved on a per-job basis. So if I want to see the list of credentials of a particular job, I can do it using the following JSON.
http://${JENKINS_URL&PORT}/job/${JOB_NAME}/descriptorByName/hudson.scm.SubversionSCM$ModuleLocation/fillCredentialsIdItems
But I would like to fetch the credentials without depending on the job name. Please let me know if I have to provide any more information. Any help is much appreciated.